On 2017-06-17, Maurice McCarthy <[email protected]> wrote:
> On 17/06/17 09:27, Stuart Henderson wrote:
>> On 2017-06-16, Maurice McCarthy <[email protected]> wrote:
>> > Ooops! ... Well, I moved the .Xauthority file aside and restarted X to
>> > create a new one. Obviously it has one line with my hostname in it. But 
>> >
>> > $ xauth list
>> > fresh.yem/unix:0  MIT-MAGIC-COOKIE-1  ... 
>> > advancedsearch.virginmedia.com:0  MIT-MAGIC-COOKIE-1 ... 
>> >
>> > And only now did I notice that the magic cookie is identical for both
>> > entries. This mystifies me. (BTW apparently Virgin has historically used
>> > a bit of DNS hijacking so I bunged this line into /etc/hosts before
>> > restarting X.
>> >
>> > 127.0.0.1  advancedsearch.virginmedia.com )
>> 
>> It'll be because of your hosts entry. Try xauth -n list instead.
>> 
>> 
>
> Ahhhh, I see. The hosts entry says that advancedsearch.virginmedia.com
> is an alias for the local host.
>
> $ xauth -n list
> fresh.yem/unix:0  MIT-MAGIC-COOKIE-1  ... 
> 81.200.64.50:0  MIT-MAGIC-COOKIE-1  ...
>
> So this tells me why I'm getting this list now. But that hosts entry was
> only made _after I'd found virginmedia in the xauth list. 

Hmm - I was expecting maybe 127.0.0.1 in there - it looks like
81.200.64.50 really is the address of advancedsearch.virginmedia.com.
I don't know the full details of how X figures out which hosts to add
there but I think one or other of these is involved:

1. looks like your local hostname is "fresh.yem", attempting to resolve
that from VM DNS will hit their NXDOMAIN hijacking and return either
81.200.64.50 or a CNAME to advancedsearch.virginmedia.com or similar.

2. maybe something has done a reverse lookup for 127.0.0.1 and got
advancedsearch.virginmedia.com from the hosts file, then done a forward
lookup for advancedsearch.virginmedia.com and added access to the IP
address resolved for it.

Adding to /etc/hosts for things which you want to "block" is fairly
common practice but I've never been a huge fan. For this case where
you're just working around the ISP resolver hijacking NXDOMAIN
responses I'd usually take the workaround of running my own local
recursive DNS server (e.g. unbound) and use that instead of the
ISP's.

Going back to the original question, I don't think it's an intrusion,
just due to less-than-ideal things with the DNS setup.

Also note that X doesn't normally listen to TCP anyway any more, this
was changed around 2015. You would need to use the -listen flag, as
well as remove the default firewall rules that block 6000:6010.
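The two things the thread worked out by hand (both `xauth list` entries carry the same cookie, and the odd hostname is only a /etc/hosts alias for loopback) can be checked mechanically. This is an added example, not code from the thread; the `xauth list` output, the hosts file and the cookie values below are constructed placeholders in the same shape as the ones quoted above.

```python
"""Parse `xauth list` output and report entries that share a cookie or whose
host name is an alias in /etc/hosts (added example; sample data constructed)."""
from collections import defaultdict

# Constructed sample in the shape of the thread's `xauth list` output.
# The cookie is a placeholder, not a real value.
XAUTH_LIST = """\
fresh.yem/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
advancedsearch.virginmedia.com:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
"""

# Constructed /etc/hosts with the line the original poster added.
HOSTS = """\
127.0.0.1  localhost
127.0.0.1  advancedsearch.virginmedia.com
"""

def parse_xauth(text):
    """Each line is '<host>[/unix]:<display>  <protocol>  <cookie>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        display, proto, cookie = line.split()
        host, _, number = display.rpartition(":")
        family = "unix" if host.endswith("/unix") else "inet"
        if family == "unix":
            host = host[:-len("/unix")]
        entries.append({"host": host, "display": int(number),
                        "proto": proto, "cookie": cookie, "family": family})
    return entries

def parse_hosts(text):
    """Map every name in a hosts file to the address on its line."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name] = fields[0]
    return names

def shared_cookies(entries):
    """Cookies used by more than one display, with the displays that use them."""
    by_cookie = defaultdict(list)
    for e in entries:
        by_cookie[e["cookie"]].append(f"{e['host']}:{e['display']}")
    return {c: d for c, d in by_cookie.items() if len(d) > 1}

def hosts_aliases(entries, hosts):
    """xauth hosts that are really /etc/hosts aliases, with the address they map to."""
    return {e["host"]: hosts[e["host"]] for e in entries if e["host"] in hosts}
```

Running `shared_cookies` and `hosts_aliases` over real `xauth list` output and your own /etc/hosts reproduces the two observations above without having to eyeball the cookies.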

