Hijacked DNS?

January 28, 2007 – 9:49 am

Today I found that one of my domains was not displaying my website, but instead was showing visitors a list of Google AdWords sponsored links, and throwing malicious pop-under windows. I did a quick ping, nslookup and a whois query on it.

The ping replied from 66.45.237.187. Not my domain’s normal address.

The nslookup showed that address and three more:
- 64.20.43.107
- 66.45.232.66
- 66.45.232.75

None of these belong to my hosting provider. They all belong to InterServer, which seems to be a legitimate server leasing company. Pointing your browser at them, you see a sponsor site about mortgages.

So I called my hosting provider (MidPhase) to see if they were having any trouble. Nothing was wrong on their end, so I started troubleshooting on mine. I brought up a remote desktop connection to my office workstation, and the domain resolved fine from there, so the problem was clearly limited to my house.

I run a Win2K3 domain controller here in the house, which also acts as our DNS server. I restarted the DNS service and cleared its cache, and after a few minutes everything was working normally again.
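The checks above (ping and nslookup from the affected network, then the same lookup from a machine somewhere else) can be made more precise by asking each resolver directly and by probing a name that should not exist. The script below is an added example and is not part of the original post. It builds raw DNS A queries with the Python standard library so they can be aimed at a chosen server (the LAN DNS server, the ISP's resolver, the domain's authoritative nameserver) rather than whatever the OS is configured to use, and it classifies the answers. The sample data is constructed: the "local" answers reuse the four addresses seen above, 192.0.2.10 is a documentation address standing in for the domain's real one, and `example.com` and the script name are placeholders.

```python
"""Added example: query resolvers directly and compare their answers."""
import random
import socket
import struct
import sys

NXDOMAIN = 3  # RCODE meaning "name does not exist"


def build_query(name, qtype=1, txid=None):
    """Return (packet, txid) for a one-question DNS query with RD set."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1), txid


def _skip_name(msg, offset):
    """Return the offset just past a name (labels or a 2-byte compression pointer)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(msg, expected_txid=None):
    """Return (rcode, [IPv4 strings]) from a DNS reply's answer section.

    Only A records are collected; other RR types are skipped. Truncated (TC)
    replies are not retried over TCP, which is fine for small A answers.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return rcode, ips


def query(server, name, timeout=3.0):
    """Send one A query over UDP to `server` (an IP address) and parse the reply."""
    packet, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def probe_name(domain):
    """A random label under `domain` that no legitimate zone should define."""
    return "probe-%08x.%s" % (random.randrange(1 << 32), domain)


def diagnose(local, authoritative, local_probe, authoritative_probe):
    """Compare (rcode, ips) results; return a list of findings (empty = consistent)."""
    findings = []
    if set(local[1]) != set(authoritative[1]):
        findings.append("local resolver returns different A records than the authoritative server")
    # A zone with a real wildcard record legitimately answers for any name, so
    # only flag the probe when the authoritative server itself says NXDOMAIN.
    if authoritative_probe[0] == NXDOMAIN and local_probe[0] == 0 and local_probe[1]:
        findings.append("local resolver answers for a nonexistent name (wildcard-style hijack)")
    return findings


# Constructed sample reply for example.com carrying two of the addresses from the post.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # id 0x1234, flags, 1 Q, 2 answers
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x42\x2d\xed\xbb"  # A 66.45.237.187
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x40\x14\x2b\x6b"  # A 64.20.43.107
)


def main(argv):
    """Usage: hijackcheck.py <local-resolver-ip> <authoritative-ns-ip> <domain>"""
    if len(argv) != 4:
        print(main.__doc__)
        return 2
    local_ip, auth_ip, domain = argv[1:]
    probe = probe_name(domain)
    findings = diagnose(
        query(local_ip, domain), query(auth_ip, domain),
        query(local_ip, probe), query(auth_ip, probe),
    )
    for line in findings or ["answers consistent"]:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against the LAN DNS server and once against the ISP's resolver (the authoritative nameserver's address comes from `whois` or an `NS` lookup done from a trusted machine). If only the LAN server disagrees with the authoritative answer, the problem is in its cache or its forwarder settings; if the ISP's resolver disagrees too, the poisoning is upstream and flushing the local cache only hides it until the next lookup.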

I’m a little baffled here. I ran a search for those IP addresses and only found links to whois services, so I’m hoping this entry will work its way into the search results in case anyone else encounters this problem. If anyone has any info about this, please let me know.

One Response to “Hijacked DNS?”

I am experiencing the exact same problems, but from my internal LAN: whenever I ping a nonexistent name (e.g. ping doesnotexistforreal) I get replies from the 3 IP addresses that you mentioned.

Have you already found a solution for this problem?

By Victim2 on Feb 26, 2007
