toreonify's notes

Stuff happens - 02

One day I was searching for Linux-based workstations in Active Directory, and I found this: burlybank.domain.local. Huh?

(screenshot: ad-list)

A DNS lookup on this name returned an address, and opening it showed a printer web UI. But at the same time AD listed it as a computer joined to the domain.

(screenshot: ad-description)

I found out that this computer had been joined by one of the technicians. So I wrote to them about it, and they didn't know how this had happened. They guessed that someone had experimented with Linux and it was a test machine.

Still, no one knew who typed this weird name or when it was generated.

Later, same year

Before publishing an updated ISO of ALT Linux with local patches and fixes, I always test it manually in a VM. On one of the attempts I pressed Next to proceed to the network configuration step of the installer and voila! A randomly generated name appeared on screen. Gotcha!

After a while I found the script that assigns the hostname after the first install stage completes.

# 1. Remove all digits from beginning [RFC-952], relaxed in [RFC-1123, 2.1]
# 2. Remove all non-alphanumeric characters from hostname
#    (base64 generates [:alnum:],[+/=], only [:alnum:][-.] allowed)
# 3. Convert everything to lowercase.
PATTERN='s/^[0-9]*//g; s|[^[:alnum:]]||g; s/.*/\L&/g'

# $hostname was derived earlier from the CPU model and MAC address;
# it is replaced only when it is longer than 13 characters.
if [ ${#hostname} -gt 13 ]; then
   if command -v pwqgen >/dev/null; then
       # passwdqc's generator with 28 bits of entropy, then sanitized by PATTERN
       hostname=$(pwqgen random=28 | sed -e "$PATTERN")
   else
       # fallback: random bytes, base64, sanitized, truncated to 13 characters
       hostname=$(head -c 32 /dev/urandom | base64 | sed -e "$PATTERN" | cut -c1-13)
   fi
fi
# write the result into the installer config and systemd's hostname file
subst "s/HOSTNAME=localhost.localdomain/HOSTNAME=$hostname/" "$CONFIG"
echo "$hostname" > "$CONFIG_SYSTEMD"

As you can see, it uses the OpenWall password generator and strips unwanted characters. It only runs when the name generated from the CPU model and MAC address is longer than 13 characters and pwqgen is available.
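To see exactly what that pipeline produces on edge inputs, here is a Python reimplementation of the same three sed steps, the /dev/urandom fallback branch, and an RFC 1123 label check. This is an added example, not the installer's code; the function names and the sample bytes are my own, and it also shows that running step 1 before step 2 lets a digit through when the base64 output starts with '+' or '/'.

```python
import base64
import re

# Reimplementation of the installer's sed pipeline:
#   s/^[0-9]*//g; s|[^[:alnum:]]||g; s/.*/\L&/g
# Same three steps, same order, so it reproduces the script's behaviour.
def sanitize_as_installer(raw: str) -> str:
    name = re.sub(r"^[0-9]*", "", raw)         # 1. strip leading digits
    name = re.sub(r"[^0-9A-Za-z]", "", name)   # 2. drop non-alphanumerics
    return name.lower()                        # 3. lowercase

# Because step 1 runs before step 2, a base64 string such as '+3abc' keeps
# its digit in front once the '+' is gone. Swapping the two steps closes that.
def sanitize_reordered(raw: str) -> str:
    name = re.sub(r"[^0-9A-Za-z]", "", raw)
    name = re.sub(r"^[0-9]*", "", name)
    return name.lower()

# The /dev/urandom fallback branch: base64, sanitize, cut to 13 characters.
# random_bytes stands in for `head -c 32 /dev/urandom` so the run is repeatable.
def generate_fallback(random_bytes: bytes, maxlen: int = 13) -> str:
    encoded = base64.b64encode(random_bytes).decode("ascii")
    return sanitize_as_installer(encoded)[:maxlen]

# RFC 1123 host label: 1-63 chars of letters, digits and '-', not starting or
# ending with '-'. Handy when auditing directory entries for odd names.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def is_valid_label(label: str) -> bool:
    return LABEL_RE.match(label) is not None

if __name__ == "__main__":
    for sample in ("burlybank", "+3abc", "12Burly-Bank9"):
        print(sample, "->", sanitize_as_installer(sample), sanitize_reordered(sample))
    # constructed bytes: base64 gives '+/8=', which the pipeline turns into '8'
    print(generate_fallback(b"\xfb\xff"))
```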

My guess is that they installed the system while the network was unavailable, so the installer couldn't generate the default name host-XXX, where XXX is the last octet of the IPv4 address. After that they connected it to the network and joined it to the domain as is. Later, DHCP reassigned that address to a network printer, because the computer was never turned on again.

Phew, at first I thought it was hackers... glad it was that simple.
