Lame server resolving PHP module names?

Discussion in 'General Discussion' started by nickp666, Oct 25, 2007.

  1. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    Hello all,

    Have some weirdness in my logs, wondering if someone can enlighten me as to why, I'm regularly seeing extracts like the following:

    Code:
    Oct 25 11:01:05 box named[14994]: lame server resolving 'tests.so' (in 'so'?): 205.166.226.38#53
    Oct 25 11:01:05 box named[14994]: lame server resolving 'zendextensionmanager.so' (in 'so'?): 205.166.226.38#53
    Oct 25 11:01:05 box named[14994]: lame server resolving '4.so' (in 'so'?): 205.166.226.38#53
    Oct 25 11:01:05 box named[14994]: lame server resolving 'pdf.so' (in 'so'?): 205.166.226.38#53
    Oct 25 11:01:05 box named[14994]: lame server resolving 'geoip.so' (in 'so'?): 205.166.226.38#53
    Oct 25 11:01:05 box named[14994]: lame server resolving 'mailparse.so' (in 'so'?): 205.166.226.38#53
    
    These are all PECL so's, most of which I don't actually have on the server that is doing it, which makes it even weirder.

    I have checked over the machine in question thoroughly, and can't find anything, anywhere, in any logs mentioning these modules (have spent hours manually rummaging through the exim logs, syslogs and apache domlogs/error logs etc).

    I have checked through all the listening processes on the server and nothing abnormal shows there, rkhunter and chkrootkit are coming back clean so I am lost as to what is causing this.

    The only potential cause I can see for this is some form of XSS attack, but I can't find anything at all in the logs to back this up, so wondering if anyone has any ideas?

    TIA
     
  2. nickp666

    FURTHER NOTE: Seems to be occurring at 1 minute past every hour.

    I have no cron jobs in any user's crontab at that time, and cron.hourly only has modsecparse & logcheck in it.
     
  3. nickp666

    It looks like it's SpamAssassin doing its URIBL checks that's causing it, as every time it occurs there is a new batch of mails heading for MailScanner, so I guess that answers my question.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Some of the so's look like PHP extensions. But that is all I can add.
     
  5. nickp666

    as stated in the post and the name ;) half asleep kenneth? :)
     
  6. cPanelKenneth

    Apparently I am :rolleyes:
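
The named lines quoted in the first post have a fixed shape, so they can be parsed and grouped to check the two things the thread observes: the queried names are file names sitting under the 'so' zone, and they arrive at one minute of the hour. This is an added example, not posted by any participant; the `EXT_ZONES` set, the function names and the last two log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# First three lines are from the thread; the last two are constructed for contrast.
SAMPLE_LOG = """\
Oct 25 11:01:05 box named[14994]: lame server resolving 'tests.so' (in 'so'?): 205.166.226.38#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'pdf.so' (in 'so'?): 205.166.226.38#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'geoip.so' (in 'so'?): 205.166.226.38#53
Oct 25 11:17:42 box named[14994]: lame server resolving 'www.example.com' (in 'example.com'?): 192.0.2.53#53
Oct 25 11:20:00 box crond[2101]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumption: zones that double as file extensions. Only 'so' appears in the thread.
EXT_ZONES = {"so", "sh", "pl", "py"}

LAME = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:(?P<minute>\d\d):\d\d\s+\S+\s+named\[\d+\]:\s+"
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\):\s+"
    r"(?P<server>\S+)#\d+$"
)

def parse_lame(log_text):
    """Return one dict per 'lame server' line; every other line is skipped."""
    matches = (LAME.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def file_like(event):
    """True when the queried name is a file name read as a hostname, e.g. 'pdf.so'."""
    name, zone = event["name"].lower(), event["zone"].lower()
    return zone in EXT_ZONES and name.endswith("." + zone)

def triage(log_text):
    """Summarise file-like lookups: which names, at which minute, via which server."""
    events = parse_lame(log_text)
    suspects = [e for e in events if file_like(e)]
    return {
        "names": sorted({e["name"] for e in suspects}),
        "by_minute": Counter(e["minute"] for e in suspects),
        "servers": sorted({e["server"] for e in suspects}),
        "other_lame": len(events) - len(suspects),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `by_minute` count concentrated on a single minute points at a scheduled job or batch, which matches what the thread found with mail being handed to MailScanner.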
     