subdomain or dns hijacking problem

Max Schwanekamp
Thu Dec 14 19:42:36 CST 2006

J.C. Johnson wrote:
> Hello knowledgeable folks. I need some help pinpointing a problem. I've got
> a dedicated (managed) server, with a standard LAMP setup with cpanel,
> hosting 50 or 60 sites. All the sites are under the same IP address. We've
> just discovered a problem where someone is hijacking subdomains off of one
> of our domains. These subdomains aren't set up through cpanel, and don't
> show up there. We can find no signs of them on the server, and no files that
> don't belong are present. In fact, if you trace the subdomains they come up
> under a different IP address altogether. So where everything on our server
> is under ww.xx.yyy.zz, these rogue subdomains are coming up under
> aa.bbb.cc.ddd. The addresses are all with a format of www.sub.domain.com. If
> you try to pull up sub.domain.com, it does not resolve to anything. If you
> pull up www.sub.domain.com it goes off to a server in Korea. domain.com or
> www.domain.com resolve to our server. 

Is this the case for other users as well, or just for your local 
machine?  I'm guessing you've tested on other computers, so it sounds 
like a compromised DNS.  Is the DNS server for the domain(s) entirely 
under your control?  When you create subdomains in cPanel, it 
auto-creates the www.sub.domain.tld entry as well as the regular 
sub.domain.tld.  So, perhaps your zone files have been modified?  The 
cPanel WHM "DNS Functions > Edit DNS Zone > [mydomain.com]" page AFAIK 
just parses the zone file and thus should be accurate, but if you want 
to be sure take a look at the zone files directly.  On redhat, you'll 
find them in /var/named with names like 'mydomain.com.db' -- on another 
OS you may find them elsewhere.

Of course, if you find that your zone files are compromised, you likely 
have a big ol' security problem that needs to be addressed immediately.

But really, if this is a *managed* dedicated server, you ought to just 
contact your server management provider for assistance.

Hope this is at least slightly useful.

Max Schwanekamp
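The zone-file check Max suggests above, as an added example that is not part of the original thread: a small POSIX shell/awk audit that reads a BIND-style zone file (the format cPanel writes under /var/named) and flags three things a rogue www.sub.domain.tld could come from. It reports any A record whose address is not the server's own, any NS record on a name other than the apex (a delegation hands the whole sub.domain.tld subtree to someone else's nameservers, which can then define www.sub), and any wildcard owner (a `*.sub` wildcard matches www.sub.domain.tld but, per RFC 4592, not sub.domain.tld itself, which fits the "sub does not resolve, www.sub does" symptom). The zone text, the origin `example.com`, the address `192.0.2.10` and the nameserver names are all constructed placeholders; `audit_zone` and `audit_sample` are names introduced here, not cPanel or BIND tooling.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Audits a BIND-style zone file for records that can point a subdomain
# away from the hosting server. Assumes records carry an explicit IN
# class (as cPanel-written zones do). All names and IPs are placeholders.
set -eu

# Constructed sample zone (hypothetical). In practice:
#   audit_zone mydomain.com ww.xx.yyy.zz < /var/named/mydomain.com.db
SAMPLE_ZONE='$TTL 14400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2006121401 86400 7200 3600000 86400 )
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.
@       IN A    192.0.2.10
www     IN A    192.0.2.10
mail    IN A    192.0.2.10
blog    IN A    192.0.2.10
www.blog IN A   192.0.2.10
*.shop  IN A    198.51.100.7
sub     IN NS   ns1.other-host.example.
'

# audit_zone ORIGIN EXPECTED_IP < zonefile
# Prints one finding per line: "<kind> <fqdn> <rdata...>".
#   foreign-A   an A record not pointing at EXPECTED_IP
#   delegation  an NS record below the apex (subtree served elsewhere)
#   wildcard    an owner starting with "*" (matches names that do not exist)
audit_zone() {
    origin=$1
    expected=$2
    awk -v origin="$origin" -v expected="$expected" '
        { sub(/;.*/, "") }              # drop comments
        /^[ \t]*$/ { next }             # skip blank lines
        /^\$/ { next }                  # skip $TTL / $ORIGIN directives
        {
            # A line starting with whitespace continues the previous owner.
            if ($0 ~ /^[ \t]/) owner = last
            else { owner = $1; last = $1 }

            # Record type is the field after the IN class (TTL may precede IN).
            type = ""; rdata = ""
            for (i = 1; i < NF; i++)
                if ($i == "IN") { type = $(i + 1); rdata = $(i + 2); break }
            if (type == "") next        # SOA continuation or unparseable line

            if (owner == "@") fqdn = origin
            else if (owner ~ /\.$/) fqdn = substr(owner, 1, length(owner) - 1)
            else fqdn = owner "." origin

            if (type == "A" && rdata != expected)
                print "foreign-A " fqdn " " rdata
            if (type == "NS" && owner != "@")
                print "delegation " fqdn " " rdata
            if (owner ~ /^\*/)
                print "wildcard " fqdn " " type " " rdata
        }'
}

# Convenience wrapper: audit the constructed sample zone.
audit_sample() {
    printf '%s' "$SAMPLE_ZONE" | audit_zone example.com 192.0.2.10
}

# Run stand-alone: prints the findings for the sample zone.
audit_sample
```

The zone file only tells you what your own nameserver would answer. To see what the rest of the world gets, compare the authoritative and public views, e.g. `dig +short www.sub.domain.tld @ns1.yourserver.tld` against `dig +short www.sub.domain.tld @8.8.8.8`; if the file is clean but the public answer still lands on the foreign address, the records are being served from nameservers you do not control (a registrar-side NS change or a delegation), not from this box.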

