[BlueOnyx:03942] Odd errors messages on BX this morning...

Darrell D. Mobley dmobley at uhostme.com
Thu Mar 11 11:16:13 -05 2010


This morning, my BX server updated TZDATA via automated YUM update.

About 1 hour after getting on my work computer this morning, email
authentication to the server started failing.  I wondered if it was
experiencing a DDOS attack and went to log in via SSH to check it.  SSH
authentication failed.  I went to another server and tried to SSH into the
server and got this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for uhostme.com has changed,
and the key for the according IP address 208.77.219.101
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
9e:09:dd:50:24:75:23:2e:19:b3:55:87:4b:53:eb:76.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:4
RSA host key for uhostme.com has changed and you have requested strict
checking.
Host key verification failed.

That was not the correct IP for that domain.  I was able to log into the GUI
and changed the admin password, and was able to log in via SSH.  I changed
it back to what it was and it was still ok, and then email authentication
started working again.

Looking at the maillog, I found the authentication portion of my login
attempts that failed, and saw authentication connections attempted for
208.77.219.98, which is the correct IP, and 208.77.219.101.  I looked into
the DNS configuration in the GUI and found entries for my basic DNS
autoconfig settings: domain.host, www.domain.host, mail.domain.host and
ftp.domain.host for BOTH IPs.  No wonder the authentication was confused!

How did this happen?  Have I been sleep-typing after taking Ambien?
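To make the two warnings above concrete, here is an added example (not from the post, and not BlueOnyx code) that reproduces ssh's known_hosts reasoning on constructed entries: whether the name's key is known, and whether the resolved IP has any entry at all, which is what separates the "possible DNS spoofing" warning from a plain key change. The known_hosts lines, key blobs and host names are constructed; hashed entries and wildcard patterns are assumed absent.

```python
import base64
import hashlib

# Constructed sample key blobs (base64 of plain text, not real key material).
REAL_KEY = base64.b64encode(b"REAL-UHOSTME-KEY-BLOB").decode()
OTHER_KEY = base64.b64encode(b"OTHER-HOST-KEY-BLOB").decode()

# Constructed known_hosts content; line 2 is what the client knew for the domain
# and its usual address. Entries are assumed unhashed, with no wildcards.
KNOWN_HOSTS = (
    f"backup.example.test ssh-rsa {base64.b64encode(b'BACKUP').decode()}\n"
    f"uhostme.com,208.77.219.98 ssh-rsa {REAL_KEY}\n"
)


def md5_fingerprint(key_b64: str) -> str:
    """Old-style OpenSSH fingerprint: MD5 of the decoded key blob, colon-separated."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text: str) -> list:
    """Return (line_number, [host patterns], key type, key blob) per entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        entries.append((lineno, fields[0].split(","), fields[1], fields[2]))
    return entries


def classify(text: str, host: str, ip: str, presented_key: str) -> dict:
    """Mirror ssh's decision: is the name's key known, and is the IP known?"""
    entries = parse_known_hosts(text)
    by_host = [e for e in entries if host in e[1]]
    by_ip = [e for e in entries if ip in e[1]]
    result = {"fingerprint": md5_fingerprint(presented_key), "offending_line": None}
    if not by_host:
        result["verdict"] = "unknown-host"          # first-contact prompt
    elif any(e[3] == presented_key for e in by_host):
        result["verdict"] = "ok"
    else:
        result["offending_line"] = by_host[0][0]     # "Offending key in known_hosts:N"
        if not by_ip:
            # Name's key changed AND the IP is unknown: the post's case, where DNS
            # handed out an address the client had never seen for that name.
            result["verdict"] = "host-key-changed-ip-unknown"
        elif any(e[3] == presented_key for e in by_ip):
            result["verdict"] = "name-now-resolves-to-other-known-host"
        else:
            result["verdict"] = "host-key-changed"
    return result
```

Run against the post's two addresses, the unexpected 208.77.219.101 with an unfamiliar key yields the "ip-unknown" verdict and points at line 2 of the constructed file, while the same wrong key seen at 208.77.219.98 is only a key change.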