Thursday, July 28, 2016

FreeDNS / NameCheap DNS Servers Attacked / Hacked? Is your domain suddenly directed to 213.184.126.163?

UPDATE: Following email correspondence with the hosting provider for the IP 213.184.126.163, they have taken down the server there until further notice. At least now users won't be redirected to phishing and malware websites.

Today we were alarmed to find out that our server domains were not being resolved to their correct IP addresses but to an IP address we're not familiar with: 213.184.126.163.

The reason for this issue was that the FreeDNS servers responded with the wrong IP, 213.184.126.163, instead of our real IP. For some people, this wrong IP caused a redirect to a malware website! Please comment here if you suffer from a similar issue.

While it seems that, at least in our case, FreeDNS now responds properly, the malicious DNS entry was given a TTL (Time To Live) of 1 week. This means that if the various name servers that received the wrong IP actually obey this TTL, your website may be inaccessible for an entire week!

To check whether your domain resolves properly, you can use a service such as digwebinterface or whatsmydns to quickly see how different DNS servers worldwide resolve your domain. You can also use dig or nslookup to quickly see what a specific DNS server replies.
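The dig check described above, as an added example that is not part of the original post: it compares each resolver's A record with the address you expect and reports how much TTL a wrong record still has left in that resolver's cache. The function names and sample answer lines are constructed for illustration; the IPs and resolvers are the ones mentioned in this post.

```shell
#!/bin/sh
# Added example. EXPECTED is the colnect.com address quoted on this page;
# replace it with a comma-separated list of the IPs your own domain uses.
EXPECTED="148.251.247.10"

# check_answers EXPECTED_LIST
# Reads `dig +noall +answer` lines on stdin (name TTL class type rdata).
# Prints OK/BAD per A record; for a BAD record also prints the TTL, i.e.
# how long that resolver will keep serving the wrong address from cache.
# Returns 1 if any A record is outside EXPECTED_LIST.
check_answers() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $4 == "A" {
            if ($5 in ok) {
                printf "OK %s %s\n", $1, $5
            } else {
                printf "BAD %s %s ttl=%ds (~%dh)\n", $1, $5, $2, int($2 / 3600)
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# audit_resolvers DOMAIN RESOLVER...
# Live check (needs dig and network access), e.g.:
#   audit_resolvers colnect.com 8.8.8.8 8.8.4.4
audit_resolvers() {
    domain=$1; shift; rc=0
    for r in "$@"; do
        echo "== resolver $r"
        dig @"$r" "$domain" A +noall +answer | check_answers "$EXPECTED" || rc=1
    done
    return $rc
}

# Constructed sample answers (not captured output): a cache still holding the
# bad record with most of its one-week TTL left, and a healthy resolver.
SAMPLE_BAD='colnect.com. 603211 IN A 213.184.126.163'
SAMPLE_GOOD='colnect.com. 299 IN A 148.251.247.10'

printf '%s\n%s\n' "$SAMPLE_BAD" "$SAMPLE_GOOD" | check_answers "$EXPECTED" || :
```

A resolver that still reports BAD with a large TTL will keep answering with the wrong address until that TTL runs out, unless its operator flushes the cache.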

In a chat with NameCheap they denied being hacked; their support supervisor wrote, "I can assure you that our servers have not been hacked." Well, if not hacked, have they done this on purpose? Getting many of their domains to point to a malware site? Do you smell a lawsuit coming?

Here's a bit of info about the IP used for this hack:

IP Address: 13.14.166
City: Ness Ziona
State/Region: HaMerkaz
Country Code: IL
ISP: Net-Style Atarim Ltd

As for our own website, I've posted this message on our forum: http://colnect.com/en/forum/viewtopic!f=6&t=68917&p=192078#p192078

Dear members,

UPDATE: we have posted on our blog about this issue as well.
UPDATE2: if you're on Windows, try to also launch ipconfig /flushdns from the command prompt to ensure your computer is trying to fetch the correct DNS.
UPDATE3: we've updated more entries to the hosts file to ensure all our servers respond properly.


PLEASE SAVE THIS MESSAGE IF YOU SEE IT. If other Colnectors are having trouble please assist them.

DNS is a service that translates a domain name (such as colnect.com) to an IP address (such as 148.251.247.10, which is our main IP).
One of our DNS providers had problems on their servers. I suspect they've been hacked but are unaware of it. Thereby you may not see Colnect properly and instead get redirected somewhere else.

If this happens, here are your options:

1/ Close your browser, wait a bit and try again. If it doesn't work then go ahead and flush your DNS cache. However, if your DNS provider didn't get updated yet you may need to follow the next steps.

2/ Update your hosts file manually (explanation) by adding these two lines:

148.251.247.10 colnect.com
148.251.247.9 s.colnect.net
148.251.247.9 i.colnect.net
148.251.247.11 nif.colnect.net


If you choose this option you may want to comment out these lines later as we plan to change IP for colnect.com in the coming days as we upgrade our server.

3/ Set your DNS servers to Google's own 8.8.8.8 and 8.8.4.4 - here's a guide


We are very sorry for this trouble. While their DNS now seems to work well, the bad records showing a different IP address might still be cached on other DNS providers.
