WEIRD thing happened when I restarted bind

[junglecat]

I got a system mail from one of my servers that bind had failed. Since I already had WHM open, I just went to restart services and restarted bind from there.
This is something I've done more than a few times, and when I do this, a bunch of stuff comes up that shows all the sites and ip's on the server.

But what happened this time, a bunch of domains and ip's that are NOT on the server and never have been came up.
These are ip's I've never had on any server, and I have never hosted these sites. This is not a pre-owned server, it was built brand new for me.
I checked parked domains and subdomains to see if there was anything weird going on there, but only 1 parked domain (that I parked myself), and one subdomain that a client has.
Below is the log, with the "real" domains and ip's edited but the bogus ones are all unedited, they are visible below.
Does anyone have any idea at all what might be going on here and how I can fix whatever is wrong??



(the text is too long for the post so I will reply with the log)

 

[junglecat]

Attempting to restart named
Waiting for named to restart.... . . . . . . . . . . finished.

named status named 4873 4.5 0.3 39688 3564 ? S 22:58 0:00 /usr/sbin/named -u named

named started ok Apr 5 22:58:42 server3 named[5622]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:42 server3 named[5622]: shutting down: flushing changes Apr 5 22:58:42 server3 named[5622]: stopping command channel on 127.0.0.1#953 Apr 5 22:58:42 server3 named[5622]: no longer listening on 127.0.0.1#53 Apr 5 22:58:42 server3 named[5622]: no longer listening on XXX.XX.XX.XXX#53 Apr 5 22:58:42 server3 named[5622]: no longer listening on XXX.XX.XX.XXX#53 Apr 5 22:58:42 server3 named[5622]: no longer listening on XXX.XX.XX.XXX#53 Apr 5 22:58:42 server3 named[5622]: no longer listening on XXX.XX.XX.XXX#53 Apr 5 22:58:42 server3 named[5622]: exiting Apr 5 22:58:42 server3 named: succeeded Apr 5 22:58:43 server3 named[4873]: starting BIND 9.2.4rc6 -u named Apr 5 22:58:43 server3 named[4873]: using 2 CPUs Apr 5 22:58:43 server3 named[4873]: loading configuration from '/etc/named.conf' Apr 5 22:58:43 server3 named[4873]: no IPv6 interfaces found Apr 5 22:58:43 server3 named[4873]: listening on IPv4 interface lo, 127.0.0.1#53 Apr 5 22:58:43 server3 named[4873]: listening on IPv4 interface eth0, XXX.XX.XX.XXX#53 Apr 5 22:58:43 server3 named: named startup succeeded Apr 5 22:58:43 server3 named[4873]: listening on IPv4 interface eth0:1, XXX.XX.XX.XXX#53 Apr 5 22:58:43 server3 named[4873]: listening on IPv4 interface eth0:2, XXX.XX.XX.XXX#53 Apr 5 22:58:43 server3 named[4873]: listening on IPv4 interface eth0:3, XXX.XX.XX.XXX#53 Apr 5 22:58:43 server3 named[4873]: command channel listening on 127.0.0.1#953 Apr 5 22:58:43 server3 named[4873]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700 Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: loaded serial 2005013001 Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: loaded serial 2005020501 Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: loaded serial 2005020205 Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: loaded serial 2005020201 Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: loaded serial 2005013001 Apr 5 22:58:43 server3 named[4873]: zone localhost/IN: loaded serial 42 Apr 5 22:58:43 server3 named[4873]: zone ns5.hostname.net/IN: loaded serial 2005013002 Apr 5 22:58:43 server3 named[4873]: zone ns6.hostname.net/IN: loaded serial 2005013002 Apr 5 22:58:43 server3 named[4873]: zone EDITED.net/IN: loaded serial 2005013001 Apr 5 22:58:43 server3 named[4873]: zone EDITED.net/IN: loaded serial 2005013001 Apr 5 22:58:43 server3 named[4873]: running Apr 5 22:58:43 server3 named[4873]: zone EDITED.net/IN: sending notifies (serial 2005013001) Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: sending notifies (serial 2005013001) Apr 5 22:58:43 server3 named[4873]: zone ns5.hostname.net/IN: sending notifies (serial 2005013002) Apr 5 22:58:43 server3 named[4873]: zone ns6.hostname.net/IN: sending notifies (serial 2005013002) Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: sending notifies (serial 2005013001) Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: sending notifies (serial 2005020205) Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: sending notifies (serial 2005020201) Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.net' Apr 5 22:58:43 server3 named[4873]: zone EDITED.net/IN: sending notifies (serial 2005013001) Apr 5 22:58:43 server3 named[4873]: zone EDITED.com/IN: sending notifies (serial 2005020501) Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.com' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.net' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'ns6.hostname.net' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.com' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'ns5.hostname.net' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.com' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.com' Apr 5 22:58:43 server3 named[4873]: received notify for zone 'EDITED.com' Apr 5 22:58:45 server3 named[4873]: lame server resolving 'pleasedropthishost401068.cisdns.biz' (in 'cisdns.BIZ'?): 66.227.114.106#53 Apr 5 22:58:45 server3 named[4873]: lame server resolving 'pleasedropthishost401069.cisdns.biz' (in 'cisdns.BIZ'?): 66.227.114.106#53 Apr 5 22:58:45 server3 named[4873]: lame server resolving 'pleasedropthishost401068.cisdns.biz' (in 'cisdns.BIZ'?): 66.227.114.105#53 Apr 5 22:58:45 server3 named[4873]: lame server resolving 'pleasedropthishost401069.cisdns.biz' (in 'cisdns.BIZ'?): 66.227.114.105#53 Apr 5 22:58:47 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:48 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:48 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:48 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:48 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:49 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:49 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:49 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:52 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:52 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:52 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:52 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:53 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:53 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:53 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:53 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:54 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:54 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:54 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:54 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:54 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:55 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:55 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.46#53 Apr 5 22:58:55 server3 named[4873]: lame server resolving 'egoldexchangers.com' (in 'egoldexchangers.com'?): 213.212.208.47#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.112#53 Apr 5 22:58:58 server3 named[4873]: lame server resolving 'theotherside1.co.uk' (in 'theotherside1.CO.UK'?): 67.15.24.113#53

