Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Get rid of a subdomain?
This is a strange one, and I'm hoping that someone here can help.

I help a nonprofit writer's group with their website. Last year, someone hacked the server where it was hosted and replaced most of our pages with keyword-laden spam pages. Exactly why I'm not sure, but perhaps as a way of inflating their rank in the SEs.

After this security problem, we changed hosts, and all seems to be fine at the new one. However, the person listed in the WHOIS records got home one night to find an agitated phone message from someone who had been to our site and had it attempt to install some kind of malware, and been redirected to a subdomain:

[annulment.kindlingwords.org]

He unfortunately left no number to call back, so we can't question him as to what happened. I suspect that the malware was already on his machine, and that IT directed him to the "annulment" subdomain. The page itself is garbage, but it does have links in the right column to actual sites, though cheesy ones.

We have since had several people with different types of computers check our site, and no one has had any problems. Our webmaster also checked the content of the site. There are no files there that shouldn't be.

Here is our site, if you want to check it out yourself:

[www.kindlingwords.org]

I believe that that "annulment" page may be related to the hacking last year and is on the server of the former web host. There may well be others, with different keywords as the subdomain.

We've contacted the former host, and they say they can't find it! So, what is going on? How can a subdomain of our site be in a location other than our site's current location? Wouldn't someone have to get that into the DNS system? Is there a way to trace back to where this page is actually located so it can be deleted? Has anyone had any similar experiences?

Thanks for any help or ideas.
December 21, 2007 05:16PM
GegaBit
Posts:3311
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Hi Harold,
Sorry, I'm on my way out right now and don't have the time to write a full description, but I would do 2 things immediately:

1- From your DOS command prompt, type
ping domain.com
and ping subdomain.domain.com

and see if both resolve to the same IP

2- Have the new host do a complete check on your current files for virus and trojan horses

It is very possible that your guys copied the trouble pages along in the move to the new host; removing all and uploading one file at a time from backup would solve that.

sorry, gotta run.
December 21, 2007 05:32PM
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Thanks, GB. I did the pinging, and got two quite different numbers. I plugged them in at arin.net and two different hosts came up, but they seemed to be companies in control of large blocks of IP addresses. How do you find out who controls a specific IP?

Re the way the files were copied over and checked, or not: I think we did all those things already but will check with the person who actually works with the files.



Edited 1 time(s). Last edit at 12/21/2007 06:35PM by Harold.
December 21, 2007 06:19PM
GegaBit
Posts:3311
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Ok, I'm back.

>and got two quite different numbers

There's your problem.
The IP of the subdomain is hosted somewhere else; you need to check with the DNS owner of the subdomain IP (most probably your old hosting co?) and ask them to remove their DNS record for the subdomain.
December 21, 2007 07:53PM
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Aha.

Yes, I think that must be at the old host.

"remove their DNS record for the subdomain."

Magic words.
December 21, 2007 08:17PM
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
GB,

Is there any way for us to figure out if there are any other rogue subdomains out there, maybe even on another server?

What worries me is that this spammer might have other pages, squirreled away elsewhere, with our name on them.
December 21, 2007 08:37PM
GegaBit
Posts:3311
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
I see many subdomains:
[www.google.com]
meteos
thirty
gnostics
benzodiazepines
speakeasy
authers
afp
....

on IP 209.160.32.195

they should all be gone once the old hosting co removes all old records.
December 21, 2007 08:57PM
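To run GegaBit's ping comparison over a whole list of labels at once (the ones Google turned up above, plus any others you know of), here is an added Python script that is not part of this thread. It flags every subdomain whose address differs from the apex/www address and groups the stray names by the host they point at, so you know which provider to ask for record removal. The domain example.org, the new-host address 198.51.100.10 and the SAMPLE_RECORDS table are constructed stand-ins for real DNS answers; 209.160.32.195 is the old-host address quoted in the thread.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver takes a hostname and returns its IPv4 address, or None if it does not resolve.
Resolver = Callable[[str], Optional[str]]

def system_resolver(name: str) -> Optional[str]:
    """Ask the OS resolver, which is exactly what 'ping' does before it sends anything."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def find_stray_subdomains(apex: str, labels: Iterable[str],
                          resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {fqdn: ip} for each subdomain that resolves to an address other than the
    one(s) the apex and www host use, i.e. a record pointing at a host you no longer
    control. Labels that do not resolve at all are skipped."""
    expected = {ip for ip in (resolve(apex), resolve("www." + apex)) if ip}
    stray: Dict[str, str] = {}
    for label in labels:
        fqdn = f"{label}.{apex}"
        ip = resolve(fqdn)
        if ip is not None and ip not in expected:
            stray[fqdn] = ip
    return stray

def group_by_ip(stray: Dict[str, str]) -> Dict[str, List[str]]:
    """Group stray names by the address they point at: one list per host to contact."""
    groups: Dict[str, List[str]] = {}
    for fqdn, ip in stray.items():
        groups.setdefault(ip, []).append(fqdn)
    return {ip: sorted(names) for ip, names in groups.items()}

# Constructed sample records standing in for real DNS answers (hypothetical domain and
# new-host address; 209.160.32.195 is the old-host address quoted in the thread).
SAMPLE_RECORDS = {
    "example.org": "198.51.100.10",
    "www.example.org": "198.51.100.10",
    "blog.example.org": "198.51.100.10",
    "annulment.example.org": "209.160.32.195",
    "meteos.example.org": "209.160.32.195",
}

def sample_resolver(name: str) -> Optional[str]:
    """Offline resolver over the constructed table; swap in system_resolver for live lookups."""
    return SAMPLE_RECORDS.get(name)
```

Call `find_stray_subdomains("yourdomain.org", labels)` with the default resolver to query live DNS; any label that resolves to an address other than your current host's is a record to have removed.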
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Wow, what a load of crap!

allinurl it most certainly is.

Thank you. This is very useful information and I hope this thread will be a resource for others. Not that I hope others will have this experience. I just think it's likely that someone will at some point.



Edited 1 time(s). Last edit at 12/21/2007 09:12PM by Harold.
December 21, 2007 09:08PM
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
I wonder how common this subdomain hijacking is, and how it's done?

Anyone know of any resources, or what I would search on at Google?
December 22, 2007 05:37AM
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Interesting. I did a search on "subdomain hijacking" and up came a few forum discussions about situations much like ours. In one of them, someone posted a link to this article on Wikipedia:

[en.wikipedia.org]

I don't understand all of it, but I think I understand enough of it to confirm that this problem is caused by a security flaw at the hosting company, or even at the DNS level, not by something we did.
December 22, 2007 05:44AM
GegaBit
Posts:3311
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
The safest thing to do is to separate your DNS from your registrar and from your hosting.

i.e.
Register your domain with one company

buy DNS services from a company that does just that

host your site with a third company

or at the very least:

Register your domain and use the registrar's DNS
Host with another company

Problems spring from having the hosting company take care of all 3 tasks; eggs in one basket.

Another problem is doing the above with cheap hosts, major trouble amplified.
December 22, 2007 11:10AM
Harold
Posts:2494
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
I didn't realize that hosting and DNS services could be separated like that.

We DID register the domain separately, but AFAIK the hosting and DNS are with the same company.

Will look into that. Would you agree that that Wikipedia article describes the situation?
December 22, 2007 02:09PM
GegaBit
Posts:3311
Senior member
Member since: 2006-11-30
Subject: Re: Get rid of a subdomain?
Sorry, I am not sure that this is the way they did it, it could be, but I'm no DNS expert.

It's OK having the DNS through the registrar, just as long as not everything is under the control of one company.
December 22, 2007 03:02PM