The results of pi-hole are scary part II


#1

Hello there,

Again, my Pi-hole results scare me.

I closed all ports from the internet on my internet box,
and I see this on Pi-hole:

11fc5df8.openresolverproject.org
xe-0.telnetscanproject.org.dllstx09.us.bb.gin.ntt.net

I really don't understand how I can get IPs like this on my home network.

It's incredible!

Can someone please explain what that means?

Thanks


#2

Port 53 open to the world?


#3

Please send us the token generated by

pihole -d

or do it through the Web interface:


#4

Check also if port 23 (Telnet) is open.


#5

Hello, this is the debug:

This process collects information from your Pi-hole, and optionally uploads it to a unique and random directory on tricorder.pi-hole.net.

The intent of this script is to allow users to self-diagnose their installations.  This is accomplished by running tests against our software and providing the user with links to FAQ articles when a problem is detected.  Since we are a small team and Pi-hole has been growing steadily, it is our hope that this will help us spend more time on development.

NOTE: All log files auto-delete after 48 hours and ONLY the Pi-hole developers can access your data via the given token. We have taken these extra steps to secure your data and will work to further reduce any personal information gathered.

*** [ INITIALIZING ]
[i] 2018-03-26:16:40:14 debug log has been initialized.

*** [ INITIALIZING ] Sourcing setup variables
[i] Sourcing /etc/pihole/setupVars.conf...

*** [ DIAGNOSING ]: Core version
[✓] Core: 
[i] Branch: master
[i] Commit: 80c3b93-dirty

*** [ DIAGNOSING ]: Web version

*** [ DIAGNOSING ]: FTL version
[✓] FTL: vDev- (https://discourse.pi-hole.net/t/how-do-i-update-pi-hole/249)

*** [ DIAGNOSING ]: dnsmasq version
[i] 2.72

*** [ DIAGNOSING ]: lighttpd version
[i] opt

*** [ DIAGNOSING ]: php version
[i] 5.6.33

*** [ DIAGNOSING ]: Operating system
[✓] Raspbian GNU/Linux 8 (jessie)

*** [ DIAGNOSING ]: SELinux
[i] SELinux not detected

*** [ DIAGNOSING ]: Processor

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
   192.168.50.50/24 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)

[✓] IPv6 address(es) bound to the eth0 interface:
   fe80::cf5d:8e0a:3135:4cd0 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)

   ^ Please note that you may have more than one IP address listed.
   As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for concern.

   The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check for it.

[i] Default IPv4 gateway: 192.168.50.254
   * Pinging 192.168.50.254...
[✓] Gateway responded.

*** [ DIAGNOSING ]: Ports in use
[] is in use by 
[11333] is in use by rspamd
[143] is in use by dovecot
[143] is in use by systemd
[] is in use by 
[] is in use by 
[22] is in use by sshd
[25] is in use by master
[3306] is in use by mysqld
[389] is in use by slapd
[4190] is in use by dovecot
[443] is in use by nginx
[465] is in use by master
[5222] is in use by lua5.1
[5269] is in use by lua5.1
[53] is in use by dnsmasq
[587] is in use by master
[80] is in use by lighttpd
[993] is in use by dovecot
[993] is in use by systemd
[9981] is in use by tvheadend
[9982] is in use by tvheadend
[11334] is in use by rspamd
[5290] is in use by lua5.1
[5582] is in use by lua5.1
[61209] is in use by glances
[6379] is in use by redis-ser
[6787] is in use by yunohost-

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] beta.adyea.com is 127.0.0.1 via localhost (127.0.0.1)
[✓] beta.adyea.com is 127.0.0.1 via Pi-hole (127.0.0.1)
[✓] doubleclick.com is 172.217.19.238 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Pi-hole processes
[✓] dnsmasq daemon is active
[✗] lighttpd daemon is unknown
[✓] pihole-FTL daemon is active

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=eth0
    IPV4_ADDRESS=127.0.0.1
    IPV6_ADDRESS=
    PIHOLE_DNS_1=
    PIHOLE_DNS_2=
    QUERY_LOGGING=true
    INSTALL_WEB=true

*** [ DIAGNOSING ]: Dashboard and block page
[✗] X-Header does not match or could not be retrieved.
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 26 Mar 2018 16:40:35 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://localhost/yunohost/admin

[✗] X-Header does not match or could not be retrieved.
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 26 Mar 2018 16:40:35 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://localhost/yunohost/admin


*** [ DIAGNOSING ]: Gravity list
-rw-r--r-- 1 root root 3983636 Mar 25 02:00 /etc/pihole/gravity.list
   -----head of gravity.list------
   127.0.0.1 0.0.0.0
   127.0.0.1 0000mps.webpreview.dsl.net
   127.0.0.1 0001.2waky.com
   127.0.0.1 000dom.revenuedirect.com

   -----tail of gravity.list------
   127.0.0.1 zzsyw.com
   127.0.0.1 zztxdown.com
   127.0.0.1 zzz.clickbank.net
   127.0.0.1 zz.zeroredirect1.com

*** [ DIAGNOSING ]: contents of /etc/pihole

-rw-r--r-- 1 root root 633 Mar 24 23:07 /etc/pihole/adlists.list
   https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
   https://mirror1.malwaredomains.com/files/justdomains
   http://sysctl.org/cameleon/hosts
   https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
   https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
   https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
   https://hosts-file.net/ad_servers.txt

-rw-r--r-- 1 root root 37 Mar 25 02:00 /etc/pihole/local.list
   127.0.0.1 domaine.fr
   127.0.0.1 pi.hole

-rw-r--r-- 1 root root 206 Mar 24 23:03 /etc/pihole/logrotate
   /var/log/pihole.log {
   	daily
   	copytruncate
   	rotate 5
   	compress
   	delaycompress
   	notifempty
   	nomail
   }
   /var/log/pihole-FTL.log {
   	weekly
   	copytruncate
   	rotate 3
   	compress
   	delaycompress
   	notifempty
   	nomail
   }

-rw-r--r-- 1 root root 117 Mar 24 23:07 /etc/pihole/whitelist.txt
   raw.githubusercontent.com
   mirror1.malwaredomains.com
   sysctl.org
   zeustracker.abuse.ch
   s3.amazonaws.com
   hosts-file.net

*** [ DIAGNOSING ]: contents of /etc/dnsmasq.d

-rw-r--r-- 1 root root 1514 Mar 24 23:34 /etc/dnsmasq.d/01-pihole.conf
   addn-hosts=/etc/pihole/gravity.list
   addn-hosts=/etc/pihole/black.list
   addn-hosts=/etc/pihole/local.list
   domain-needed
   localise-queries
   bogus-priv
   server=
   server=
   interface=eth0
   cache-size=10000
   log-queries
   log-facility=/var/log/pihole.log
   local-ttl=2
   log-async

*** [ DIAGNOSING ]: contents of /etc/lighttpd
/etc/lighttpd does not exist.

*** [ DIAGNOSING ]: contents of /etc/cron.d

-rw-r--r-- 1 root root 1500 Mar 24 23:07 /etc/cron.d/pihole
   59 1    * * 7   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity
   00 00   * * *   root    PATH="$PATH:/usr/local/bin/" pihole flush once quiet
   @reboot root /usr/sbin/logrotate /etc/pihole/logrotate

*** [ DIAGNOSING ]: contents of /var/log/lighttpd
/var/log/lighttpd does not exist.

*** [ DIAGNOSING ]: contents of /var/log

-rw-r--r-- 1 pihole pihole 157476 Mar 26 16:35 /var/log/pihole-FTL.log
   [2018-03-26 00:00:05.544] Gravity list entries: 122287
   [2018-03-26 00:00:05.545] No blacklist present
   [2018-03-26 00:00:05.545] No wildcard blocking list present
   [2018-03-26 00:00:05.545] Reading from /var/log/pihole.log.1 (rw-r--r--)
   [2018-03-26 00:00:05.545] Notice: Increasing queries struct size from 0 to 10000 (320.39 KB)
   [2018-03-26 00:00:05.545] Notice: Increasing overTime struct size from 0 to 100 (324.39 KB)
   [2018-03-26 00:00:05.545] Notice: Increasing forwarded struct size from 0 to 4 (324.47 KB)
   [2018-03-26 00:00:05.586] New forward server: 80.67.169.12 ns0.fdn.org (0/4)
   [2018-03-26 00:00:05.587] Notice: Increasing domains struct size from 0 to 1000 (344.49 KB)
   [2018-03-26 00:00:05.587] Notice: Increasing clients struct size from 0 to 10 (344.68 KB)
   [2018-03-26 00:00:05.587] New client: 127.0.0.1 localhost (0/10)
   [2018-03-26 00:00:05.652] New forward server: 80.67.169.40 ns1.fdn.org (1/4)
   [2018-03-26 00:00:05.656] New client: 192.168.50.49 (1/10)
   [2018-03-26 00:00:05.661] New client: 192.168.50.51 (2/10)
   [2018-03-26 00:00:05.663] New client: 74.82.47.50 scan-09l.shadowserver.org (3/10)
   [2018-03-26 00:00:05.673] New client: 192.168.50.47 (4/10)
   [2018-03-26 00:00:05.679] New client: 129.250.206.86 xe-0.telnetscanproject.org.dllstx09.us.bb.gin.ntt.net (5/10)
   [2018-03-26 00:00:05.689] New client: 192.168.50.52 (6/10)
   [2018-03-26 00:00:05.708] New client: 192.168.50.56 (7/10)
   [2018-03-26 00:00:05.851] New client: 192.168.50.12 (8/10)
   [2018-03-26 00:00:06.351] Notice: Increasing queries struct size from 10000 to 20000 (686.82 KB)
   [2018-03-26 00:00:06.700] Notice: Increasing domains struct size from 1000 to 2000 (711.68 KB)
   [2018-03-26 00:00:06.785] New client: 192.168.50.43 (9/10)
   [2018-03-26 00:00:06.812] Notice: Increasing clients struct size from 10 to 20 (713.35 KB)
   [2018-03-26 00:00:07.074] Notice: Increasing queries struct size from 20000 to 30000 (1.04 MB)

*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 dnsmasq root 1797796505 Mar 26 16:40 /var/log/pihole.log
   -----head of pihole.log------
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 12.169.67.80.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: forwarded 12.169.67.80.in-addr.arpa to 80.67.169.12
   Mar 26 00:00:05 dnsmasq[751]: forwarded 12.169.67.80.in-addr.arpa to 80.67.169.40
   Mar 26 00:00:05 dnsmasq[751]: reply 80.67.169.12 is ns0.fdn.org
   Mar 26 00:00:05 dnsmasq[751]: reply 80.67.169.12 is ns0.fdn.fr
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 40.169.67.80.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: forwarded 40.169.67.80.in-addr.arpa to 80.67.169.12
   Mar 26 00:00:05 dnsmasq[751]: reply 80.67.169.40 is ns1.fdn.org
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 49.50.168.192.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: config 192.168.50.49 is NXDOMAIN
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 51.50.168.192.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: config 192.168.50.51 is NXDOMAIN
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 47.50.168.192.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: config 192.168.50.47 is NXDOMAIN
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 52.50.168.192.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: config 192.168.50.52 is NXDOMAIN
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 56.50.168.192.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: config 192.168.50.56 is NXDOMAIN
   Mar 26 00:00:05 dnsmasq[751]: query[PTR] 12.50.168.192.in-addr.arpa from 127.0.0.1
   Mar 26 00:00:05 dnsmasq[751]: config 192.168.50.12 is NXDOMAIN

And I block all ports from my internet box:

I do some IP scans:
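The FTL log in the debug output above lists public Internet addresses (scan-09l.shadowserver.org, xe-0.telnetscanproject.org...) among the Pi-hole's clients, which is what "port 53 open to the world" looks like from the resolver's side: only LAN, loopback and link-local addresses should ever appear there. The script below is an added example, not part of this thread or of the Pi-hole project. It reads lines in the two formats shown above (pihole-FTL.log "New client:" lines and dnsmasq "query[...] ... from <ip>" lines), uses Python's ipaddress module to separate LAN addresses from public ones, and reports every non-LAN client together with how many queries it sent. The regular expressions are derived from the log lines on this page; the sample lines marked "constructed" are made up for the test and are not from the original debug output.

```python
"""Flag DNS clients outside the home LAN in Pi-hole logs (added example).

A resolver that answers queries arriving from public Internet addresses is
an open resolver. Both log formats handled here are the ones visible in the
pihole -d output above; regexes are derived from those lines.
"""
import ipaddress
import re

# pihole-FTL.log: "[timestamp] New client: <ip> [<hostname>] (<n>/<m>)"
FTL_CLIENT_RE = re.compile(r"New client: (\S+)(?: (\S+))? \(\d+/\d+\)")
# pihole.log (dnsmasq): "... query[<type>] <name> from <ip>"
DNSMASQ_QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (\S+) from (\S+)$")

# Constructed sample input: the first six lines are copied from the debug
# output in this thread, the last two are made up to give the external
# client some queries to count.
SAMPLE_LOG_LINES = [
    "[2018-03-26 00:00:05.587] New client: 127.0.0.1 localhost (0/10)",
    "[2018-03-26 00:00:05.656] New client: 192.168.50.49 (1/10)",
    "[2018-03-26 00:00:05.663] New client: 74.82.47.50 scan-09l.shadowserver.org (3/10)",
    "[2018-03-26 00:00:05.679] New client: 129.250.206.86 "
    "xe-0.telnetscanproject.org.dllstx09.us.bb.gin.ntt.net (5/10)",
    "Mar 26 00:00:05 dnsmasq[751]: query[PTR] 49.50.168.192.in-addr.arpa from 127.0.0.1",
    "Mar 26 00:00:05 dnsmasq[751]: query[A] example.com from 192.168.50.49",
    "Mar 26 00:00:06 dnsmasq[751]: query[A] example.com from 74.82.47.50",    # constructed
    "Mar 26 00:00:06 dnsmasq[751]: query[TXT] example.com from 74.82.47.50",  # constructed
]


def is_local(ip_text):
    """True for addresses expected on a home LAN: RFC 1918, loopback, link-local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Not an IP literal at all (e.g. a hostname): treat as not-LAN so it is reported.
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def external_clients(lines):
    """Return {ip: (hostname_or_None, query_count)} for every non-LAN client.

    Client discovery lines from pihole-FTL.log contribute the hostname (when
    FTL resolved one); dnsmasq query lines from pihole.log contribute counts.
    """
    seen = {}
    for raw in lines:
        line = raw.rstrip()
        m = FTL_CLIENT_RE.search(line)
        if m:
            ip, host = m.group(1), m.group(2)
            if not is_local(ip):
                entry = seen.setdefault(ip, [None, 0])
                if host:
                    entry[0] = host
            continue
        m = DNSMASQ_QUERY_RE.search(line)
        if m:
            ip = m.group(2)
            if not is_local(ip):
                entry = seen.setdefault(ip, [None, 0])
                entry[1] += 1
    return {ip: tuple(v) for ip, v in seen.items()}


def looks_like_open_resolver(lines):
    """True when at least one client outside the LAN reached the resolver."""
    return bool(external_clients(lines))


if __name__ == "__main__":
    # Example run over the constructed sample; for a real check feed it
    # open("/var/log/pihole-FTL.log") and open("/var/log/pihole.log").
    report = external_clients(SAMPLE_LOG_LINES)
    for ip, (host, count) in sorted(report.items()):
        print(f"{ip:16} {host or '-':55} queries={count}")
    if looks_like_open_resolver(SAMPLE_LOG_LINES):
        print("non-LAN clients seen: check port forwarding for 53/udp and 53/tcp on the router")
```

On the output shown in this thread the script reports 74.82.47.50 and 129.250.206.86 and stays silent about the 192.168.50.0/24 and 127.0.0.1 clients; note that a router that has truly closed port 53 will stop new external clients from appearing, but entries already counted by FTL remain in the log until it rotates, so re-run it on fresh log lines after changing the router configuration.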



#6

Can you try a pihole -r > Repair?


#7

I did that:

root@domaine:~# pihole -r

  [✓] Root user check

        .;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
                 .. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
          ....''',,,,,,,'.......
        .........  ....  .........
        ..........      ..........
        ..........      ..........
        .........  ....  .........
          ........,,,,,,,'......
            ....',,,,,,,,,,,,.
               .',,,,,,,,,'.
                .',,,,,,'.
                  ..'''.

  [i] Repair option selected
  [✓] Disk space check

  [✓] Update local cache of available packages

  [✓] Checking apt-get for upgraded packages... up to date!

  [i] Installer Dependency checks...
  [✓] Checking for apt-utils
  [✓] Checking for dialog
  [✓] Checking for debconf
  [✓] Checking for dhcpcd5
  [✓] Checking for git
  [✓] Checking for iproute2
  [✓] Checking for whiptail

  [i] Performing reconfiguration, skipping download of local repos
  [✓] Resetting repository within /etc/.pihole...
  Unable to reset /var/www/html/admin, exiting installer

#8
sudo rm -rf /var/www/html/admin
sudo git clone https://github.com/pi-hole/AdminLTE.git /var/www/html/admin