mikemikeee

Registered
May 24, 2018
cPanel Access Level
Website Owner
Hello all,

Have some weirdness in my logs, wondering if someone can enlighten me as to why. I'm regularly seeing extracts like the following:

Code:
Oct 25 11:01:05 box named[14994]: lame server resolving 'tests.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'zendextensionmanager.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving '4.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'pdf.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'geoip.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'mailparse.so' (in 'so'?): 1.2.3.4#53

These are all PECL so's, most of which I don't actually have on the server that is doing it, which makes it even weirder.

I have checked over the machine in question thoroughly, and can't find anything, anywhere, in any logs mentioning these modules (have spent hours manually rummaging through the exim logs, syslogs and apache domlogs/error logs etc).

I have checked through all the listening processes on the server and nothing abnormal shows there, rkhunter and chkrootkit are coming back clean, so I am lost as to what is causing this.

The only potential cause I can see for this is some form of XSS attack, but I can't find anything at all in the logs to back this up, so wondering if anyone has any ideas?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The "lame server resolving" message indicates your server is not authoritative for the domain names referenced in the message. It's difficult to know for sure where the connection attempt is coming from for those requests (e.g. geoip.so, pdf.so), but the log entry itself doesn't suggest the system is vulnerable. You may want to contact a system administrator to review your system and verify there are no security issues:

System Administration Services | cPanel Forums

Thank you.
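To review what the resolver is being asked for, the "lame server resolving" lines from the thread can be grouped by zone, by remote nameserver and by timestamp. This is an added example, not part of either post or of cPanel's code; the sample log is constructed in the shape of the lines quoted above, and the function and field names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, same shape as the log lines quoted in the thread.
SAMPLE_LOG = """\
Oct 25 11:01:05 box named[14994]: lame server resolving 'tests.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'geoip.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'pdf.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:07 box named[14994]: lame server resolving 'mail.example.net' (in 'example.net'?): 5.6.7.8#53
Oct 25 11:01:09 box sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2
"""

# syslog prefix, then named's message: queried name, zone, remote server#port
LAME_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s"
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

def parse_lame(lines):
    """Yield one dict per 'lame server resolving' line; skip everything else."""
    for line in lines:
        m = LAME_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines, burst_threshold=3):
    """Group lame-server events so a reviewer can see what was looked up."""
    zones = defaultdict(set)   # zone -> distinct names queried under it
    servers = Counter()        # remote nameserver that answered as lame
    per_second = Counter()     # syslog timestamp -> number of events
    for rec in parse_lame(lines):
        zones[rec["zone"]].add(rec["name"])
        servers[rec["server"]] += 1
        per_second[rec["ts"]] += 1
    return {
        "names_by_zone": {z: sorted(n) for z, n in zones.items()},
        "servers": dict(servers),
        # many lookups in the same second point at one batch of queries
        "bursts": {t: c for t, c in per_second.items() if c >= burst_threshold},
        # zones that are a bare TLD, as with 'so' in the thread's log
        "tld_zones": sorted(z for z in zones if "." not in z),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```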