nuseek.com hacking/hijacking my DNS/nameservers?


  1. #1
    Junior Member
    Join Date
    Apr 2008
    Posts
    2

    Question nuseek.com hacking/hijacking my DNS/nameservers?

    Having recently transferred a domain name from BT to 123-reg (where I already have nearly 80 other domains), one of my client's domain names seems to have somehow been hacked/hijacked by nuseek.com to be replaced occasionally by a link farm.

    The website is hosted on a VPS server (where I have a bunch of other domains without a problem). There’s not been any PHP or SQL uploads, and no other website on the VPS is affected.

    Similarly, I've scanned three computers encountering the problem, and all have come back clean of viruses, etc.

    Essentially, when someone types in my client's domain www.puritypoledancing.com, quite often (but not all the time), the site appears to be a link farm, all with appropriate links based on the domain name (ie belly dancing, etc.), and a picture of some blonde woman with a rucksack (of which the image is hosted on nuseek.com). However, this link farm has nothing to do with the actual pole dancing website (which has a picture of a pole dancer, and various standard internal links to getting classes, gallery, etc.), and has nothing to do with me either.

    All the DNS settings on both the domain control, and the VPS are showing as they should (and just like all the others hosted with the same domain name reseller & VPS).

    The problem appears to come and go, so when I think I've ‘fixed it’, or when my VPS provider, or domain provider 'claim' to have resolved it (ie by trying to reset the DNS again, etc.), a few days, or a week later, the link farm appears again in the same way, and all the tertiary domains (ie the domain’s mail, etc) are also blocked and replaced by the link farm.

    So far, my searches around the web don't seem to prove too fruitful. As far as I can gather, it seems nuseek.com have hacked/hijacked loads of websites late last year: http://www.techworld.com/security/ne...S&NewsID=10798

    I’m also finding other people who agree that the link farm is just skimming off traffic temporarily at various times of the day/week, as I've experienced, without taking permanent control of the domain.

    I'm finding that depending which ISP I'm using at the time (ie if I simultaneously look at the site through two ISPs), one picks up the link farm, the other picks up the real site.

    So I assume it must be something down to the nameserver or DNS settings, as these can take a few days to propagate around the web (ie hence why two ISPs would see different sites) rather than of course html updates which are instant.

    So has anyone come across this type of thing before, and can anyone suggest how I can get around it and stop it happening again, when all the nameserver, DNS, and domain whois records show the site as it should be?

    I look forward to trying to find an answer so I can stop this incredibly annoying (but strangely impressive) challenge!

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Ugh, DNS issues can be pretty complicated. We ran into a slew of them
    with our VPN users on one particular ISP. They weren't resolving after we
    rolled into an MPLS. It was rather more complicated than that but we did
    determine "Z-town" users particularly had problems.

    I checked the site and didn't have any problems. And you're testing it from
    different ISP's? The users experiencing problems, are they using the 'problem'
    ISP? I'd take my complaint to the ISP (try to get to level 2) and ask them
    how they're resolving DNS (see if they have alternative DNS servers). At
    least they may give you some new insight into the issue.

    edit -- Level 3's got a couple of DNS servers we used during workarounds:

    4.3.3.2
    4.3.3.3

    Try those on your 'problem' ISP's connection. At least you may narrow
    down the problem and be able to better explain to your client what's going
    on. HTH.
    Last edited by brokencrow; April 9th, 2008 at 03:47 PM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
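    One way to run the comparison brokencrow suggests (ask several resolvers for the same name and see which ones disagree) without any third-party DNS library. This is an added example, not code from any poster in the thread; the domain and the two Level 3 resolver addresses come from the posts above, the reference address in the constructed sample data is made up, and the real network lookup only runs when the file is executed directly.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Build a minimal DNS A query (RD set) in wire format for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, name ends here
            return off + 2
        off += ln + 1

def parse_a_records(msg, qid):
    """Return (rcode, sorted A-record addresses) from a DNS response; check the id."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (not the reply to our query)")
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, sorted(addrs)

def query_a(name, resolver, timeout=3.0):
    """Send one UDP query to `resolver` and return the A addresses it answers with."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)[1]

def find_divergent(expected, answers):
    """Resolvers (dict resolver -> address list) whose answer differs from `expected`."""
    return sorted(r for r, a in answers.items() if set(a) != set(expected))

if __name__ == "__main__":
    # Resolvers named in the thread; compare each against the first one's answer.
    resolvers = ["4.3.3.2", "4.3.3.3"]
    seen = {r: query_a("www.puritypoledancing.com", r) for r in resolvers}
    print("disagreeing resolvers:", find_divergent(seen[resolvers[0]], seen))
```

Run the same check from each ISP's connection with the ISP's own resolver added to the list; a resolver whose answer points somewhere the authoritative nameservers do not is the one to take to the ISP's level 2 support.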

  3. #3
    Junior Member
    Join Date
    Apr 2008
    Posts
    2
    Many thanks for your feedback.

    Yeah, somehow it seems to be fixed again at the moment (just as I thought it had last week, before the same link farm re-appeared again), so I'm sure I'll find out again pretty quickly if the same problem re-appears.

    And yeah, using a remote desktop I was able to view the site live with both Orange Broadband and BT Broadband on split screens. One of them would show the correct site, and one would show the link farm (and this test was repeated for most of the day, with the same results all the time).

    Unfortunately at the time, I didn't think to try and find out what ISP the other people were using when they had the challenges, but it's good to know that's where the problem (to an extent) could lie. I'll certainly be contacting the faulty ISP on the chance it happens again.

    Fingers crossed though. I just don't understand how nuseek could do this in the first place, particularly intermittently!

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    It's not just nuseek.com. There's a ton of broken resolvers out there.
    Apparently it's wreaking havoc with IP6. What's happening is a lot of
    outfits, even big ISP's, are setting up their DNS servers in violation of
    RFC's (rules) covering them. It saves them money and lets them use
    cheap hardware.

    That was our tentative determination about our problem ISP. We'd have
    users connected via PPTP VPN to our network from that one ISP. When
    they'd go to the company intranet, which normally they were able to do,
    they'd get the ISP's default search page. This was not happening with
    other ISP's, though we had issues there, too.

    It was rather humorous how we determined the problem. A retired admin
    (30+ years onsite) had been brought back in and couldn't understand what
    was going on after a couple of weeks. We were convinced it was the MPLS
    implementation (which we never ruled out). I wryly commented the ISP
    is making money on the searches (their search engine was powered by
    Yahoo). This led him to start looking at the RFC's, which the ISP was not
    in full compliance with.

    Google "broken resolvers" and any other keywords to get a bigger picture.
    There's no telling the extent of the problem. And it's an issue that will never
    get much publicity because of security concerns, but it makes sense that
    websites could get hijacked in this kind of environment. I'm not an expert
    in DNS and setting up a DNS server is not a trivial task. There's others here
    who know better than I what kind of issues we're covering.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    A wee bit more on what's wrong with DNS:

    http://www.theregister.co.uk/2008/04...che_poisoning/
    “Everybody is ignorant, only on different subjects.” — Will Rogers
