
My company missed extending a domain name by a few days, so it went into its grace period. From what I know, if it went into the grace period, people would still be able to access my website. However, the site was actually showing a porn site under our domain name. My boss quickly paid for the domain names and a few minutes after that the website was back. This created a catastrophic situation between the company and its users, and I should be able to explain this to the users.

After days of research, I'm unable to find out why in the world the site was showing a porn site. So here is my conclusion so far: the developer used OpenX v2.8.8 to show ads; maybe someone hacked it using an XSS or CSRF attack. The URL is still connected to our domain, but with a subdomain for OpenX.

My question here:

  1. Was the site hacked?

  2. If it was hacked, how could it have been hacked?

Note: I can't disclose the site name for the sake of security.

Andrew T.
William Calvin
  • So was the site only redirecting during the period that your DNS hadn't been paid up? One thing to note is that OpenX had a recently discovered backdoor in their code which has active exploits. http://www.exploit-db.com/exploits/27529/ – Rory McCune Aug 16 '13 at 08:50
  • Yes, after paying up it seems back to normal. Does that affect 2.8.8 as well, @RoryMcCune? – William Calvin Aug 16 '13 at 09:09
  • Not sure actually, may only be 2.8.10. However, if the change went away when the DNS was paid up, it would seem unlikely to be that. Sounds like something you should take up with your DNS provider.... – Rory McCune Aug 16 '13 at 09:29
  • Yup, already asked them and waiting for their response. Thanks @RoryMcCune – William Calvin Aug 16 '13 at 10:01
  • So when you stopped paying for your domain, they turned your site into porn? That's the funniest thing I've heard all week. Also, you really ought to have bought that domain from a **real** ICANN accredited vendor. – tylerl Aug 16 '13 at 17:05

2 Answers

While multiple vulnerabilities exist in OpenX, there just isn't enough information in this case to tell for certain if your site was hacked or not.

It appears from what you said that the company from whom you bought your domain simply redirected your DNS records to a porn server after you stopped paying. And then when you paid again, they redirected you back. That would indicate that your original site and server were not actually affected at all.

tylerl

DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. These modifications may be made for malicious purposes such as phishing, or malicious content being unknowingly spread to your system via "drive-by" techniques.

How to combat this issue:

  1. Use best practices for credentials that allow changes to be made to DNS records.
  2. Revisit the choice of DNS provider regularly as you grow.
  3. Make use of SSL certificates.
  4. Avoid having low TTL where possible, specifically on master records.
  5. Use high TTL for MX records to delay the hijackers' ability to reroute your emails.
Jens Erat
Sh1nu11bi