ISP Says My Server "Infected", Log Shows Weird NSLCD Stuff

I live in Taiwan and get this message from my ISP a few times a year.

Dear customer, our company has received a notification from the National Communications Commission's information security reporting platform that your computer was infected with malware on 2021/8/12 10:21 and subsequently launched attacks against external hosts. To avoid affecting your service, please carry out the measures recommended by the reporting platform. Thank you!!

[Recommended measures]: 1. Check whether there are any unknown accounts on the system. 2. Use the nslookup command in a terminal to confirm whether the DNS service on the attached IP is running as an open DNS resolver. Example: to check whether 168.x.x.x is an open resolver, run nslookup 168.x.x.x; if the query returns a network address, the resolver is open. 3. If the DNS service on the system is not required, it is recommended to disable it, or to adjust its configuration so that recursive queries are only served to users on the local network.

Google translate:

Hello, dear users, because our company has received a notification from the Information Security Notification Platform of the National Communications Commission that your computer was infected by malicious programs at 10:21 on 8/12/2021, and attacked directly to avoid affecting your Use rights, please follow the measures recommended by the information security notification platform, thank you!!

[Recommended measures]: 1. Check whether there is an unknown account on the system. 2. You can use the nslookup command in the terminal to confirm whether the DNS Open Resolver is enabled for the DNS service of the attached IP. Example: To confirm whether DNS Open Resolver is enabled on 168.x.x.x, you can use the command nslookup 168.x.x.x. If the query has an answer to the network address, it means it is enabled. 3. If the DNS service on the system is not necessary, it is recommended to turn off or adjust the service settings to restrict the recursive query function to only local domain users

So I checked the logs at the time they mention to see what they are talking about.
I have some curious things in the log…

Aug 12 10:20:51 arkadi nslcd[1127]: [39d7fc] <passwd="*"> request denied by validnames option

and later…

Aug 12 10:24:22 arkadi nslcd[1127]: [583f67] <passwd="*"> request denied by validnames option
Aug 12 10:28:09 arkadi slapd[1103]: <= mdb_substring_candidates: (mail) not indexed
Aug 12 10:28:09 arkadi slapd[1103]: <= mdb_substring_candidates: (mail) not indexed
Aug 12 10:28:29 arkadi nslcd[1127]: [102051] <passwd="*"> request denied by validnames option

Is this log entry something to be worried about? It seems to happen quite regularly on my system… every 5 minutes.
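The entries above are nslcd refusing a lookup for a user literally named `*` under its validnames option: nslcd checks every requested name against a regular expression before it touches LDAP, and the default pattern does not admit `*`, so the request is dropped locally and no directory query is made. One way to see how often that happens and what else nslcd is refusing is to tally the denials and the spacing between them. This is an added example, not code from the thread; the sample log lines are constructed after the ones quoted above and the `group="*"` line is made up to show a second key.

```shell
#!/bin/sh
# Added example (not from the forum thread): tally the nslcd "denied by validnames"
# entries in a syslog excerpt and print the spacing between them, so a regularly
# repeating local lookup can be told apart from something new.
# The sample lines are constructed, not real captures.

SAMPLE_LOG='Aug 12 10:20:51 arkadi nslcd[1127]: [39d7fc] <passwd="*"> request denied by validnames option
Aug 12 10:24:22 arkadi nslcd[1127]: [583f67] <passwd="*"> request denied by validnames option
Aug 12 10:28:09 arkadi slapd[1103]: <= mdb_substring_candidates: (mail) not indexed
Aug 12 10:28:29 arkadi nslcd[1127]: [102051] <passwd="*"> request denied by validnames option
Aug 12 10:31:00 arkadi nslcd[1127]: [1a2b3c] <group="*"> request denied by validnames option'

# tally_nslcd_denials: read syslog text on stdin; print '<map="value"> <count>'
# for each distinct request key that nslcd rejected, sorted by key.
tally_nslcd_denials() {
  awk '/nslcd\[[0-9]+\]: .*request denied by validnames option/ {
         # the requested key sits between < and >, e.g. <passwd="*">
         if (match($0, /<[^>]*>/)) {
           key = substr($0, RSTART + 1, RLENGTH - 2)
           n[key]++
         }
       }
       END { for (k in n) print k, n[k] }' | sort
}

# nslcd_denial_gaps: print the number of seconds between consecutive denials.
# Syslog timestamps carry no year and this ignores day rollover (same day assumed).
nslcd_denial_gaps() {
  awk '/nslcd\[[0-9]+\]: .*request denied by validnames option/ {
         split($3, t, ":")                       # $3 is HH:MM:SS
         s = t[1] * 3600 + t[2] * 60 + t[3]
         if (seen) print s - prev
         prev = s; seen = 1
       }'
}

# Stand-alone usage: feed the real journal instead of the sample, e.g.
#   journalctl -u nslcd --since "2021-08-12 10:00" --until "2021-08-12 11:00" | tally_nslcd_denials
printf '%s\n' "$SAMPLE_LOG" | tally_nslcd_denials
printf '%s\n' "$SAMPLE_LOG" | nslcd_denial_gaps
```

On the constructed sample the tally is `group="*" 1` and `passwd="*" 3`, and the gaps are 211, 247 and 151 seconds, which is the kind of irregular-but-frequent cadence a local service polling the directory produces; a denial for a key that is not `*` would be the thing worth following up, since that is a name some process on the box actually tried to resolve.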

Are you sure the message is from your ISP? Have you checked the From header with a mail client that displays the email address and label? If you know how, could you check the source of the email?

Have you made any changes to the YunoHost firewall? Are you using the Pi-hole app?

Are you sure it’s your YunoHost server and not another device?

  • For sure from my ISP. It redirects my connection to that page and won’t let me use the internet until I click “OK”.

  • Firewall: Opened ports on Yunohost

$ sudo yunohost firewall list
  - 25
  - 53
  - 67
  - 80
  - 443
  - 587
  - 791
  - 993
  - 2288
  - 2342
  - 3478
  - 3479
  - 4711
  - 5222
  - 5223
  - 5269
  - 5270
  - 5290
  - 5291
  - 5349
  - 5350
  - 5353
  - 8096
  - 9091
  - 49152:65535
  - 51413

On my router I don’t have port 53 open. I know that can be an issue with Pihole. I changed my ssh port to 2288.

  • I am using Pi-hole. I’m not using it as a DHCP server, but am using it as DNS server for all my computers on the network.

  • I’m not exactly sure it’s another device on my network.
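Port 53 is in the YunoHost firewall list above and Pi-hole is answering DNS on the box, so the question the ISP notice is really asking is whether that resolver answers recursive queries from the internet. The notice's own check (`nslookup 168.x.x.x`) is a reverse lookup of the address; the usual self-test instead sends the server a query for a name it is not authoritative for and looks at the flags in the reply. Below is an added example of that test written as a shell script, not code from the thread or from YunoHost or Pi-hole. It assumes `dig` (package bind9-dnsutils on Debian) is installed for the live probe; the classifier only parses dig's text output, and the sample replies at the bottom are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example (not from the forum thread): test whether a DNS server answers
# recursive queries for names it is not authoritative for, i.e. whether it is an
# open resolver. Assumes dig is installed for probe_resolver; classify_dig_output
# only parses text and is exercised by the constructed samples below.

# classify_dig_output: read the output of one dig run on stdin and print one of
#   unreachable - no reply at all (port 53 not reachable from where you probed)
#   closed      - replied, but recursion not offered (REFUSED, no "ra" flag,
#                 or no answer records)
#   open        - "ra" flag set and an answer returned: open resolver
#   unknown     - text did not look like a dig reply
classify_dig_output() {
  text=$(cat)
  case "$text" in
    *"no servers could be reached"*) echo unreachable; return 0 ;;
  esac
  # dig header lines look like:
  #   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
  #   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
  status=$(printf '%s\n' "$text" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$text" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  answers=$(printf '%s\n' "$text" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  if [ -z "$status" ]; then echo unknown; return 0; fi
  if [ "$status" = REFUSED ]; then echo closed; return 0; fi
  case " $flags " in
    *" ra "*)
      if [ "$status" = NOERROR ] && [ "${answers:-0}" -gt 0 ]; then echo open; else echo closed; fi ;;
    *) echo closed ;;
  esac
}

# probe_resolver SERVER_IP [NAME]: ask SERVER_IP to resolve NAME (a name it is
# not authoritative for; example.com by default) and classify the reply.
# Run it from OUTSIDE your own network against your public address to see what
# the ISP's scanner sees; from inside the LAN "open" is exactly what Pi-hole is for.
probe_resolver() {
  dig @"$1" "${2:-example.com}" A +time=3 +tries=1 | classify_dig_output
}

# Constructed dig outputs (addresses from the TEST-NET range, not real replies).
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.		300	IN	A	192.0.2.10'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
mydomain.example.	300	IN	A	192.0.2.20'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Stand-alone run: classify the four samples (live use: probe_resolver 203.0.113.5)
for s in "$SAMPLE_OPEN" "$SAMPLE_REFUSED" "$SAMPLE_AUTH_ONLY" "$SAMPLE_TIMEOUT"; do
  printf '%s\n' "$s" | classify_dig_output
done
```

The four samples classify as open, closed, closed and unreachable. If the router really does not forward port 53 (as stated above), a probe from outside should come back "unreachable", which is the result you want; "open" from outside means the Pi-hole (or whatever sits on 53) is reachable from the internet and should be restricted to the LAN, which is what the notice's third measure asks for.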

Sounds like that log is not too much to be worried about. My ISP isn’t giving me more information about it, and they don’t bother me about it, so I guess I’ll keep on ignoring it.

So that nslcd message is not a bad omen of any sort?

After some research I think it’s not an important message, but I am not totally sure.


I also have checked logs before and don’t really know what the ISP is complaining about. I haven’t noticed anything weird so I’ll keep ignoring them until they give me more information.

Thanks for confirming my hunch.
