[thelist] subdomain or dns hijacking problem

J.C. Johnson lead at offlead.com
Thu Dec 14 18:40:56 CST 2006

Hello knowledgeable folks. I need some help pinpointing a problem. I've got
a dedicated (managed) server, with a standard LAMP setup with cpanel,
hosting 50 or 60 sites. All the sites are under the same IP address. We've
just discovered a problem where someone is hijacking subdomains off of one
of our domains. These subdomains aren't set up through cpanel, and don't
show up there. We can find no signs of them on the server, and no files that
don't belong are present. In fact, if you trace the subdomains they come up
under a different IP address altogether. So where everything on our server
is under ww.xx.yyy.zz, these rogue subdomains are coming up under
aa.bbb.cc.ddd. The addresses are all with a format of www.sub.domain.com. If
you try to pull up sub.domain.com, it does not resolve to anything. If you
pull up www.sub.domain.com it goes off to a server in Korea. domain.com or
www.domain.com resolve to our server. 

If someone can help me determine how this is being accomplished, and how to
stop it, I would be very grateful. 
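Added worked example, not part of the original post or of any reply in the thread. The symptom described (www.sub.domain.com answers from a foreign IP, sub.domain.com answers nothing, and cPanel shows no such subdomain) is produced by DNS data, not by anything in the web root, so the place to look is whichever zone is authoritative for domain.com. The script below walks a zone the way an authoritative server does (zone cut first, then exact owner, then wildcard) and reports what is answering for a name. The two zones are constructed samples in BIND syntax; RFC 5737 documentation addresses stand in for ww.xx.yyy.zz and aa.bbb.cc.ddd, and ns1.example.net is a made-up nameserver.

```python
import re

# Constructed example zone for domain.com in BIND syntax, not the poster's real zone.
# RFC 5737 documentation addresses stand in for the server (ww.xx.yyy.zz) and the
# Korean host (aa.bbb.cc.ddd). The last record is the kind of entry that produces
# the symptom: it answers for www.sub.domain.com and for nothing else.
ZONE_EXPLICIT_RECORD = """\
$ORIGIN domain.com.
$TTL 3600
@        IN SOA ns1.domain.com. hostmaster.domain.com. ( 2006121401 7200 3600 1209600 3600 )
@        IN NS  ns1.domain.com.
@        IN A   192.0.2.10
www      IN A   192.0.2.10
ns1      IN A   192.0.2.10
www.sub  IN A   198.51.100.77   ; never created through cPanel
"""

# Same symptom, different mechanism: the whole sub label is delegated to servers you
# do not control (ns1.example.net is a constructed name).
ZONE_DELEGATION = """\
$ORIGIN domain.com.
@        IN NS  ns1.domain.com.
@        IN A   192.0.2.10
www      IN A   192.0.2.10
sub      IN NS  ns1.example.net.
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME|NS)\s+(\S+)", re.I)


def _fqdn(name, origin):
    """Absolute lower-case name without trailing dot; '@' and relative names use origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, type, rdata)]); SOA, $TTL and comments are skipped."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = RR_RE.match(line)
        if m and origin:
            owner, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3)
            if rtype in ("CNAME", "NS"):
                rdata = _fqdn(rdata, origin)
            records.append((_fqdn(owner, origin), rtype, rdata))
    return origin, records


def ancestors(name, origin):
    """Parent names of `name`, nearest first, up to and including the zone origin."""
    labels = name.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return parents[: parents.index(origin) + 1] if origin in parents else []


def explain(zone_text, qname):
    """Which record answers an A lookup for qname? Same order an authoritative
    server uses: zone cut, then exact owner, then wildcard at the closest encloser."""
    origin, records = parse_zone(zone_text)
    qname = qname.lower().rstrip(".")
    if qname != origin and not qname.endswith("." + origin):
        raise ValueError(f"{qname} is not inside the {origin} zone")
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))

    def rrs(owner, *types):
        return [r for t, r in by_owner.get(owner, []) if t in types]

    # 1. NS records at qname or any ancestor below the apex: other servers are
    #    authoritative for that subtree, so this zone is not where the answer lives.
    for name in [qname] + ancestors(qname, origin):
        if name != origin and rrs(name, "NS"):
            return {"qname": qname, "how": "delegation", "owner": name, "targets": rrs(name, "NS")}
    # 2. An explicit record at exactly this name.
    if rrs(qname, "CNAME"):
        return {"qname": qname, "how": "cname", "owner": qname, "targets": rrs(qname, "CNAME")}
    if rrs(qname, "A", "AAAA"):
        return {"qname": qname, "how": "explicit", "owner": qname, "targets": rrs(qname, "A", "AAAA")}
    # 3. Empty non-terminal: sub.domain.com exists as soon as www.sub.domain.com has a
    #    record, but has no data of its own, which is why it appears not to resolve.
    existing = set()
    for owner in by_owner:
        existing.update([owner] + ancestors(owner, origin))
    if qname in existing:
        return {"qname": qname, "how": "nodata", "owner": qname, "targets": []}
    # 4. Wildcard, which only applies at the closest existing enclosing name (RFC 4592).
    wild = "*." + next(a for a in ancestors(qname, origin) if a in existing)
    if rrs(wild, "A", "AAAA", "CNAME"):
        return {"qname": qname, "how": "wildcard", "owner": wild, "targets": rrs(wild, "A", "AAAA", "CNAME")}
    return {"qname": qname, "how": "nxdomain", "owner": None, "targets": []}
```

On the first zone, explain() reports "explicit" for www.sub.domain.com (an A record that was added directly to the zone) and "nodata" for sub.domain.com, which is exactly the pattern in the post; on the second it reports "delegation" for both, meaning the records live on someone else's nameserver. To find out which case applies to the real domain, run `dig +trace www.sub.domain.com` and `dig NS domain.com` and check whether the authoritative servers in the answer are the ones you expect: if they are yours, the rogue record or NS delegation is in the zone file served by the box (cPanel only lists what it created, so read the raw zone data rather than the control panel), and the question becomes who could write to it; if they are not yours, the zone was changed at the registrar or DNS provider and that account is the one to lock down.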


