The status of security.ubuntu.com and its IPs - were they hacked or out of sync?

A question on AskUbuntu shed light on strange behaviour of the security.ubuntu.com hostname or its mirrors.

The output of apt-get update contained lines like

Err:1 Index of /ubuntu xenial-updates/main amd64 libavahi-common-data amd64 0.6.32~rc+dfsg-1ubuntu2.2
404 Not Found [IP: 91.189.88.161 80]

What I can see is that this IP is owned by Canonical, but it currently shows the Apache welcome page:

and does not have a /ubuntu folder with the pool.

According to the BGP HE report, the other mirrors have these IPs:

  • 91.189.88.149
  • 91.189.88.162
  • 91.189.91.26
  • 91.189.88.161
  • 91.189.88.152
  • 91.189.91.23

and nslookup says the same:

$ nslookup security.ubuntu.com
Server:       127.0.1.1
Address:  127.0.1.1#53

Non-authoritative answer:
Name: security.ubuntu.com
Address: 91.189.88.161
Name: security.ubuntu.com
Address: 91.189.88.162
Name: security.ubuntu.com
Address: 91.189.91.23
Name: security.ubuntu.com
Address: 91.189.91.26
Name: security.ubuntu.com
Address: 91.189.88.149
Name: security.ubuntu.com
Address: 91.189.88.152

But only two IPs have the /ubuntu folder:

  • 91.189.91.26
  • 91.189.91.23

Is this normal behaviour, or were you hacked?

I have no idea, honestly. Probably Canonical upgrading things.

It happened today with another AskUbuntu user and the IP 91.189.88.152. http://91.189.88.152/ubuntu returns 404.

But this host is part of the archive.ubuntu.com domain name:

$ nslookup archive.ubuntu.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	archive.ubuntu.com
Address: 91.189.88.162
Name:	archive.ubuntu.com
Address: 91.189.91.23
Name:	archive.ubuntu.com
Address: 91.189.88.149
Name:	archive.ubuntu.com
Address: 91.189.88.152
Name:	archive.ubuntu.com
Address: 91.189.88.161

Please fix your mirror architecture.

It’s perfectly normal for a server to show different content (a test page) when visited by IP only compared to when visited by a hostname. The server may be configured to only return the contents of the /ubuntu folder when accessed by the hostname.

This is easily shown.

Temporarily change your /etc/hosts:

alan@KinkPad-K450:~$ grep security /etc/hosts
91.189.88.161   security.ubuntu.com

Visit the URL security.ubuntu.com/ubuntu - you will see:

However, the best place to report issues, should you believe there to be one, is the #canonical-sysadmin IRC channel on Freenode. That’s seen by the right people. Alternatively, contact the security team directly at #ubuntu-hardened on Freenode IRC.

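The behaviour Alan describes is name-based virtual hosting: the web server picks which site to serve from the HTTP Host header, so a bare IP gets the default vhost (the test page) while the hostname gets the mirror tree. The script below is an added example, not code from this thread or from Canonical's mirrors. It runs a throwaway local server that mimics that setup and a probe() function that sends a raw request with an explicit Host header, which is the same check as editing /etc/hosts but without touching the resolver. The hostname binding, port, and page bodies are constructed for the demo; pointing probe() at a real mirror IP with the real hostname is the same call.

```python
"""Added example (not from the Discourse thread): a local demonstration of
name-based virtual hosting. The toy server answers with an Apache-style
welcome page for requests whose Host header does not name the mirror, and
serves /ubuntu/ only when the Host header is the assumed mirror hostname."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MIRROR_NAME = "security.ubuntu.com"  # vhost the mirror content is bound to (assumed)
WELCOME = b"<html><body>Apache2 Default Page: It works</body></html>"   # constructed
POOL_INDEX = b"<html><body>Index of /ubuntu: dists/ pool/</body></html>"  # constructed


class VHostHandler(BaseHTTPRequestHandler):
    """Serve the mirror tree only when the Host header matches MIRROR_NAME."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        if host == MIRROR_NAME and self.path.startswith("/ubuntu"):
            body, status = POOL_INDEX, 200
        elif host == MIRROR_NAME:
            body, status = b"Not Found", 404
        elif self.path == "/":
            body, status = WELCOME, 200      # default vhost: the test page seen by IP
        else:
            body, status = b"Not Found", 404  # default vhost has no /ubuntu at all
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind a free port on localhost and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, path, host_header=None, timeout=5.0):
    """Send one raw HTTP/1.1 GET to ip:port; return (status, body text).

    host_header=None mimics typing the bare IP into a browser: the Host
    header then carries the IP, so the server's default vhost answers.
    """
    host_value = host_header or ip
    request = (f"GET {path} HTTP/1.1\r\nHost: {host_value}\r\n"
               f"Connection: close\r\n\r\n").encode()
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])  # "HTTP/1.0 200 OK" -> 200
    return status, body.decode(errors="replace").strip()


def compare_by_ip_and_by_name(ip, port, hostname):
    """Status codes a client sees for /ubuntu/ by bare IP vs. by hostname."""
    by_ip, _ = probe(ip, port, "/ubuntu/")
    by_name, _ = probe(ip, port, "/ubuntu/", host_header=hostname)
    return by_ip, by_name


if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    print("bare IP, /         :", probe(ip, port, "/"))
    print("bare IP, /ubuntu/  :", probe(ip, port, "/ubuntu/"))
    print("by name, /ubuntu/  :", probe(ip, port, "/ubuntu/", host_header=MIRROR_NAME))
    srv.shutdown()
```

Against the local server, the bare IP gets the welcome page at / and a 404 at /ubuntu/, while the same IP with the mirror hostname in Host gets the pool index. That is exactly the pattern the original post reports, and it is a configuration choice on the mirror rather than evidence of a compromise; a hijacked host would be expected to answer the hostname wrongly, not just the IP.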