"network unreachable resolving"

Hello
3 hours ago the server stopped redirecting on all my websites.
Looks like a DNS bug…
Here is the journal:
Thanks for helping me, please.
Stéphane

May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:500:d937::30#53
May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:503:eea3::30#53
May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:502:1ca1::30#53
May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:502:8cc::30#53
May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:503:83eb::30#53
May 16 11:11:04 s58462 saslauthd[733]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
May 16 11:11:04 s58462 saslauthd[733]: : auth failure: [user=anhyeuem@leaseweb.net] [service=smtp] [realm=leaseweb.net] [mech=pam] [reason=PAM auth error]
May 16 11:11:04 s58462 postfix/smtpd[13556]: warning: unknown[212.70.149.57]: SASL LOGIN authentication failed: authentication failure
May 16 11:11:04 s58462 postfix/smtpd[18732]: connect from unknown[5.34.207.98]
May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘23.207.34.5.in-addr.arpa/PTR/IN’: 2001:13c7:7002:3000::14#53
May 16 11:11:04 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:501:b1f9::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:503:eea3::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:503:d2d::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:502:1ca1::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:502:8cc::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:500:d937::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:503:83eb::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:503:d414::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:501:b1f9::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:503:eea3::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:503:83eb::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:502:1ca1::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:500:d937::30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:502:8cc::30#53
May 16 11:11:05 s58462 postfix/smtpd[13556]: disconnect from unknown[212.70.149.57] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘ns1.dns.nl/AAAA/IN’: 2001:7fd::1#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘ns3.dns.nl/AAAA/IN’: 2001:7fd::1#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘ns2.dns.nl/AAAA/IN’: 2001:7fd::1#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘_http._tcp.ppa.launchpad.net/SRV/IN’: 2001:503:231d::2:30#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘pri.authdns.ripe.net/A/IN’: 2001:13c7:7002:3000::14#53
May 16 11:11:05 s58462 named[703]: network unreachable resolving ‘pri.authdns.ripe.net/AAAA/IN’: 2001:13c7:7002:3000::14#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:502:7094::30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:500:856e::30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com/A/IN’: 2001:503:231d::2:30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:502:7094::30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:503:d414::30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:500:856e::30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:501:b1f9::30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:503:231d::2:30#53
May 16 11:11:06 s58462 named[703]: network unreachable resolving ‘www.peepso.com.dedi.leaseweb.net/AAAA/IN’: 2607:f5b5::53#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns2.peepso.com/AAAA/IN’: 2001:500:1::53#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns1.peepso.com/AAAA/IN’: 2001:500:1::53#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns3.dns.nl/AAAA/IN’: 2001:500:a8::e#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns1.dns.nl/AAAA/IN’: 2001:500:a8::e#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns2.dns.nl/AAAA/IN’: 2001:500:a8::e#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns1.dns.nl/AAAA/IN’: 2001:503:ba3e::2:30#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns3.dns.nl/AAAA/IN’: 2001:503:ba3e::2:30#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns2.dns.nl/AAAA/IN’: 2001:503:ba3e::2:30#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns1.dns.nl/AAAA/IN’: 2001:dc3::35#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns3.dns.nl/AAAA/IN’: 2001:dc3::35#53
May 16 11:11:07 s58462 named[703]: network unreachable resolving ‘ns2.dns.nl/AAAA/IN’: 2001:dc3::35#53
May 16 11:11:07 s58462 postfix/smtpd[11574]: connect from unknown[5.34.207.98]
May 16 11:11:08 s58462 saslauthd[742]: pam_unix(smtp:auth): check pass; user unknown
May 16 11:11:08 s58462 saslauthd[742]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 16 11:11:08 s58462 named[703]: client @0x7f632c1b1180 52.175.197.200#56585 (psychedelique.org): query (cache) ‘psychedelique.org/A/IN’ denied
May 16 11:11:08 s58462 named[703]: network unreachable resolving ‘ns1.dns.nl/AAAA/IN’: 2001:503:c27::2:30#53
May 16 11:11:08 s58462 named[703]: network unreachable resolving ‘www.host.universite.org.dedi.leaseweb.net/AAAA/IN’: 2607:f5b5::53#53
May 16 11:11:09 s58462 postfix/smtpd[13554]: connect from unknown[212.70.149.57]
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com.dedi.leaseweb.net/A/IN’: 2607:f5b5::53#53
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/A/IN’: 2001:503:39c1::30#53
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/AAAA/IN’: 2001:503:39c1::30#53
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘Aleksey in Launchpad’: 2001:503:39c1::30#53
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘_http._tcp.security.ubuntu.com/SRV/IN’: 2001:503:39c1::30#53
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘security.ubuntu.com/A/IN’: 2001:503:39c1::30#53
May 16 11:11:09 s58462 named[703]: network unreachable resolving ‘security.ubuntu.com/AAAA/IN’: 2001:503:39c1::30#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘98.207.34.5.in-addr.arpa/PTR/IN’: 2001:500:14:6100:ad::1#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘98.207.34.5.in-addr.arpa/PTR/IN’: 2620:38:2000::53#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘downloads.linux.hpe.com.dedi.leaseweb.net/AAAA/IN’: 2607:f5b5::53#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:500:d937::30#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘98.207.34.5.in-addr.arpa/PTR/IN’: 2001:dd8:12::53#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:503:eea3::30#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:503:eea3::30#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘98.207.34.5.in-addr.arpa/PTR/IN’: 2001:13c7:7002:3000::14#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘ppa.launchpad.net.dedi.leaseweb.net/A/IN’: 2607:f5b5::53#53
May 16 11:11:10 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:500:d937::30#53
May 16 11:11:10 s58462 saslauthd[742]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
May 16 11:11:10 s58462 saslauthd[742]: : auth failure: [user=fitri] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
May 16 11:11:10 s58462 postfix/smtpd[21423]: warning: unknown[5.34.207.98]: SASL LOGIN authentication failed: authentication failure
May 16 11:11:10 s58462 postfix/smtpd[23618]: connect from unknown[5.34.207.98]
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:503:83eb::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:502:7094::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:500:856e::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:503:83eb::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:503:d414::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:502:7094::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:503:231d::2:30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:500:856e::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:503:d2d::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:503:d414::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:503:231d::2:30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:503:d2d::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘www.peepso.com.dedi.leaseweb.net/A/IN’: 2607:f5b5::53#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘software.virtualmin.com/AAAA/IN’: 2001:503:39c1::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:502:8cc::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:503:a83e::2:30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘mirror.leaseweb.com/A/IN’: 2001:501:b1f9::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:502:8cc::30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:503:a83e::2:30#53
May 16 11:11:11 s58462 named[703]: network unreachable resolving ‘_http._tcp.software.virtualmin.com/SRV/IN’: 2001:501:b1f9::30#53
May 16 11:11:12 s58462 postfix/smtpd[21423]: disconnect from unknown[5.34.207.98] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
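
A journal like the one above is easier to read once it is split by daemon and address family. The following is an added example, not part of the original post: the function names and the sample lines are constructed for illustration, and all addresses come from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the journal format in the post above;
# all addresses come from documentation ranges, not from the thread.
SAMPLE = """\
May 16 11:11:04 host named[703]: network unreachable resolving 'repo.example.org/A/IN': 2001:db8:1::30#53
May 16 11:11:04 host named[703]: network unreachable resolving 'repo.example.org/AAAA/IN': 2001:db8:2::30#53
May 16 11:11:05 host named[703]: network unreachable resolving '57.113.0.203.in-addr.arpa/PTR/IN': 2001:db8:3::14#53
May 16 11:11:05 host postfix/smtpd[1356]: warning: unknown[203.0.113.57]: SASL LOGIN authentication failed: authentication failure
May 16 11:11:06 host postfix/smtpd[1357]: warning: unknown[203.0.113.57]: SASL LOGIN authentication failed: authentication failure
May 16 11:11:07 host postfix/smtpd[2142]: warning: unknown[198.51.100.98]: SASL LOGIN authentication failed: authentication failure
May 16 11:11:08 host named[703]: client @0x7f0000000000 192.0.2.200#56585 (example.org): query (cache) 'example.org/A/IN' denied
May 16 11:11:09 host postfix/smtpd[2142]: connect from unknown[198.51.100.98]
"""

# Accept both ASCII quotes (real named output) and the curly quotes forums substitute.
UNREACH = re.compile(r"named\[\d+\]: network unreachable resolving "
                     r"['‘](?P<query>[^'’]+)['’]: (?P<addr>[0-9A-Fa-f:.]+)#\d+")
SASL = re.compile(r"postfix/smtpd\[\d+\]: warning: \S*\[(?P<ip>[^\]]+)\]: "
                  r"SASL \w+ authentication failed")
DENIED = re.compile(r"named\[\d+\]: client (?:@\S+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+ "
                    r".*query \(cache\) .* denied")


def triage(text):
    """Summarise resolver failures and authentication noise in a syslog excerpt."""
    out = {"unreachable_by_family": Counter(), "unreachable_queries": Counter(),
           "sasl_failures": Counter(), "recursion_denied": Counter(), "unparsed": 0}
    for line in text.splitlines():
        if m := UNREACH.search(line):
            try:
                version = ipaddress.ip_address(m["addr"]).version
            except ValueError:      # mangled address: count it, do not crash
                out["unparsed"] += 1
                continue
            out["unreachable_by_family"][f"IPv{version}"] += 1
            out["unreachable_queries"][m["query"]] += 1
        elif m := SASL.search(line):
            out["sasl_failures"][m["ip"]] += 1
        elif m := DENIED.search(line):
            out["recursion_denied"][m["ip"]] += 1
    return out


def only_ipv6_unreachable(summary):
    """True when every unreachable upstream was an IPv6 address, which points
    at missing IPv6 routing on the host; IPv4 entries suggest a wider outage."""
    fam = summary["unreachable_by_family"]
    return fam["IPv6"] > 0 and fam["IPv4"] == 0


if __name__ == "__main__":
    s = triage(SAMPLE)
    print(dict(s["unreachable_by_family"]), only_ipv6_unreachable(s))
    print(s["sasl_failures"].most_common(), dict(s["recursion_denied"]))
```

Feed it the text of a saved journal excerpt; the per-IP SASL failure counts and the denied recursion clients are separate from the resolver errors and are worth reviewing on their own.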

Please do :wink:
Forum Guidelines: Please read before posting! - Help! (Home for newbies) - Virtualmin Community

Sorry Jo, for the missed.

Ubuntu Linux 18.04.6
Webmin v: 1.991 Usermin v: 1.840 Virtualmin v: 7.0-4 Pro
(All installed packages are up to date)

I guess it’s all the same problem, because it happened all at once.
THE PUBLIC DNS CHECK A is ok for all websites.
I’m a really deep dummy ;/ so I didn’t try anything.

Many thanks for your suggestions

I add here the journal of one of the 50 websites:

212.32.255.6 - - [16/May/2022:08:01:38 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:08:01:38 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”
212.32.255.6 - - [16/May/2022:08:16:43 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:08:16:43 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”
212.32.255.6 - - [16/May/2022:08:40:34 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:09:16:57 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”
212.32.255.6 - - [16/May/2022:09:53:22 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:10:29:45 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:10:29:57 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”
212.32.255.6 - - [16/May/2022:11:07:17 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”
212.32.255.6 - - [16/May/2022:11:44:15 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:11:44:25 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”
212.32.255.6 - - [16/May/2022:12:24:30 +0000] “HEAD / HTTP/1.0” 200 1144 “-” “Webmin”
212.32.255.6 - - [16/May/2022:12:24:45 +0000] “HEAD / HTTP/1.0” 200 6370 “-” “Webmin”

Trying to update an SSL key, I got this, if it helps to help me :confused:

" Validating configuration for eveil.press …
… errors were found, which will prevent Let’s Encrypt from issuing a certificate :

The domains are on “namecheap” and I don’t use “CloudFlare”.
I am trying to find help here but …

Thanks again

Your system cannot resolve any names. This has nothing to do with your domains (i.e. it doesn’t matter at all that your names are registered at Namecheap).

Are the DNS servers configured in /etc/resolv.conf sensible? If 127.0.0.1 is listed, is named running on your system? Are the other DNS servers listed there right?

The system absolutely has to have working DNS resolution for a whole lot of other things to work.

For your resolv.conf question, I found this? (Or where can I check if its config is “sensible”, please? :confused:) (The 127.0.0.“53” looks… strange, no?)

For the other DNS list:

3 other captures, if it can help:



Really sorry for my dummy state, Joe.

You use the DNS resolver by resolv.conf of “leaseweb”, your hoster, so please ask them for support.

If you want to edit and do it yourself they warn in that file, it should however be possible but first ask them.

Is this after reboot?

Or is the box rebooted? If not, you can try that, but take care of backups.

A lot of VPS / cloud hosters have a dynamic resolv.conf file, changing as there are changes in the network, mostly by cloud-init or so.

Sometimes Virtualmin or other control panels cannot handle this, and you have to “kind of” break out and do things manually yourself.

My advice, however: do this with the help of hoster support, while they know what their resolv.conf needs.

Or something wrong with Virtualmin, but then a bug?? 127.0.0.1 and 23.19.53.53 and 23.19.52.53, or did you or someone edit that file?

i am not sure about that…

127.0.0.53 is fine. It means you have a local caching resolver. Very common on modern systems. But, in this case, the local caching resolver won’t answer, so that’s a problem.

I don’t know why the Hostname and DNS Client page in Webmin shows something completely different from /etc/resolv.conf. I’m not sure how that could happen, since that’s the file Webmin gets it from.

Hi Joe,

The support service of my hoster responded and solved the problem.
It seems to be an attack.

Otherwise, I thank you very much for your help.
If you find or have seen any dangerous or incorrectly set technical details on the server or webmin,
please let me know so that I can try to minimize the risk of it happening again.

Thanks again Joe.
Stéphane

I’m copying you their message:
“”
Greetings,

Hello,

This is a notification of unauthorized uses of systems or networks.

On May 13, 2022, a total of 2 IP addresses from your networks
probed my servers for TCP open ports. Due to their dubious behavior, they
are suspected to be compromised botnet computers.

The log of TCP port scans is included below for your reference
(time zone is UTC). To prevent this mail from getting too big in size,
at most 5 attempts from each attacker IP are included. Those connection
attempts have all passed TCP’s 3-way handshake, so you can trust the source
IP addresses to be correct.

If you regularly collect IP traffic information of your network, you will see
the IPs listed connected to various TCP ports of my server at the time logged,
and I suspect that they also connected to TCP ports of many other IPs.

If a Linux system was at the attacker’s IP, you might want to use the
command “netstat -ntp” to list its active network connections. If there
is still some suspicious connection, find out what PID/program/user ID they
belong to. You might find something to help you solve this problem.

Please notify the victims (owners of those botnet computers) so that they
can take appropriate action to clean their computers, before even
more severe incidents, like data leakage, DDoS, and the rumored NSA spying
through hijacked botnets, arise. This also helps prevent botnets from
taking up your network bandwidth.

Chih-Cherng Chin
Daily Botnet Statistics

---- log of TCP port scans (time zone is UTC; sent to abuse@nl.leaseweb.com) ----

(time in UTC)=2022-05-13T10:17:44 (attacker’s IP)=212.32.255.6 (IP being scanned)=199^188^100^70 (TCP port being scanned)=25
(time in UTC)=2022-05-13T09:17:34 (attacker’s IP)=CENSORED (IP being scanned)=193^142^146^178 (TCP port being scanned)=445
(time in UTC)=2022-05-13T11:33:07 (attacker’s IP)=CENSORED (IP being scanned)=172^245^241^177 (TCP port being scanned)=445
(time in UTC)=2022-05-13T11:36:18 (attacker’s IP)=CENSORED (IP being scanned)=172^245^241^177 (TCP port being scanned)=445
(time in UTC)=2022-05-13T11:36:19 (attacker’s IP)=CENSORED (IP being scanned)=172^245^241^177 (TCP port being scanned)=445
(time in UTC)=2022-05-13T11:36:23 (attacker’s IP)=CENSORED (IP being scanned)=172^245^241^177 (TCP port being scanned)=445

You were likely hacked.
Do you have access to your second IP on server or not?
We tried to inform you about it on email, but you don’t read mails. ""

That’s a new issue (or, at least, it is a different issue than the original topic title or first post describes), please make a new topic.
