Thursday, July 28, 2016

FreeDNS / NameCheap DNS Servers Attacked / Hacked? Is your domain suddenly directed to 213.184.126.163?

UPDATE: following email correspondence with the hosting provider for the IP 213.184.126.163, they have taken down the server there until further notice. At least now users won't be redirected to phishing and malware websites.

Today we were alarmed to find that our domains were no longer resolving to their correct IP addresses but to an address we were not familiar with: 213.184.126.163.

The cause was that the FreeDNS servers responded with the wrong IP, 213.184.126.163, instead of our real IP. For some people, this wrong IP caused a redirect to a malware website! Please comment here if you suffer from a similar issue.

While, at least in our case, FreeDNS now responds correctly, the malicious record was served with a TTL (Time To Live) of one week. Any resolver that cached the wrong IP during the incident may keep serving it for as long as that TTL allows, so your website may be unreachable for up to a week. Some resolvers cap cached TTLs at less than that, so the outage may be shorter for their users, but you cannot count on it.

To check whether your domain resolves correctly, use a service such as digwebinterface or whatsmydns to see how resolvers around the world answer for your domain. You can also use dig or nslookup to query a specific resolver directly and see what it replies, including the TTL on the record it returns.
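To make that check concrete, here is an added example (my own code, not from the original post, NameCheap or Colnect). It builds a DNS A query, parses the answer section of a response by hand using only the Python standard library, and splits the returned addresses into expected and suspicious ones together with their TTLs. The sample response is constructed to mimic a poisoned answer (the real address at a short TTL, 213.184.126.163 at a one-week TTL); it is not a captured packet. `query_resolver` is included for live use against a resolver of your choice and is not exercised offline; the function names are my own.

```python
"""Check which addresses a resolver returns for a name and flag records that
do not match the address you expect, reporting their TTL.

Added example, not code from the original post. Standard library only: the
DNS message is built and parsed by hand (RFC 1035 wire format, A records).
"""
import socket
import struct


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Wire-format query for an A record: header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), end


def parse_a_records(msg: bytes):
    """Return [(name, ip, ttl), ...] for every A record in the answer section."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return records


def check_answer(msg: bytes, expected_ips):
    """Split A records into (good, suspicious); suspicious ones keep their TTL,
    which bounds how long the resolver that answered may go on serving them."""
    good, bad = [], []
    for rec in parse_a_records(msg):
        (good if rec[1] in expected_ips else bad).append(rec)
    return good, bad


def query_resolver(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP to one resolver and return the raw response.
    Needs network access; not used by the offline sample below."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("response ID does not match the query")
    return resp


def build_response(name: str, answers, qid: int = 0x1234) -> bytes:
    """Construct a response message (only used to make the offline sample)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, 0)
    question = build_query(name, qid)[12:]
    body = b""
    for ip, ttl in answers:  # 0xC00C = pointer to the qname at offset 12
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + body


# Constructed sample (not a real capture): the real address at a short TTL and
# the rogue address pinned for one week (604800 seconds), as described above.
SAMPLE = build_response("colnect.com",
                        [("148.251.247.10", 300), ("213.184.126.163", 604800)])

if __name__ == "__main__":
    good, bad = check_answer(SAMPLE, {"148.251.247.10"})
    for name, ip, ttl in bad:
        print(f"SUSPICIOUS {name} -> {ip} (may stay cached up to {ttl // 86400} days)")
```

To test a live resolver, call `check_answer(query_resolver("8.8.8.8", "colnect.com"), {"148.251.247.10"})` with the resolver and expected address of your choice. Each resolver has its own cache, so repeat the query per resolver (or use the web services mentioned above) rather than trusting a single answer; the TTL on a suspicious record tells you roughly how long that particular resolver may keep serving it.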

In a chat with NameCheap, they denied being hacked; their support supervisor wrote: "I can assure you that our servers have not been hacked." Well, if not hacked, did they do this on purpose? Pointing many of their customers' domains at a malware site? Do you smell a lawsuit coming?

Here's a bit of info about the IP used for this hack:

IP Address: 213.184.126.163
City: Ness Ziona
State/Region: HaMerkaz
Country Code: IL
ISP: Net-Style Atarim Ltd

As for our own website, I've posted this message on our forum: http://colnect.com/en/forum/viewtopic!f=6&t=68917&p=192078#p192078

Dear members,

UPDATE: we have posted on our blog about this issue as well.
UPDATE2: if you're on Windows, also try running ipconfig /flushdns from a command prompt to make sure your computer fetches the correct DNS records.
UPDATE3: we've added more entries to the hosts file list below to ensure all our servers respond properly.


PLEASE SAVE THIS MESSAGE IF YOU SEE IT. If other Colnectors are having trouble please assist them.

DNS is the service that translates a domain name (such as colnect.com) to an IP address (such as 148.251.247.10, which is our main IP).
One of our DNS providers had problems on their servers. I suspect they were hacked but are unaware of it. As a result, you may not see Colnect properly and may instead be redirected somewhere else.

If this happens, here are your options:

1/ Close your browser, wait a bit and try again. If that doesn't work, flush your DNS cache. However, if your DNS provider hasn't been updated yet, you may need to follow the next steps.

2/ Update your hosts file manually (explanation) by adding these lines:

148.251.247.10 colnect.com
148.251.247.9 s.colnect.net
148.251.247.9 i.colnect.net
148.251.247.11 nif.colnect.net


If you choose this option, you may want to comment out these lines later, as we plan to change the IP for colnect.com in the coming days when we upgrade our server.

3/ Set your DNS servers to Google's 8.8.8.8 and 8.8.4.4 - here's a guide


We are very sorry for this trouble. While their DNS now seems to work correctly, the bad records pointing to a different IP address might still be cached at other DNS providers.
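Option 2 above, and the note about commenting the lines out again later, are easy to get wrong by hand, so here is an added example (my own code, not from the original post or from Colnect) that applies the hosts-file entries listed in the message with a marker comment, so they can be listed, re-applied without duplicating, and removed cleanly once the DNS records are fixed or the site changes IP. The marker text, function names and file paths are my own choices; the entries are the four from the message, and the sample hosts content is constructed.

```python
"""Add, list and remove temporary hosts-file overrides in a way that is easy
to undo later.

Added example, not part of the original post. Assumed paths: /etc/hosts on
Linux/macOS, C:\\Windows\\System32\\drivers\\etc\\hosts on Windows; editing
either needs administrator rights.
"""
import ipaddress

# Tag appended to every line we add, so the lines can be found and removed.
MARKER = "# colnect-dns-workaround"

# The entries from the forum message above.
OVERRIDES = [
    ("148.251.247.10", "colnect.com"),
    ("148.251.247.9", "s.colnect.net"),
    ("148.251.247.9", "i.colnect.net"),
    ("148.251.247.11", "nif.colnect.net"),
]


def _untagged(hosts_text: str):
    return [ln for ln in hosts_text.splitlines() if not ln.rstrip().endswith(MARKER)]


def add_overrides(hosts_text: str, overrides=OVERRIDES) -> str:
    """Return hosts_text with tagged override lines appended. Previously tagged
    lines are dropped first, so calling this twice does not duplicate them."""
    for ip, _host in overrides:
        ipaddress.ip_address(ip)  # fail on a typo before touching the file
    new = [f"{ip}\t{host}\t{MARKER}" for ip, host in overrides]
    return "\n".join(_untagged(hosts_text) + new) + "\n"


def remove_overrides(hosts_text: str) -> str:
    """Strip every tagged line (the clean-up step once DNS is fixed)."""
    return "\n".join(_untagged(hosts_text)) + "\n"


def active_overrides(hosts_text: str):
    """Return {hostname: ip} for the tagged lines, to confirm what is in force."""
    out = {}
    for ln in hosts_text.splitlines():
        if ln.rstrip().endswith(MARKER):
            ip, host, *_ = ln.split()
            out[host] = ip
    return out


def update_hosts_file(path: str, remove: bool = False) -> None:
    """Apply add_overrides or remove_overrides to a real file (needs admin rights)."""
    with open(path, "r", encoding="utf-8") as f:
        text = f.read()
    text = remove_overrides(text) if remove else add_overrides(text)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


# Constructed sample hosts-file content, not a real system file.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost\n"

if __name__ == "__main__":
    patched = add_overrides(SAMPLE_HOSTS)
    print(patched)
    print("in force:", active_overrides(patched))
    print(remove_overrides(patched))
```

Two caveats for anyone using this: hosts entries match exact hostnames only, so a name such as www.colnect.com is not covered by the colnect.com line and every hostname the site uses must be listed; and on Windows a DNS cache flush (ipconfig /flushdns) is still needed after the file changes.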

25 comments:

  1. Same here, they seem to have introduced bogus DNS servers on the .com level.

    The IP address 213.184.126.163, which you are referred to, is one of those DNS servers. If you query that server it will reply with multiple IP addresses. One of them is the real working one, but the majority is its own IP address. Port 80 is closed on that server now, but the DNS port is still working. Just use nslookup, type server 213.184.126.163 and then query for something like yourdomainname.com.

  2. My site, which uses NameCheap services, suffers from that DNS redirect. I see bad records on OpenDNS.

  3. This has happened to me too. The whois record for my domain pointed to incorrect name servers, which have names that seem like phishing names similar to the real nameservers, e.g. FREEDNS1.REGISTRAR-SERVERSV67EDS0Q.BIZ (the correct nameserver is FREEDNS1.REGISTRAR-SERVERS.COM). Definitely looks like some kind of malicious hacking.
    Since the incorrect info was reported in the whois record I was convinced that it was a problem with my registrar (Godaddy), but Namecheap has acknowledged the problem. They said that updating the registrar nameserver records would fix the issue.
    I can't get my head around how Namecheap may have gotten into whois records. Perhaps someone with better knowledge of how DNS works could shed some light on this?

  4. Just a correction of my horrible previous posting. This "fake" DNS server never returns the correct IP address. The attackers used multiple servers to host the malware ("Flash Update") or some scripts displaying ads; it is a distributed attack. Among the 3 hosting servers returned in our case, one was the fake DNS server itself, but it seems port 80 was closed for that machine. Same for another server hosted by Rackspace. However, some server with the IP address 88.1988.29.121 is still online.

    Those were the 4 DNS servers we found in our DNS configuration; three return correct IP addresses at the moment:
    FREEDNS1.REGISTRAR-SERVERSV67EDS0Q.BIZ -> 213.184.126.162 <- Still active 29.07.2016 3:04
    freedns4.registrar-serversjr5115ey.biz [62.210.149.102] <- OK
    freedns5.registrar-serversi65ekkdo.biz [192.99.40.34] <- OK
    freedns2.registrar-serversc86eewyj.biz [72.20.38.137] <- OK

  5. Yeah, we noticed the same issue. Quite a few domains appear to be pointed to that IP, you can check here: https://www.virustotal.com/en/ip-address/213.184.126.163/information/

  6. Same here, 8 domains were affected, but they are hosted by Inmotionhosting, so I assume their infrastructure was compromised too. They are not very much help and I assume they are trying to cover up.

    Replies
    1. I forgot to mention, Inmotion is only the registrar; they point to Namecheap and only the Namecheap NS entries were affected.

    2. It was actually a change initiated from the Namecheap FreeDNS side, they already admitted that. We also have registered our domain somewhere else.

    3. But how do they control entries that are hosted elsewhere? The entry itself is hosted at Inmotionhosting's DNS servers; how would an external party change the internal information stored in a database there? Maybe I am missing something.

  7. same issue on my domain.....

  8. UPDATE: following email correspondence with the hosting provider for the IP 213.184.126.163 they have taken down the server there till further notice. At least now users won't be redirected to phishing and malware websites.

  9. Can someone shed some light here? My ISP tells me that they did not change the NS entries, my accounts were not compromised, so how did they do it? Every ISP sets their NS servers separately, right? Is there a level where they can manipulate it in a way that all entries to a certain NS are changed?

    Inmotionhosting denies that they were compromised, so if my accounts were not compromised and their infrastructure was not compromised, how did the entries change?

    Replies
    1. NameCheap's own DNS servers (FreeDNS) returned the wrong DNS entries for some time. These entries, leading to a malware website instead of your domain, had a TTL of 1 week. Now they are still cached on some servers across the web even though (I hope) FreeDNS have fixed the problem in all of their domains.
      I suggest you use nslookup or any of the links I've included above to check your DNS propagation across the web.

    2. Yes, but the physical entry in the database hosted somewhere else, how can that be changed externally? I don't get it.

  10. User X asks for domain example.com, so his nameserver (NS), at his ISP or wherever, checks if it already has it in the cache. If it doesn't, it checks with the registrar who the authoritative nameserver for this domain is. It then asks it for the domain info and caches it. As the authoritative NS (FreeDNS) was poisoned with a bad entry for some time containing a 1 week TTL, user X's NS may hold the poisoned entry in its cache for a week.
    Hope it's clear now.

  11. I understand the background process; I don't get the frontend problem. There is a textbox where I can enter and change the NS entry that is stored externally in my ISP's database. How did that one change to point to another DNS server? Even if the authoritative NS was poisoned, it has no control over what is entered on the ISP side; that is what I don't understand. When I discovered the problem, the NS entries at ISP level were changed to FREEDNS1.REGISTRAR-SERVERSV67EDS0Q.BIZ.

    What I don't understand is, how can the authoritative NS access any external entry that is stored and maintained on a different server at a different company?

  12. This isn't what happened in our case. We kept having their correct servers listed all along, such as FREEDNS1.REGISTRAR-SERVERS.COM.

    For this to change at your registrar (NOT ISP, unless your ISP is your domain registrar), either someone broke into your account or your registrar has been hacked.

    There might have been some other process at work, as NameCheap kept claiming problems in an "upstream provider" of theirs. Perhaps someone managed to create a request to change their NS domains... Don't know.

  13. Ok, that makes sense. Yes, in my case the actual entry at provider level was changed.

    Trying to get my provider to send me the access logs for my control panels; they have proprietary control panels for setting DNS. 2 days and they kind of refuse, which leads me to believe that they are trying to cover up.

  14. This also affected several of my domains. My registrar and NameCheap control panel had not been compromised, so the issue has to be that NameCheap FreeDNS was hacked.

  15. Isn't there something that the site can do? Or a fix that is easy enough that a caveman can do it? This is ridiculous!!!

  16. Perhaps this video will explain how to change one's hosts file - https://www.youtube.com/watch?v=wH25txgXlas

    Best mode of action if refreshing the browser doesn't work is to call your ISP (Internet Service Provider - the company you pay for Internet) and explain to them they should update their DNS cache or help you set Google DNS.

  17. So are there plans for the site to fix all of this? It seems ridiculous for the layman to try and go through this laborious process. It needs to be so easy that a caveman can do it!

  18. We've setup a temporary domain colnect.in/en - see http://blog.colnect.com/2016/08/dns-problems-setting-up-temporary.html

