Comments on Colnect, Connecting Collectors: FreeDNS / NameCheap DNS Servers Attacked / Hacked? Are your domains suddenly directed to 213.184.126.163?
(25 comments, newest first; feed updated 2024-03-27)

Amir, 2016-08-02 07:42 (+01:00)
We've set up a temporary domain colnect.in/en - see http://blog.colnect.com/2016/08/dns-problems-setting-up-temporary.html

Anonymous, 2016-08-01 23:23 (+01:00)
So are there plans for the site to fix all of this? It seems ridiculous for the layman to try and go through this laborious process. It needs to be so easy that a caveman can do it!

Amir, 2016-08-01 23:05 (+01:00)
Perhaps this video will explain how to change one's hosts file - https://www.youtube.com/watch?v=wH25txgXlas

Best mode of action if refreshing the browser doesn't work is to call your ISP (Internet Service Provider - the company you pay for Internet) and explain to them that they should update their DNS cache or help you set Google DNS.

Anonymous, 2016-08-01 22:58 (+01:00)
Isn't there something that the site can do? Or a fix that is easy enough that a caveman can do it? This is ridiculous!!!

Anonymous, 2016-08-01 17:51 (+01:00)
This also affected several of my domains. My registrar and NameCheap control panel had not been compromised, so the issue has to be that NameCheap FreeDNS was hacked.

KOSTAS THE G®EEK, 2016-07-30 05:47 (+01:00)
Ok, that makes sense, yes, in my case the actual entry at provider level was changed.

I'm trying to get my provider to send me the access logs for my control panels (they have proprietary control panels for setting DNS). Two days and they kind of refuse, which leads me to believe that they are trying to cover up.

Amir, 2016-07-30 05:19 (+01:00)
This isn't what happened in our case. We kept having their correct servers listed all along, such as FREEDNS1.REGISTRAR-SERVERS.COM

For this to change at your registrar (NOT ISP, unless your ISP is your domain registrar), either someone broke into your account or your registrar has been hacked.

There might have been some other process at work, as NameCheap kept claiming problems in an "upstream provider" of theirs. Perhaps someone managed to create a request to change their NS domains... Don't know.

KOSTAS THE G®EEK, 2016-07-30 05:09 (+01:00)
I understand the background process, I don't get the frontend problem. There is a textbox where I can enter and change the NS entry that is stored externally in my ISP's database; how did that one change to point to another DNS server? Even if the authoritative NS was poisoned, it has no control over what is entered on the ISP side. That is what I don't understand: when I discovered the problem, the NS entries at ISP level were changed to FREEDNS1.REGISTRAR-SERVERSV67EDS0Q.BIZ.

What I don't understand is, how can the authoritative NS access any external entry that is stored and maintained on a different server with a different company?

Amir, 2016-07-30 05:04 (+01:00)
User X asks for domain example.com, so his nameserver (NS), on his ISP or wherever, checks if it already has it in the cache. If it doesn't, it checks with the registrar who's the authoritative nameserver for this domain. It then asks for the domain info and caches it. As the authoritative NS (FreeDNS) was poisoned with a bad entry for some time containing a 1 week TTL, user A's NS may hold the poisoned entry in its cache for a week.
Hope it's clear now.

KOSTAS THE G®EEK, 2016-07-30 04:54 (+01:00)
Yes, but the physical entry in the database hosted somewhere else, how can that be changed externally? I don't get it.

Amir, 2016-07-30 04:28 (+01:00)
NameCheap's own DNS servers (FreeDNS) returned the wrong DNS entries for some time. These entries, leading to a malware website instead of your domain, had a TTL of 1 week. Now they are still cached on some servers across the web even though (I hope) FreeDNS have fixed the problem in all of their domains.
I suggest you use nslookup or any of the links I've included above to check your DNS propagation across the web.

KOSTAS THE G®EEK, 2016-07-30 04:07 (+01:00)
But how do they control entries that are hosted elsewhere? The entry itself is hosted at Inmotionhosting's DNS servers; how would an external party change the internal information stored in a database there? Maybe I am missing something.

