[thelist] subdomain or dns hijacking problem

J.C. Johnson lead at offlead.com
Thu Dec 14 20:44:33 CST 2006

Thanks Max. I wasn't entirely sure where to start on this, having run
through the extent of my existing knowledge earlier this afternoon. Yes, one
would think I could just turn this issue over to my hosting company. That's
a discussion for a whole different thread, and we were already planning on
moving to another company at the first of the year. Looks like our timeline
is being moved up.

Yes, this issue is occurring from any machine. In fact, I learned of the
problem after being contacted by a law enforcement officer in another state
yesterday. It was only when I went looking for the rogue subdomains that
were supposedly on my machine that I discovered that they are not, in fact,
on my machine.

I've now looked at the zone file for this and other domains on my server. As
far as I can tell, it's all the way it is supposed to be. I see only entries
for mail, www and ftp, and then one entry for dev and one for www.dev, dev
being the only subdomain I've actually set up myself on that domain. The IP
address listed is correct for these entries.


> -----Original Message-----
> From: Max Schwanekamp [mailto:lists at neptunewebworks.com]
> Sent: Thursday, December 14, 2006 7:43 PM
> To: lead at offlead.com; thelist at lists.evolt.org
> Subject: Re: [thelist] subdomain or dns hijacking problem
> J.C. Johnson wrote:
> > Hello knowledgeable folks. I need some help pinpointing a problem. I've got
> > a dedicated (managed) server, with a standard LAMP setup with cpanel,
> > hosting 50 or 60 sites. All the sites are under the same IP address. We've
> > just discovered a problem where someone is hijacking subdomains off of one
> > of our domains. These subdomains aren't set up through cpanel, and don't
> > show up there. We can find no signs of them on the server, and no files that
> > don't belong are present. In fact, if you trace the subdomains they come up
> > under a different IP address altogether. So where everything on our server
> > is under ww.xx.yyy.zz, these rogue subdomains are coming up under
> > aa.bbb.cc.ddd. The addresses are all with a format of www.sub.domain.com. If
> > you try to pull up sub.domain.com, it does not resolve to anything. If you
> > pull up www.sub.domain.com it goes off to a server in Korea. domain.com or
> > www.domain.com resolve to our server.
> Is this the case for other users as well, or just for your local
> machine?  I'm guessing you've tested on other computers, so it sounds
> like a compromised DNS.  Is the DNS server for the domain(s) entirely
> under your control?  When you create subdomains in cPanel, it
> auto-creates the www.sub.domain.tld entry as well as the regular
> sub.domain.tld.  So, perhaps your zone files have been modified?  The
> cPanel WHM "DNS Functions > Edit DNS Zone > [mydomain.com]" page AFAIK
> just parses the zone file and thus should be accurate, but if you want
> to be sure take a look at the zone files directly.  On redhat, you'll
> find them in /var/named with names like 'mydomain.com.db' -- on another
> OS you may find them elsewhere.
> Of course, if you find that your zone files are compromised, you likely
> have a big ol' security problem that needs to be addressed immediately.
> But really, if this is a *managed* dedicated server, you ought to just
> contact your server management provider for assistance.
> Hope this is at least slightly useful.
> --
> Max Schwanekamp
> NeptuneWebworks.com
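Max's suggestion to read the zone file directly, and J.C.'s check that only the expected hosts appear with the right address, can be scripted so the comparison is repeatable. The following is an added example, not code from the thread: it parses a constructed cPanel/BIND-style zone (all names and IPs are placeholders) and reports any A/AAAA/CNAME owner that is not in the expected host list, or any address outside the server's own range.

```python
# Added example (not from the thread): audit a cPanel/BIND zone file for
# hostnames or addresses that do not belong. Names and IPs are placeholders.
from ipaddress import ip_address, ip_network

SAMPLE_ZONE = """\
$TTL 14400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2006121401 86400 7200 3600000 86400 )
@       IN A    192.0.2.10
www     IN A    192.0.2.10
mail    IN A    192.0.2.10
ftp     IN A    192.0.2.10
dev     IN A    192.0.2.10
www.dev IN A    192.0.2.10
www.sub IN A    198.51.100.77    ; not created through cPanel: a finding
"""
EXPECTED_HOSTS = {"@", "www", "mail", "ftp", "dev", "www.dev"}
SERVER_NET = ip_network("192.0.2.0/24")    # placeholder for the server's own range

def parse_records(text):
    """Yield (owner, rtype, rdata); '( ... )' continuation lines are joined."""
    last_owner, buf, indented = "@", "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not buf:
            indented = line[0] in " \t"          # blank owner repeats the last one
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                              # record continues on next line
        fields, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if fields[0].startswith("$"):
            continue                              # $TTL/$ORIGIN carry no record
        if not indented:
            last_owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                         # optional TTL and class
        yield last_owner, fields[0].upper(), " ".join(fields[1:])

def audit_zone(text, expected=EXPECTED_HOSTS, net=SERVER_NET):
    findings = []
    for owner, rtype, rdata in parse_records(text):
        if rtype not in ("A", "AAAA", "CNAME"):
            continue
        if owner not in expected:
            findings.append(f"unexpected host {owner!r} ({rtype} {rdata})")
        elif rtype != "CNAME" and ip_address(rdata) not in net:
            findings.append(f"{owner!r} points outside the server: {rdata}")
    return findings
```

If the zone file passes this check but the name still resolves elsewhere for everyone, the records being served are not coming from this file, and the nameservers actually authoritative for the domain are the next thing to verify.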