 

[junglecat]

OMG I just restarted bind again and an entirely DIFFERENT set of bogus ip's and domains came up, domains like 'ebookspublication.com' and 'whypayretail4computers.com'

 

[AndyReed]

It seems that you're having a serious DNS problem. PM me if you need help or send an email note to [email protected]

 

[rachweb]

Check this http://www.dnsreport.com/tools/dnsreport.ch?domain=egoldexchangers.com. How is your nameservers??

 

[junglecat]

Check this http://www.dnsreport.com/tools/dnsreport.ch?domain=egoldexchangers.com. How is your nameservers??

Those are not my nameservers and not even similar to my ip's
And I have never hosted that domain.

 

[rachweb]

check your hosts file. And how is your resolving (at /etc/resolv.conf)

 

[junglecat]

They show my domain and ip's but I don't know if they are configured correctly because I don't know what is supposed to be there.

(hate being such a n00b but the good news is I learn an incredible lots of new stuff when something goes wrong)



/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
216.66.12.132 server3.affiliate-sites.net server3



/etc/resolv.conf

search localhost
nameserver 216.66.12.132
nameserver 216.66.12.133

 

[rachweb]

They show my domain and ip's but I don't know if they are configured correctly because I don't know what is supposed to be there.

(hate being such a n00b but the good news is I learn an incredible lots of new stuff when something goes wrong)



/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
216.66.12.132 server3.affiliate-sites.net server3



/etc/resolv.conf

search localhost
nameserver 216.66.12.132
nameserver 216.66.12.133

In the resolv.conf file must you have this:

domain affiliate-sites.net
nameserver 216.66.12.132
nameserver 216.66.12.133

 

[junglecat]

restarted bind again to see what I get, these are the domains that came up (that I don't host and never saw before)

'challenge2005.com'
'webonline.BIZ'
'makingmoney2.BIZ'
'theotherside1.co.uk'

and of course a lot of ip's and nameservers I never saw before.

 

[rachweb]

How is your named.conf. Can you send me that file so i can see what it is

 

[junglecat]

In the resolv.conf file must you have this:

domain affiliate-sites.net
nameserver 216.66.12.132
nameserver 216.66.12.133

Wow, COOL, I edited it then restarted bind again and this time nothing came up except my own ip's and the domains that are hosted on that server.

THANKS!!

 

[junglecat]

How is your named.conf. Can you send me that file so i can see what it is

ok, will pm that to you as soon as I find it.

 

[dezignguy]

hmm, could you possibly be affected by the dns cache poisoning attacks that have been going on lately?

See the SANS site for more info...
http://isc.sans.org/diary.php?date=2005-04-04
It's not supposed to directly affect UNIX servers though so maybe that's not the case... but it kinda sounds like it to me. If your Bind configuration is insecure, it's possible that you could be affected.