Some question on AskUbuntu light shed on strange behavior about security.ubuntu.com hostname or mirrors.
The output of apt-get update
contained lines like
Err:1 Index of /ubuntu xenial-updates/main amd64 libavahi-common-data amd64 0.6.32~rc+dfsg-1ubuntu2.2
404 Not Found [IP: 91.189.88.161 80]
What I can see that this IP is owned by Canonical , but currently is shows Apache Welcome page:
and do not have /ubuntu folder with pool.
According to BGP HE report other mirrors have IPs:
91.189.88.149
91.189.88.162
91.189.91.26
91.189.88.161
91.189.88.152
91.189.91.23
and nslookup
says the same:
$ nslookup security.ubuntu.com
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
Name: security.ubuntu.com
Address: 91.189.88.161
Name: security.ubuntu.com
Address: 91.189.88.162
Name: security.ubuntu.com
Address: 91.189.91.23
Name: security.ubuntu.com
Address: 91.189.91.26
Name: security.ubuntu.com
Address: 91.189.88.149
Name: security.ubuntu.com
Address: 91.189.88.152
But only two IPs have /ubuntu folder:
91.189.91.26
91.189.91.23
Is it normal behavior or you were hacked?
I have no idea, honestly. Probably Canonical upgrading things.
Happened today with other AskUbunt user and 91.189.88.152 IP. The http://91.189.88.152/ubuntu returns 404.
But this host is a part of archive.ubuntu.com
domainname:
$ nslookup archive.ubuntu.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: archive.ubuntu.com
Address: 91.189.88.162
Name: archive.ubuntu.com
Address: 91.189.91.23
Name: archive.ubuntu.com
Address: 91.189.88.149
Name: archive.ubuntu.com
Address: 91.189.88.152
Name: archive.ubuntu.com
Address: 91.189.88.161
Please fix your mirror architecture.
popey
April 15, 2019, 7:55pm
4
It’s perfectly normal for a server to show different content (a test page) when visited by IP only compared to when visited by a hostname. The server may only be configured to only return the contents of the /ubuntu folder when accessed by the hostname.
This is easily shown.
Temporarily change your /etc/hosts
alan@KinkPad-K450:~$ grep security /etc/hosts
91.189.88.161 security.ubuntu.com
Visit the url security.ubuntu.com/ubuntu - you will see:-
However, the best place to report issues, should you believe there to be one, is in #canonical-sysadmin irc channel on freenode. That’s seen by the right people. Alternatively contact the security team directly at #ubuntu-hardened on freenode irc.
2 Likes