Lame server resolving errors
Hello all,
Have some weirdness in my logs, wondering if someone can enlighten me as to why. I'm regularly seeing extracts like the following:
Code:
Oct 25 11:01:05 box named[14994]: lame server resolving 'tests.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'zendextensionmanager.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving '4.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'pdf.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'geoip.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'mailparse.so' (in 'so'?): 1.2.3.4#53
These are all PECL so's, most of which I don't actually have on the server that is doing it, which makes it even weirder.
I have checked over the machine in question thoroughly, and can't find anything, anywhere, in any logs mentioning these modules (have spent hours manually rummaging through the exim logs, syslogs and apache domlogs/error logs etc).
I have checked through all the listening processes on the server and nothing abnormal shows there, rkhunter and chkrootkit are coming back clean so I am lost as to what is causing this.
The only potential cause I can see for this is some form of XSS attack, but I can't find anything at all in the logs to back this up, so wondering if anyone has any ideas?
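One way to triage log lines like those quoted above, as an added example that is not part of the original post: it parses named's "lame server resolving" messages, groups them by zone and answering server, flags looked-up names that read like filenames rather than hostnames, and lists the seconds in which several arrived together so they can be matched against other logs. The sample log, the suffix list and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the post; the last two
# lines are extra constructed entries (documentation-range addresses).
SAMPLE_LOG = """\
Oct 25 11:01:05 box named[14994]: lame server resolving 'tests.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:05 box named[14994]: lame server resolving 'pdf.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:01:06 box named[14994]: lame server resolving 'geoip.so' (in 'so'?): 1.2.3.4#53
Oct 25 11:02:10 box named[14994]: lame server resolving 'www.example.com' (in 'example.com'?): 192.0.2.53#53
Oct 25 11:02:11 box sshd[2201]: Accepted publickey for admin from 198.51.100.7 port 50022 ssh2
"""

LAME_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s"
    r"lame server resolving '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[^#\s]+)#(?P<port>\d+)$"
)

# Assumption: suffixes treated as "looks like a filename"; extend as needed.
FILE_LIKE_SUFFIXES = {"so", "dll", "ini", "conf", "log", "php"}

def parse_lame(text):
    """Return one dict per 'lame server resolving' line; skip everything else."""
    matches = (LAME_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def looks_like_filename(qname):
    """True for two-label names such as 'geoip.so' whose suffix is a file extension."""
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[1] in FILE_LIKE_SUFFIXES

def summarize(events, burst_threshold=2):
    """Count by zone and remote server, list filename-like names, and report
    timestamps with at least burst_threshold events for correlation with other logs."""
    per_second = Counter(e["ts"] for e in events)
    return {
        "by_zone": Counter(e["zone"].lower() for e in events),
        "by_server": Counter(e["server"] for e in events),
        "file_like": sorted({e["qname"] for e in events if looks_like_filename(e["qname"])}),
        "bursts": {ts: n for ts, n in per_second.items() if n >= burst_threshold},
    }

if __name__ == "__main__":
    for key, value in summarize(parse_lame(SAMPLE_LOG)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```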