45

I recently received the following message from Google Webmaster Tools:

Dear site owner or webmaster of http://gotgenes.com/,

[...]

Below are one or more example URLs on your site which may be part of a phishing attack:

http://repair.gotgenes.com/~elmsa/.your-account.php

[...]

What I don't understand is that I never had a subdomain repair.gotgenes.com, but visiting it in the web browser gives an actual website. My DNS is FreeDNS, which does not list a repair subdomain. My domain name is registered with GoDaddy, and the nameservers are correctly set to NS1.AFRAID.ORG, NS2.AFRAID.ORG, NS3.AFRAID.ORG, and NS4.AFRAID.ORG.

I have the following questions:

  1. Where is repair.gotgenes.com actually registered?
  2. How was it registered?
  3. What action can I take to have it removed from DNSs?
  4. How can I prevent this from happening in the future?

This is pretty disconcerting; I feel like my domain has been hijacked. Any help would be much appreciated.

2
  • 1
    Does your control panel have the power to control your DNS, like a lot of control panels do? If it does, that's where I'd be looking for the break in.
    – Oli
    Sep 13, 2012 at 22:05
  • 2
    He said he's using FreeDNS. I wouldn't expect everyone to be familiar with it, but it's not Hosting, has no "Control Panel", and the other answers are not only correct but have relevant details.
    – Chris S
    Sep 14, 2012 at 0:21

6 Answers

80

Sigh. I've had a few clients fall into this trap by using afraid.org as their DNS provider. Because they're free, they allow anyone who wants to to create subdomains off your primary domain, unless you specifically disallow it.

You can see here: https://freedns.afraid.org/domain/registry/?sort=5&q=gotgenes&submit=SEARCH that someone has created 79 subdomains off your primary domain.

Never. ever. ever. ever. use afraid.org for a website you care about.

7
  • 7
    Wow. Thanks for the info Mark, very useful, if scary or even reckless on the part of afraid.org. DNS is enough of a vector as it is, they really need to change this policy. +1
    – mcauth
    Sep 14, 2012 at 3:01
  • 5
    With free providers you do tend to get what you pay for. :)
    Sep 14, 2012 at 8:56
  • 3
    In this case, it sounds like you got even less than what you paid for.
    Sep 14, 2012 at 10:44
  • 1
    Do they give an explanation for why they have such a dangerous default behavior?
    Sep 14, 2012 at 13:51
  • 14
    This is how freedns works. They provide any person the ability to create a subdomain on thousands of other domains that are donated by others. This is what they do, pure and simple. Anyone who doesn't realize this clearly had no idea what they were doing when they signed up for freedns.
    – user606723
    Sep 14, 2012 at 14:55
14

If you want the domain to be for your use only, you need to configure it as such: http://freedns.afraid.org/queue/explanation.php

FreeDNS is, as others have mentioned, primarily a service for registering a hostname in one of a large selection of available domains; by adding a domain on FreeDNS you are, by default, adding to the set of domains available for anyone to use.

7
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
;; Received 509 bytes from 192.36.148.17#53(192.36.148.17) in 551 ms

gotgenes.com.       172800  IN  NS  ns1.afraid.org.
gotgenes.com.       172800  IN  NS  ns2.afraid.org.
gotgenes.com.       172800  IN  NS  ns3.afraid.org.
gotgenes.com.       172800  IN  NS  ns4.afraid.org.
;; Received 119 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 395 ms

repair.gotgenes.com.    3600    IN  A   209.217.234.183
gotgenes.com.       3600    IN  NS  ns4.afraid.org.
gotgenes.com.       3600    IN  NS  ns1.afraid.org.
gotgenes.com.       3600    IN  NS  ns3.afraid.org.
gotgenes.com.       3600    IN  NS  ns2.afraid.org.
;; Received 227 bytes from 174.37.196.55#53(174.37.196.55) in 111 ms

I get the response from nsX.afraid.org - the same nameservers that are listed for your domain.

So I'd say that either

  • Your DNS account was hacked
  • You created a record you do not remember
  • An employee with your DNS host is corrupt
  • Your DNS host got hacked and records are created without you being able to see them.
2
  • 9
    It's not so much that it's been hacked; rather, they opened their entire company name up to abuse by using afraid.org, which permits anyone to create a subdomain off your primary domain.
    Sep 14, 2012 at 0:27
  • 2
    I didn't even have the imagination to imagine that a DNS provider would do that. So I learned something new too, which is great :D
    Sep 16, 2012 at 9:18
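The reasoning in the dig +trace answer above (the record is served by the very nameservers the registrar delegates to, so the registrar delegation is intact and the record was created inside the zone at the DNS host) can be automated. The following is an added example, not code from anyone in this thread; it parses `dig +trace` output, using the last two hops quoted in the answer as a constructed sample, and compares the parent's referral, the NS set on file at the registrar, and the authority section of the final answer.

```python
import re

# Constructed sample input: the last two hops of the trace quoted above.
SAMPLE_TRACE = """\
gotgenes.com.       172800  IN  NS  ns1.afraid.org.
gotgenes.com.       172800  IN  NS  ns2.afraid.org.
gotgenes.com.       172800  IN  NS  ns3.afraid.org.
gotgenes.com.       172800  IN  NS  ns4.afraid.org.
;; Received 119 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 395 ms
repair.gotgenes.com.    3600    IN  A   209.217.234.183
gotgenes.com.       3600    IN  NS  ns4.afraid.org.
gotgenes.com.       3600    IN  NS  ns1.afraid.org.
gotgenes.com.       3600    IN  NS  ns3.afraid.org.
gotgenes.com.       3600    IN  NS  ns2.afraid.org.
;; Received 227 bytes from 174.37.196.55#53(174.37.196.55) in 111 ms
"""
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")
HOP_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+")

def parse_trace(text):
    """Split trace output into hops (answering server, [(owner, type, rdata)])."""
    hops, records = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HOP_RE.match(line):          # ';; Received' closes a hop
            hops.append((m.group(1), records))
            records = []
        elif m := RR_RE.match(line):
            records.append(tuple(f.lower() for f in m.groups()))
    return hops

def ns_set(records, zone):
    return {rd for owner, rtype, rd in records if rtype == "ns" and owner == zone}

def diagnose(trace, zone, qname, registrar_ns):
    """Locate where qname's record lives by comparing referral, registrar and answer NS sets."""
    hops = parse_trace(trace)
    expected = {n.lower().rstrip(".") + "." for n in registrar_ns}
    # Referral hop: only NS records for the zone, no answer for qname yet.
    referral = next((ns_set(r, zone) for _, r in hops
                     if ns_set(r, zone) and all(t == "ns" for _, t, _ in r)), set())
    server, final = next(((s, r) for s, r in hops
                          if any(o == qname and t != "ns" for o, t, _ in r)), ("", []))
    if referral != expected:
        verdict = "delegation changed: parent referral differs from registrar NS set"
    elif ns_set(final, zone) != expected:
        verdict = "suspicious: answering server's authority section does not match delegation"
    else:
        verdict = "delegation intact: record created in the zone at the DNS host"
    return {"referral": sorted(referral), "answered_by": server, "verdict": verdict,
            "addresses": [rd for o, t, rd in final if o == qname and t == "a"]}
```

For the sample trace and the four NS1-NS4.AFRAID.ORG names from the registrar, the verdict is "delegation intact", which is exactly the situation the other answers describe: nothing at GoDaddy was touched, the record exists in the shared zone at FreeDNS.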
1

By default your domain is set to be shared. That way anyone can add a subdomain of your domain. You can change it in the domains panel by clicking on the value next to "Shared:", which should change it from Public to Private. If it doesn't, it probably got hacked or something.

0

Someone hacked your nameserver. Check with whoever is your nameserver for the domain. The nameserver is defined on your account with the registrar.

1
  • 7
    "By design" != "hacked".
    – Andrew
    Sep 14, 2012 at 5:41
0

I am adding here a nuance to the answers already provided. Most people have pointed to a possible DNS issue. That is a valid point. Just another possibility is what's called Wildcard (or Catch-all) subdomains. You can set one up as part of your Advanced DNS Record edits as in the attached picture.

An example of details on wildcard subdomains is: namecheap dot com's support page on the topic.

Please note that in and of itself, the wildcard subdomain isn't bad, but when you start thinking spoofing of email addresses and fake web sites, it can be pretty serious.

