resolv.conf weird problem, its content keeps changing with encrypted content

Issues related to configuring your network
alexfox20
Posts: 3
Joined: 2020/06/25 08:51:26

resolv.conf weird problem, its content keeps changing with encrypted content

Post by alexfox20 » 2022/01/20 12:10:14

I have a weird problem: the resolv.conf file keeps getting attributes even if I remove them; they return after a few seconds:

# lsattr /etc/resolv.conf:
----i----------- /etc/resolv.conf

# chattr -i /etc/resolv.conf
# lsattr /etc/resolv.conf:
---------------- /etc/resolv.conf

After a few seconds, it returns again!!:

# lsattr /etc/resolv.conf:
----i----------- /etc/resolv.conf

Also, the /etc/resolv.conf value has been changed from my local DNS to "223.6.6.6", plus a line of encrypted content like this:

# cat /etc/resolv.conf:
nameserver 223.6.6.6
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@

And the resolv.conf file becomes unchangeable. I have made sure that the NIC is configured well.

Any ideas please??

Thanks in advance.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: resolv.conf weird problem, its content keeps changing with encrypted content

Post by TrevorH » 2022/01/20 12:42:06

"223.6.6.6" is an IP address that whois says belongs to Alibaba in China. They have a cloud service that anyone can rent a VM from. I would be very very suspicious about this - I would guess that you've been hacked and there is a foreign process running that changes the contents of resolv.conf back to the attacker's DNS server so that any attempt you make to contact anywhere else is redirected to them. That process presumably then makes the resolv.conf file immutable to stop an admin from changing it.

Remove the machine from the network, boot from installation media in rescue mode (an option off the troubleshooting menu) and backup all your data then get ready to reinstall the machine from scratch. Inspect any data that you restore to the newly installed machine to make sure you are not restoring the compromise.

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
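An added example, not posted by either participant in this thread: a small POSIX sh audit that checks a resolv.conf-style file for the three symptoms described above (a nameserver outside the set you expect, NUL bytes padded onto a text file, and the immutable attribute). The EXPECTED_NS values and the sample file the demo builds are constructed for illustration; the sample mirrors the content shown in the first post. lsattr is only consulted when it is installed, so the content checks run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit a resolv.conf-style file for
# an unexpected nameserver, NUL padding, and the immutable bit.

# Nameservers you expect to see, space-separated. Assumed values; set your own.
EXPECTED_NS="${EXPECTED_NS:-192.168.1.1 192.168.1.2}"

# Print every nameserver in the file that is not listed in EXPECTED_NS.
unexpected_nameservers() {
    file="$1"
    # tr strips NUL bytes first so awk sees plain text lines
    tr -d '\000' < "$file" | awk '$1 == "nameserver" { print $2 }' |
    while read -r ns; do
        found=0
        for ok in $EXPECTED_NS; do
            [ "$ns" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$ns"
    done
    return 0
}

# Count NUL bytes in the file; a clean resolv.conf has 0.
nul_byte_count() {
    tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# Report the immutable attribute: prints yes, no, or unknown (no lsattr,
# or a filesystem that does not support attributes).
immutable_flag() {
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr "$1" 2>/dev/null | awk '{ print $1 }')
        case "$attrs" in
            *i*) echo yes ;;       # lowercase i in the flag field = immutable
            "")  echo unknown ;;
            *)   echo no ;;
        esac
    else
        echo unknown
    fi
}

# Full audit. Returns 0 when nothing looks wrong, 1 when any check fires.
audit_resolv_conf() {
    file="${1:-/etc/resolv.conf}"
    status=0
    bad=$(unexpected_nameservers "$file")
    if [ -n "$bad" ]; then
        echo "WARN: unexpected nameserver(s) in $file: $bad"
        status=1
    fi
    nuls=$(nul_byte_count "$file")
    if [ "$nuls" -gt 0 ]; then
        echo "WARN: $nuls NUL byte(s) in $file (binary padding in a text file)"
        status=1
    fi
    if [ "$(immutable_flag "$file")" = yes ]; then
        echo "WARN: $file has the immutable attribute set (see: lsattr $file)"
        status=1
    fi
    return $status
}

# Demo on a constructed sample that mirrors the first post: one foreign
# nameserver followed by a run of NUL bytes. Not the live /etc/resolv.conf.
sample=$(mktemp)
printf 'nameserver 223.6.6.6\n' > "$sample"
printf '\000\000\000\000\000\000\000\000' >> "$sample"
audit_resolv_conf "$sample" || echo "audit flagged $sample"
rm -f "$sample"
```

Run `audit_resolv_conf` with no argument to check the live file; a non-zero exit lets you wire it into a cron job or monitoring check. The NUL check matters on its own: resolv.conf is read by the libc resolver as text, so binary padding has no legitimate reason to be there.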