KOSTAS THE G®EEK, 2016-07-30 04:05 (+01:00)
Can someone shed some light here? My ISP tells me that they did not change the NS entries, my accounts were not compromised, so how did they do it? Every ISP sets his NS servers separately, right? Is there a level where they can manipulate it in a way that all entries to a certain NS are changed?

Inmotionhosting denies that they were compromised, so, if my accounts were not compromised and their infrastructure was not compromised, how did the entries change?

starssuckz, 2016-07-29 16:09 (+01:00)
It was actually a change initiated from the Namecheap FreeDNS side; they already admitted that. We have also registered our domain somewhere else.

Amir, 2016-07-29 11:10 (+01:00)
UPDATE: following email correspondence with the hosting provider for the IP 213.184.126.163, they have taken down the server there till further notice. At least now users won't be redirected to phishing and malware websites.

KOSTAS THE G®EEK, 2016-07-29 08:37 (+01:00)
I forgot to mention, Inmotion is only the registrar; they point to Namecheap and only the Namecheap NS entries were affected.

Anonymous, 2016-07-29 08:24 (+01:00)
Same issue on my domain.....

KOSTAS THE G®EEK, 2016-07-29 07:48 (+01:00)
Same here, 8 domains were affected, but they are hosted by Inmotionhosting, so I assume their infrastructure was compromised too. They are not very much help and I assume they are trying to cover up.

Anonymous, 2016-07-29 06:43 (+01:00)
I use Namecheap and have the same issue.

Anonymous, 2016-07-29 06:42 (+01:00)
I am having the same issue.. :-(

Anonymous, 2016-07-29 03:49 (+01:00)
Yeah, we noticed the same issue. Quite a few domains appear to be pointed to that IP; you can check here: https://www.virustotal.com/en/ip-address/213.184.126.163/information/

starssuckz, 2016-07-29 02:39 (+01:00)
Just a correction of my horrible previous posting. This "fake" DNS server never returns the correct IP address. The attackers used multiple servers to host the malware ("Flash Update") or some scripts displaying ads; it is a distributed attack. Among those, in our case, 3 hosting servers were returned; one was the fake DNS server itself, but it seems port 80 was closed for that machine. Same for another server hosted by Rackspace. However, some server with the IP address 88.1988.29.121 is still online.

Those were the 4 DNS servers we found in our DNS configuration; three return correct IP addresses at the moment:
FREEDNS1.REGISTRAR-SERVERSV67EDS0Q.BIZ -> 213.184.126.162 <- Still active 29.07.2016 3:04
freedns4.registrar-serversjr5115ey.biz [62.210.149.102] <- OK
freedns5.registrar-serversi65ekkdo.biz [192.99.40.34] <- OK
freedns2.registrar-serversc86eewyj.biz [72.20.38.137] <- OK

Anonymous, 2016-07-28 20:06 (+01:00)
This has happened to me too. The whois record for my domain pointed to incorrect name servers, which have names that seem like phishing names similar to the real nameservers, e.g. FREEDNS1.REGISTRAR-SERVERSV67EDS0Q.BIZ (the correct nameserver is FREEDNS1.REGISTRAR-SERVERS.COM). Definitely looks like some kind of malicious hacking.
Since the incorrect info was reported in the whois record, I was convinced that it was a problem with my registrar (Godaddy), but Namecheap has acknowledged the problem. They said that updating the registrar nameserver records would fix the issue.
I can't get my head around how Namecheap may have gotten into whois records. Perhaps someone with better knowledge of how DNS works could shed some light on this?

Anonymous, 2016-07-28 19:00 (+01:00)
My site, which uses NameCheap services, suffers from that DNS redirect. I see bad records on OpenDNS.

starssuckz, 2016-07-28 18:57 (+01:00)
Same here, they seem to have introduced bogus DNS servers on the .com level.

The IP address 213.184.126.163, which you are referred to, is one of those DNS servers. If you query that server it will reply with multiple IP addresses. One of them is the real working one, but the majority is its own IP address. Port 80 is closed on that server now, but the DNS port is still working. Just use nslookup, type server 213.184.126.163 and then query for something like yourdomainname.com.