jensvoid / lorg

Apache Logfile Security Analyzer
GNU General Public License v2.0
208 stars, 50 forks

Netstat filling up with TIME_WAIT #7

Closed. keldnorman closed this 7 years ago

keldnorman commented 7 years ago

I am getting a lot of these when I run Lorg:

    netstat -an
    tcp 0 0 10.0.200.21:50796 149.210.220.191:53 TIME_WAIT
    tcp 0 0 10.0.200.21:15131 149.210.220.209:53 TIME_WAIT
    tcp 0 0 10.0.200.21:61494 149.210.220.191:53 TIME_WAIT
    tcp 0 0 10.0.200.21:33973 149.210.220.191:53 TIME_WAIT
    tcp 0 0 10.0.200.21:53600 149.210.220.209:53 TIME_WAIT
    tcp 0 0 10.0.200.21:56394 149.210.220.191:53 TIME_WAIT

It looks like it is related to a site that is not there anymore: "ns1.darkness-reigns.net"

Do you have any idea where Lorg gets that DNS server from? Or whether it is related to running LORG at all?

jensvoid commented 7 years ago

Did you provide the -h arguments when running LORG?

If so, reverse DNS lookups are made for all IP addresses connected to an attack. LORG, however, simply uses PHP's dns_get_record(), which should only query your local nameserver (which probably ain't ns1.darkness-reigns.net).

Can you still reproduce the issue?
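The check the reply above points at is whether the port-53 peers in TIME_WAIT are actually the box's configured local nameservers, and whether all the lingering sockets are DNS at all. The script below is an added example written for this page, not code from the thread or from the LORG project. The netstat -an lines are a constructed sample using the peers from the issue plus one unrelated socket, and the resolv.conf contents are an assumption made for the demo (the thread never says what the real resolv.conf contained); on a live host you would feed it the real `netstat -an` and `/etc/resolv.conf` instead.

```shell
#!/bin/sh
# Added example: summarise TIME_WAIT sockets from `netstat -an` output and check
# whether the remote port-53 peers are the nameservers listed in resolv.conf.
# This is not LORG code.

# Constructed sample in the shape of Linux `netstat -an` output
# (field order: proto recv-q send-q local foreign state).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.200.21:50796       149.210.220.191:53      TIME_WAIT
tcp        0      0 10.0.200.21:15131       149.210.220.209:53      TIME_WAIT
tcp        0      0 10.0.200.21:61494       149.210.220.191:53      TIME_WAIT
tcp        0      0 10.0.200.21:33973       149.210.220.191:53      TIME_WAIT
tcp        0      0 10.0.200.21:53600       149.210.220.209:53      TIME_WAIT
tcp        0      0 10.0.200.21:56394       149.210.220.191:53      TIME_WAIT
tcp        0      0 10.0.200.21:22          10.0.200.5:51234        ESTABLISHED'

# Constructed sample resolv.conf. ASSUMPTION for the demo only: the two
# 149.210.220.x hosts are the configured resolvers. The thread does not say so.
RESOLV_SAMPLE='search example.internal
nameserver 149.210.220.191
nameserver 149.210.220.209'

# time_wait_by_peer: stdin = netstat -an output. Prints "<count> <remote addr:port>"
# for every remote endpoint that has TIME_WAIT sockets, busiest first.
# Header lines never start with "tcp", so the proto match drops them.
time_wait_by_peer() {
  awk '$1 ~ /^tcp/ && $NF == "TIME_WAIT" { n[$5]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# time_wait_port53_total: stdin = netstat -an output. Number of TIME_WAIT sockets
# whose remote port is 53, i.e. TCP DNS exchanges this host closed recently.
time_wait_port53_total() {
  awk '$1 ~ /^tcp/ && $NF == "TIME_WAIT" && $5 ~ /:53$/ { c++ } END { print c + 0 }'
}

# is_configured_resolver IP: stdin = resolv.conf. Exit 0 if IP is a listed nameserver.
is_configured_resolver() {
  awk -v ip="$1" '$1 == "nameserver" && $2 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# classify_dns_peers NETSTAT_TEXT RESOLV_TEXT: for each remote port-53 endpoint in
# TIME_WAIT print "<count> <ip> configured-resolver|not-in-resolv.conf".
# A peer in the second class is the one to investigate: a stub resolver such as
# the one behind PHP's dns_get_record() should only be talking to resolv.conf entries.
classify_dns_peers() {
  printf '%s\n' "$1" | time_wait_by_peer | while read -r count peer; do
    ip=${peer%:*}
    port=${peer##*:}
    [ "$port" = 53 ] || continue
    if printf '%s\n' "$2" | is_configured_resolver "$ip"; then
      echo "$count $ip configured-resolver"
    else
      echo "$count $ip not-in-resolv.conf"
    fi
  done
}

# Stand-alone run on the samples. On a live box use "$(netstat -an)" and
# "$(cat /etc/resolv.conf)" in place of the two sample strings.
printf 'TIME_WAIT sockets to port 53: %s\n' "$(printf '%s\n' "$NETSTAT_SAMPLE" | time_wait_port53_total)"
classify_dns_peers "$NETSTAT_SAMPLE" "$RESOLV_SAMPLE"
```

If every busy peer comes back as configured-resolver, the sockets are just the host's own stub resolver doing the per-IP reverse lookups that -h triggers, and the fix is to drop -h (or run fewer passes over the same log). A peer reported as not-in-resolv.conf means something on the box is sending DNS to a server you never configured, which is a different problem from LORG's lookup volume.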

keldnorman commented 7 years ago

Hm, yes,

I had the -h on the command line:

    LORG_HTML="${LORG} -o html -d chars -d phpids -d dnsbl -d geoip -a all -c all -b all -n -u -h -g ${LOG_TO_PROCESS} ${HTML_FILE}"
    LORG_JSON="${LORG} -o json -d chars -d phpids -d dnsbl -d geoip -a all -c all -b all -n -u -h -g ${LOG_TO_PROCESS} ${JSON_FILE}"
    LORG_CSV="${LORG} -o csv -d chars -d phpids -d dnsbl -d geoip -a all -c all -b all -n -u -h -g ${LOG_TO_PROCESS} ${CSV_FILE}"
    LORG_XML="${LORG} -o xml -d chars -d phpids -d dnsbl -d geoip -a all -c all -b all -n -u -h -g ${LOG_TO_PROCESS} ${XML_FILE}"

I will try to run the script again without -h and see if it changes things. Thanks :)

-- Best regards, Keld Norman

keld.norman@gmail.com

keldnorman commented 7 years ago

That fixed the problem. Thanks!