Dec 01 2006
Catching rogue packets
For a while, my internal Linux machine was sending strange DNS queries to my provider's DNS servers.
Packets sniffed with tshark:
0.000000 192.168.1.10 -> 217.19.16.131 DNS Standard query A eth1
Tcpdump adds the port number by default as well:
21:15:36.795149 IP 192.168.1.10.32781 > 217.19.16.131.53:32834+ A? eth1. (22)
Running lsof in a loop, so that the short-lived UDP socket gets caught while it is open:
while :; do lsof -iUDP; done
Allowed me to catch the bad process:
nmbd 5468 root 9u IPv4 26837 UDP 192.168.1.10:32783->customer.cambrium.nl:domain
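The manual step above (match the sniffed query to a process by its UDP source port) can be scripted. The following is an added example, not part of the original post: it parses tcpdump and `lsof -iUDP -n -P` lines (both constructed here, with ports chosen so that they line up) and joins them on the local port; a query whose port is missing from the lsof sample stays unattributed, which is exactly why lsof has to be polled in a loop.

```python
import re
from collections import Counter

# Constructed sample captures in the two formats shown above (tcpdump and
# `lsof -iUDP -n -P`). Ports 32783/41022 were chosen to line up; 32781 is a
# query whose socket had already closed when lsof sampled, so it stays unattributed.
TCPDUMP_LINES = """\
21:15:33.101234 IP 192.168.1.10.32781 > 217.19.16.131.53: 32830+ A? eth1. (22)
21:15:36.795149 IP 192.168.1.10.32783 > 217.19.16.131.53: 32834+ A? eth1. (22)
21:15:37.102331 IP 192.168.1.10.32783 > 217.19.16.131.53: 32835+ A? eth1. (22)
21:15:40.554410 IP 192.168.1.10.41022 > 217.19.16.131.53: 1001+ A? www.example.com. (33)
""".splitlines()
LSOF_LINES = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
nmbd    5468 root    9u  IPv4  26837       UDP 192.168.1.10:32783->217.19.16.131:53
nmbd    5468 root   10u  IPv4  26838       UDP *:137
firefox 6001 user   44u  IPv4  27001       UDP 192.168.1.10:41022->217.19.16.131:53
""".splitlines()

# "<ts> IP <src>.<sport> > <dst>.<dport>: <id>+ <qtype>? <qname> (<len>)"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*\d+\+? (?P<qtype>[A-Z]+)\? "
    r"(?P<qname>\S+) \(\d+\)$")
# "COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME" for connected UDP sockets
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+(?:\S+\s+)?UDP\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)->(?P<raddr>\S+):(?P<rport>\S+)$")

def parse_lsof(lines):
    """Map local UDP source port -> 'command[pid]' for each connected socket."""
    owners = {}
    for line in lines:
        m = LSOF_RE.match(line)
        if m:  # the header and unconnected sockets (no '->') do not match
            owners[int(m["lport"])] = f"{m['cmd']}[{m['pid']}]"
    return owners

def attribute_queries(tcpdump_lines, lsof_lines):
    """Join sniffed DNS queries to processes on the local source port.
    Returns a Counter keyed by (owner, qtype, qname)."""
    owners = parse_lsof(lsof_lines)
    hits = Counter()
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if not m or m["dport"] != "53":
            continue  # not a DNS query
        owner = owners.get(int(m["sport"]), "unknown (port not in lsof sample)")
        hits[(owner, m["qtype"], m["qname"])] += 1
    return hits

if __name__ == "__main__":
    for (owner, qtype, qname), n in attribute_queries(TCPDUMP_LINES, LSOF_LINES).items():
        print(f"{n:3d}x {qtype} {qname:<20} {owner}")
```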
Looking at Samba's configuration file (smb.conf) and searching for 'eth1' turns up the culprit. With a netmask appended, Samba reads 'eth1' as a host address to resolve rather than as an interface name, hence the lookups for 'eth1.':
interfaces = eth1/255.255.255.0
Baaad ubuntu, m'kay.