[thelist] subdomain or dns hijacking problem
Max Schwanekamp
lists at neptunewebworks.com
Thu Dec 14 19:42:36 CST 2006
J.C. Johnson wrote:
> Hello knowledgeable folks. I need some help pinpointing a problem. I've got
> a dedicated (managed) server, with a standard LAMP setup with cpanel,
> hosting 50 or 60 sites. All the sites are under the same IP address. We've
> just discovered a problem where someone is hijacking subdomains off of one
> of our domains. These subdomains aren't set up through cpanel, and don't
> show up there. We can find no signs of them on the server, and no files that
> don't belong are present. In fact, if you trace the subdomains they come up
> under a different IP address altogether. So where everything on our server
> is under ww.xx.yyy.zz, these rogue subdomains are coming up under
> aa.bbb.cc.ddd. The addresses are all with a format of www.sub.domain.com. If
> you try to pull up sub.domain.com, it does not resolve to anything. If you
> pull up www.sub.domain.com it goes off to a server in Korea. domain.com or
> www.domain.com resolve to our server.
Is this the case for other users as well, or just for your local
machine? I'm guessing you've tested on other computers, so it sounds
like a compromised DNS. Is the DNS server for the domain(s) entirely
under your control? When you create subdomains in cPanel, it
auto-creates the www.sub.domain.tld entry as well as the regular
sub.domain.tld. So, perhaps your zone files have been modified? The
cPanel WHM "DNS Functions > Edit DNS Zone > [mydomain.com]" page AFAIK
just parses the zone file and thus should be accurate, but if you want
to be sure take a look at the zone files directly. On redhat, you'll
find them in /var/named with names like 'mydomain.com.db' -- on another
OS you may find them elsewhere.
Of course, if you find that your zone files are compromised, you likely
have a big ol' security problem that needs to be addressed immediately.
But really, if this is a *managed* dedicated server, you ought to just
contact your server management provider for assistance.
Hope this is at least slightly useful.
--
Max Schwanekamp
NeptuneWebworks.com
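As an added example (not code from the original post, and not cPanel's own tooling) of what "take a look at the zone files directly" can look like in practice: a small Python audit that parses a BIND-style zone, flags A records pointing somewhere other than the box's own IP, wildcard owners and CNAMEs leaving the zone, and does a simplified wildcard lookup. The zone text, host names and IP addresses in SAMPLE_ZONE are constructed; the `*.sub` wildcard it contains is one hypothetical way to get the reported symptom (www.sub.domain.com answers with a foreign address while sub.domain.com itself returns nothing), not a claim about what happened on the poster's server. The parser assumes the common syntax only (one record per line, parenthesised SOA, `$ORIGIN`/`$TTL`, class IN).

```python
"""Audit a BIND-style zone file for records that send a name off-server.

Added example for this thread, not from the original post or from cPanel.
SAMPLE_ZONE and SERVER_IPS are constructed sample data.
"""
from ipaddress import ip_address

# Constructed sample zone (not a real zone). The last two records are the
# kind of entry that would make www.sub.domain.com resolve to a foreign host.
SAMPLE_ZONE = """\
$TTL 14400
$ORIGIN domain.com.
@       IN  SOA ns1.domain.com. hostmaster.domain.com. (
            2006121401 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
        IN  NS  ns1.domain.com.
        IN  NS  ns2.domain.com.
        IN  A   192.0.2.10
www     IN  A   192.0.2.10
mail    IN  A   192.0.2.10
ftp     IN  CNAME   domain.com.
*.sub   IN  A   198.51.100.77     ; hypothetical rogue wildcard
www.sub.domain.com. 300 IN A 198.51.100.77
"""

# Constructed: the address(es) the hosting box itself answers on.
SERVER_IPS = {"192.0.2.10"}


def _qualify(name, origin):
    """Turn a relative owner name into an absolute one under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return "%s.%s" % (name, origin)


def parse_zone(text, default_origin=None):
    """Return [(fqdn, ttl, rtype, rdata)] with owner names fully qualified."""
    origin, last_owner, buf, records = default_origin, None, "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        buf = buf + " " + line.strip() if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # still inside a parenthesised record (e.g. SOA)
        logical, buf = buf, ""
        tokens = logical.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue  # $TTL and other directives are not records
        owner = last_owner if logical[0].isspace() else tokens.pop(0)
        if owner is None:
            continue  # blank owner with nothing to inherit from
        ttl = None
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        if tokens and tokens[0].isdigit():  # "IN 300 A" ordering is also legal
            ttl = int(tokens.pop(0))
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        records.append((_qualify(owner, origin), ttl, rtype, " ".join(tokens)))
        last_owner = owner
    return records


def lookup(records, name, rtype="A"):
    """Exact match first, then walk up looking for a wildcard (simplified RFC 1034)."""
    hits = [r[3] for r in records if r[0] == name and r[2] == rtype]
    if hits:
        return hits
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:]) + "."
        hits = [r[3] for r in records if r[0] == "*." + parent and r[2] == rtype]
        if hits:
            return hits
        if any(r[0] == parent for r in records):
            break  # closest existing ancestor has no wildcard: no match
    return []


def audit_zone(text, server_ips, default_origin=None):
    """Flag records that would send traffic somewhere other than server_ips."""
    records = parse_zone(text, default_origin)
    apex = next((r[0] for r in records if r[2] == "SOA"), None)
    findings = []
    for fqdn, _ttl, rtype, rdata in records:
        if rtype == "A":
            try:
                ip = str(ip_address(rdata))
            except ValueError:
                findings.append((fqdn, rtype, rdata, "malformed A record"))
                continue
            if ip not in server_ips:
                findings.append((fqdn, rtype, rdata, "A record points off-server"))
        elif rtype == "CNAME" and apex and rdata != apex and not rdata.endswith("." + apex):
            findings.append((fqdn, rtype, rdata, "CNAME points outside the zone"))
        if fqdn.startswith("*."):
            findings.append((fqdn, rtype, rdata, "wildcard record"))
    return findings


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for finding in audit_zone(SAMPLE_ZONE, SERVER_IPS):
        print("%-24s %-6s %-16s %s" % finding)
    print("sub.domain.com.     ->", lookup(recs, "sub.domain.com."))
    print("www.sub.domain.com. ->", lookup(recs, "www.sub.domain.com."))
```

Run it against the real file (`/var/named/mydomain.com.db` on the Red Hat layout mentioned above) by reading the file into `audit_zone` with the server's own IP in `SERVER_IPS`; compare the output with what WHM's zone editor shows and with an authoritative query from a machine outside your network, since an off-server answer that the zone file does not explain points at the nameserver or the resolver path rather than the file.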