I'm a bit puzzled, as someone/thing seems to have been able to hack some of the * CNAME DNS forwarding of one of my client's domains (as far as I can tell).
This resulted in an intermittent challenge where most worded tertiary domain names pointed to a link farm, instead of the main site. And then occasionally the main website would too (but not all the time). Similarly, the client's emails (i.e. on mail.theirdomain.com)
The domain was recently released from a BT hosting, and then re-administered via a well known domain name company. DNS was then set to forward through to a VPS (Virtual Private Server).
However, despite all the DNS settings indicating they were pointing the right way (on both the domain name hosts, and on the VPS), the link farm kept appearing on many tertiary domains (even though the * record was pointing to the right IP), and sometimes the main site (but not all the time) would be the link farm too.
Unfortunately viewing the source code, didn't give me any indication as to who they were, and the browser just claimed it was on that domain.
As a precaution, full virus/spyware scans were done on both my PC and the client’s PC (all clear).
Now, resetting all the DNS on the domain, and changing all the passwords just in case, seems to have fixed it. However, I've never heard of this type of hack before.
Has anyone else had this happen to them... and any ideas how to prevent it in the future?
As a further follow up to the post above, I've now discovered the hijacking has been done by nuseek.com (I found a link to an image on their site in the source code of the link farm page, and a few searches found they'd done this elsewhere too).
Some searches on the web seem to only bring back results that they've been hijacking websites since at least late last year, and have done it hundreds of thousands of times. It's a weird intermittent hijack to help seemingly skim off some of the traffic, some of the time (ie not all day every day). But then, as I thought last week when it had been cleared, it's now back again.
The fault also seems linked only to some ISPs (i.e. viewing the website on Orange broadband at the moment is as it should be, but viewing it through BT broadband brings up the link farm), which does lead me more to the DNS (as this can take a few days to fully propagate around the web, as differing ISPs pick up the new records, whereas HTML updates are instant).
The actual website is www.puritypoledancing.com (if you get the blonde woman with the rucksack, and all the targeted links, that's the link farm. If however you get a pole dancer, that's of course the right site!)
Although I have around 30 other domains on the same VPS, all the DNS pointing in the same way, this is the only site affected.
This particular site was also recently transferred between domain providers, from British Telecom to 123-reg, but none of the other sites I have hosted, or have transferred in the past, had been affected.
Of course full scans for malware, etc. on all the PCs all come up clean.
I'm even hearing of people with brand new PCs getting the same problems with which site they get.
So can anyone help me:
- Is this a virus that can't be seen, somehow on a bunch of PCs, that only affects certain websites?
- Is it infected via an ISP?
- Did they hijack part of the domain during the transfer (but still leave all the whois records indicating the right stuff)?
- Or what can I do to stop this?
I really look forward to someone hopefully being able to enlighten me on this challenge!
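One way to pin down where the wrong answer is coming from is to compare what each ISP's resolver returns against what the authoritative zone says it should return, paying attention to the wildcard (`*`) record the post is worried about. The script below is an added example, not something from the original post: it resolves a name purely from a constructed copy of the zone (following CNAMEs and applying the RFC 1034 rule that an existing name takes precedence over the wildcard, in a simplified form) and then flags any resolver whose answer contains addresses the zone never published. The domain, record set, resolver names and IP addresses are all constructed placeholders.

```python
"""Detect recursive resolvers answering with addresses the authoritative zone never published."""
from typing import Dict, List, Set

# Constructed zone data (placeholder domain and documentation-range IPs):
# the wildcard CNAME sends any unknown tertiary name to the main web host.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com":        {"A": ["192.0.2.10"]},
    "www.example.com":    {"CNAME": ["example.com"]},
    "mail.example.com":   {"A": ["192.0.2.25"]},
    "*.example.com":      {"CNAME": ["example.com"]},
}


def resolve_in_zone(zone: Dict[str, Dict[str, List[str]]], name: str) -> Set[str]:
    """Return the A records the zone itself would yield for `name`.

    Follows CNAME chains and synthesises answers from the wildcard at the
    closest enclosing name that exists in the zone (simplified RFC 1034 rule:
    a name that exists, even only as a parent of other names, never matches '*').
    """
    visited: Set[str] = set()
    while name not in visited:           # stop on CNAME loops
        visited.add(name)
        rrs = zone.get(name)
        if rrs is None:
            labels = name.split(".")
            for i in range(1, len(labels)):
                suffix = ".".join(labels[i:])
                exists = any(n == suffix or n.endswith("." + suffix) for n in zone)
                if exists:               # closest encloser found; try its wildcard
                    rrs = zone.get("*." + suffix)
                    break
            if rrs is None:
                return set()             # NXDOMAIN
        if "CNAME" in rrs:
            name = rrs["CNAME"][0]
            continue
        return set(rrs.get("A", []))
    return set()


def find_rogue_resolvers(expected: Set[str], observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each resolver to the addresses it returned that are not in the authoritative answer."""
    return {res: ans - expected for res, ans in observed.items() if ans - expected}


# Constructed observations: what two ISPs' resolvers answered for the same name.
OBSERVED = {"isp-a-resolver": {"192.0.2.10"}, "isp-b-resolver": {"198.51.100.7"}}
```

In practice `OBSERVED` is filled from `dig @<resolver-ip> <name> A` run against each ISP's resolver, and `ZONE` from the authoritative name servers; any resolver listed by `find_rogue_resolvers` is the one serving the link farm's address.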