Kidnapped! domain

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 24.04.3
Usermin version: 2.400
Virtualmin version: 7.40.0
Theme version: 25.01
Nginx version: 1.24.0
Package updates: All installed packages are up to date

A bit strange this one.

This VM does not get much attention (my fault), but I was prompted by the domain owner to look.

Everything appears to be up to date, so nothing to do with Webmin/Virtualmin updates.

Neither I nor the domain owner has any idea how long this has been happening.

I have checked the DNS (external NS) and they appear correct.
I can go into the VM and select the primary domain from the list.

I can disable PHP (it was a PHP site).

The Chrome browser (even after a cache clear, and even using a VPS) still shows the hijacked site (displaying the domain for sale by Sedo!).

I cannot see where it is acquiring traffic. The IP points to Germany when the true IP is in London.

The Sedo site (the replacement) is only HTTP, yet the true site is HTTPS with a brand new certificate.

I have put in a dummy index.html, and using “Preview Website” it shows my dummy file.

Further examination with “DNS Lookup - Check All DNS Records for Any Domain” shows lots of TXT records, invalid MX, etc. (none of the actual DNS records are listed).

I am at a loss where else to look :puzzle_piece:

Is it the same worldwide?

Can I suggest that you verify the domain ownership and put 2FA on it, so at least if you control the domain then it will not go anywhere.

How many name servers are defined?

Also, if a domain’s invoice/bill is not paid, then some companies will put these placeholders up.

Domain ownership was what I was trying to do.

I am having problems with 2FA on another VM at the moment (that’s a different question), so short term that will not solve it.

5 at Linode, all correct.
The NS displayed by that DNS checker site are wrong (hijacked).

Bills are paid by the owner and up to date at the US provider; I have confirmed this. The provider also has NS pointing to Linode.

This will establish the DNS request chain visually for you.

A favourite for me.

Once you have access to the DNS chain, install DNSSEC.


Interesting - now to sit back and try to interpret it.

OK, I took the nuclear option (it was quicker) :collision:

  • delete VPS
  • create VPS
  • reload from backup

Everything looks OK, happy domain owner :laughing: Sedo :-1:


You could always compare the 2 backups and see where the hack was, as the entry vector might still be there.
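One way to do that comparison, added here as an example and not code from this thread or from Virtualmin: hash every regular file in the day-one backup and in the latest one, report what was added, removed or changed, and rank web-facing files (PHP, .htaccess, cron, SSH keys) first. It assumes both backups have been extracted to plain directories; the two trees that demo() builds are constructed samples, not real backups.

```python
"""Compare a known-clean backup tree with a later one to find where a compromise landed.

Added example for this thread, not code from the forum or from Virtualmin.
Assumes both backups have been extracted to directories on the same machine;
the two trees built by demo() are constructed samples.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Paths an intruder on a PHP web host commonly touches; used only to rank the report.
HIGH_VALUE_HINTS = (".php", ".htaccess", "authorized_keys", "crontab", "cron", ".htpasswd")


def hash_tree(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks are skipped so a planted link cannot pull in files outside the tree
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_backups(clean_root, suspect_root) -> dict[str, list[str]]:
    """Return added, removed and changed relative paths, suspect relative to clean."""
    clean, suspect = hash_tree(Path(clean_root)), hash_tree(Path(suspect_root))
    common = clean.keys() & suspect.keys()
    return {
        "added": sorted(suspect.keys() - clean.keys()),
        "removed": sorted(clean.keys() - suspect.keys()),
        "changed": sorted(p for p in common if clean[p] != suspect[p]),
    }


def prioritise(report) -> list[str]:
    """Order added/changed paths so the ones worth reading first come first."""
    touched = report["added"] + report["changed"]

    def score(p: str) -> int:
        return 0 if any(hint in p for hint in HIGH_VALUE_HINTS) else 1

    return sorted(touched, key=lambda p: (score(p), p))


def demo() -> dict[str, list[str]]:
    """Build two constructed backup trees (hypothetical content) and compare them."""
    base = Path(tempfile.mkdtemp(prefix="backup-diff-"))
    clean, suspect = base / "day1", base / "latest"
    files = {
        "public_html/index.php": "<?php echo 'hello'; ?>\n",
        "public_html/css/site.css": "body { margin: 0 }\n",
        "etc/nginx.conf": "server { listen 80; }\n",
    }
    for root in (clean, suspect):
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
    # Differences that exist only in the later backup (constructed, not real malware)
    (suspect / "public_html/index.php").write_text("<?php echo 'hello'; /* modified */ ?>\n")
    (suspect / "public_html/uploads").mkdir()
    (suspect / "public_html/uploads/cache.php").write_text("<?php /* unexpected new file */ ?>\n")
    (suspect / "etc/nginx.conf").unlink()
    return compare_backups(clean, suspect)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(kind, paths)
    print("look first at:", prioritise(report))
```

Run it against real extracted backups with compare_backups("/path/to/day1", "/path/to/latest"); "added" files under the web root and "changed" PHP files are the usual place an entry vector or web shell shows up, and symlinks are deliberately skipped so a planted link cannot drag unrelated files into the comparison.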

I’m fast concluding it was somewhere in the nameserver chain, perhaps when the domain was transferred between registrars: the original was with 1AND1, then moved to PORKBUN, so UK to US.

I just do not see any profit in chasing it further.

But thanks for the help.

Just curious, if the problem was external, e.g. the name server chain, how come the nuclear option had any effect?


If recreating the VPS “fixed” the issue, then it wasn’t the DNS supply chain.


You can know if it’s DNS (do the A records point to your IP or not, or are there any CNAME records pointing somewhere nefarious?). And it doesn’t sound like it was DNS here.
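A scripted version of that check, added here as an example and not code from this thread or from Virtualmin: parse the answer section a public resolver returns and flag A/AAAA records that are not your addresses, any CNAME at the apex or www, an NS set that differs from what your provider holds, and an MX whose target is a bare IP literal (the 127.0.0.1 symptom mentioned later in the thread). The domain, addresses, nameservers and both answer samples are constructed placeholders; the suggested dig command is the only real tool assumed.

```python
"""Flag DNS answers that do not match what you expect a domain to serve.

Added example for this thread, not code from the forum or from Virtualmin.
Feed it the answer section captured from a public resolver, e.g.
    dig +noall +answer example.com A AAAA NS MX @1.1.1.1 > answer.txt
The domain, addresses and nameservers below are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import re

# dig answer lines look like:  name  ttl  IN  type  rdata
_ANSWER = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(output: str) -> list[tuple[str, str, str]]:
    """Turn `dig +noall +answer` text into (owner, type, rdata) tuples."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = _ANSWER.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def _as_ip(text: str):
    """Return an ip_address for text (trailing dot tolerated) or None if it is a hostname."""
    try:
        return ipaddress.ip_address(text.rstrip("."))
    except ValueError:
        return None


def check_records(records, expected_ips, expected_ns) -> list[str]:
    """Return findings for anything that does not match the expected zone; empty means clean."""
    want_ips = {ipaddress.ip_address(ip) for ip in expected_ips}
    want_ns = {ns.rstrip(".").lower() for ns in expected_ns}
    seen_ns: set[str] = set()
    findings = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            if _as_ip(rdata) not in want_ips:
                findings.append(f"{rtype} {owner} -> {rdata}: not one of your addresses")
        elif rtype == "CNAME":
            # A parked or hijacked zone often swaps direct records for a CNAME to the parking host
            findings.append(f"CNAME {owner} -> {rdata}: no CNAME expected here")
        elif rtype == "NS":
            seen_ns.add(rdata.rstrip(".").lower())
        elif rtype == "MX":
            _prio, host = rdata.split(None, 1)
            # An MX target that is a bare address (e.g. 127.0.0.1) black-holes mail
            if _as_ip(host) is not None:
                findings.append(f"MX {owner} -> {host}: MX target is an IP literal")
    if seen_ns and seen_ns != want_ns:
        findings.append(f"NS set {sorted(seen_ns)} differs from expected {sorted(want_ns)}")
    return findings


# Constructed sample: what the authoritative provider should be serving.
EXPECTED_IPS = ["203.0.113.10", "2001:db8::10"]
EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]

CLEAN_ANSWER = """\
example.com.    300 IN A    203.0.113.10
example.com.    300 IN AAAA 2001:db8::10
example.com.    300 IN NS   ns1.example.net.
example.com.    300 IN NS   ns2.example.net.
example.com.    300 IN MX   10 mail.example.com.
"""

# Constructed sample resembling the hijacked answers described in the thread.
HIJACKED_ANSWER = """\
example.com.     300 IN A     198.51.100.7
example.com.     300 IN NS    ns1.parking.example.
www.example.com. 300 IN CNAME park.parking.example.
example.com.     300 IN MX    10 127.0.0.1.
"""

if __name__ == "__main__":
    for label, answer in (("clean", CLEAN_ANSWER), ("hijacked", HIJACKED_ANSWER)):
        findings = check_records(parse_dig(answer), EXPECTED_IPS, EXPECTED_NS)
        print(f"{label}: {'no issues' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run the same dig against your provider’s authoritative servers and against two or three public resolvers; if the authoritative answer is clean and a public resolver’s is not, the problem is in the delegation or registrar chain rather than on the VPS, and if every resolver agrees with your provider, the server itself is the place to look (which is what the rebuild in this thread suggests).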

The A records (MX and AAAA) were all correct on the DNS provider (Linode); there were no CNAMEs there, and with the correct IP at the US provider.

However, using those tools showed NS, A and AAAA all pointing to Koeln, Germany! The MX pointed to 127.0.0.1 (so complaining to Sedo is a bit of a dead end).

That tool also showed multiple CNAMEs and TXT records.

Deletion of the VS (and rebuilding in Virtualmin; a drastic measure, I know) at least gives me new passwords and new SSH keys. The backup (day one) at least was clean (no external code); it is then down to the domain owner to bring it back up to date. I don’t think it was much used anyway, or I might have been more attentive. There are only 5 VS on this VM and the others seem unaffected.

So I am not going to chase rabbits :rabbit: :hole:
