I recently received the following message from Google Webmaster Tools:

Dear site owner or webmaster of http://gotgenes.com/,

[...]

Below are one or more example URLs on your site which may be part of a phishing attack:

http://repair.gotgenes.com/~elmsa/.your-account.php

[...]

What I don't understand is that I never had a subdomain repair.gotgenes.com, but visiting it in the web browser gives an actual website. My DNS is FreeDNS, which does not list a repair subdomain. My domain name is registered with GoDaddy, and the nameservers are correctly set to NS1.AFRAID.ORG, NS2.AFRAID.ORG, NS3.AFRAID.ORG, and NS4.AFRAID.ORG.

I have the following questions:

  1. Where is repair.gotgenes.com actually registered?
  2. How was it registered?
  3. What action can I take to have it removed from DNSs?
  4. How can I prevent this from happening in the future?

This is pretty disconcerting; I feel like my domain has been hijacked. Any help would be much appreciated.

Wouter
gotgenes
  • 1
    Does your control panel have the power to control your DNS, like a lot of control panels do? If it does, that's where I'd be looking for the break in. – Oli Sep 13 '12 at 22:05
  • 2
    He said he's using FreeDNS. I wouldn't expect everyone to be familiar with it, but it's not Hosting, has no "Control Panel", and the other answers are not only correct but have relevant details. – Chris S Sep 14 '12 at 00:21

6 Answers

80

Sigh. I've had a few clients fall trap to this by using afraid.org as their DNS provider. Because they're free, they allow anyone who wants to to create subdomains off your primary domain, unless you specifically disallow it.

You can see here: https://freedns.afraid.org/domain/registry/?sort=5&q=gotgenes&submit=SEARCH that someone has created 79 subdomains off your primary domain.

Never. ever. ever. ever. use afraid.org for a website you care about.

Mark Henderson
  • 7
    Wow. Thanks for the info Mark, very useful, if scary or even reckless on the part of afraid.org. DNS is enough of a vector as it is, they really need to change this policy. +1 – mcauth Sep 14 '12 at 03:01
  • 5
    With free providers you do tend to get what you pay for. :) – John Gardeniers Sep 14 '12 at 08:56
  • 3
    In this case, it sounds like you got even **less** than what you paid for. – Shadur Sep 14 '12 at 10:44
  • 1
    Do they give an explanation for why they have such a dangerous default behavior? – Dan Is Fiddling By Firelight Sep 14 '12 at 13:51
  • 14
    This is how freedns works. They provide any person the ability to create a subdomain on thousands of other domains that are donated by others. This is what they do, pure and simple. Anyone who doesn't realize this clearly had no idea what they were doing when they signed up for freedns. – user606723 Sep 14 '12 at 14:55
  • freedns pay accounts allow you to have a truly "private" domain name, FWIW [they call them "stealth" flagged domains] – rogerdpack May 29 '14 at 05:59
  • @Shadur Less? Someone built an entire website for him! :-p – ceejayoz May 09 '17 at 17:08
14

If you want the domain to be for your use only, you need to configure it as such: http://freedns.afraid.org/queue/explanation.php

FreeDNS is, as others have mentioned, primarily a service for registering a hostname in one of a large selection of available domains; by adding a domain on FreeDNS you are, by default, adding to the set of domains available for anyone to use.

7
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
;; Received 509 bytes from 192.36.148.17#53(192.36.148.17) in 551 ms

gotgenes.com.       172800  IN  NS  ns1.afraid.org.
gotgenes.com.       172800  IN  NS  ns2.afraid.org.
gotgenes.com.       172800  IN  NS  ns3.afraid.org.
gotgenes.com.       172800  IN  NS  ns4.afraid.org.
;; Received 119 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 395 ms

repair.gotgenes.com.    3600    IN  A   209.217.234.183
gotgenes.com.       3600    IN  NS  ns4.afraid.org.
gotgenes.com.       3600    IN  NS  ns1.afraid.org.
gotgenes.com.       3600    IN  NS  ns3.afraid.org.
gotgenes.com.       3600    IN  NS  ns2.afraid.org.
;; Received 227 bytes from 174.37.196.55#53(174.37.196.55) in 111 ms

I get the response from nsX.afraid.org - the same nameservers that are listed for your domain.

So I'd say that either

  • Your DNS account was hacked
  • You created a record you do not remember
  • An employee with your DNS host is corrupt
  • Your DNS host got hacked and records are created without you being able to see them.
Frands Hansen
  • 9
    It's not so much that it's been hacked; rather, they opened their entire company name up to abuse by using afraid.org, which permits anyone to create a subdomain off your primary domain. – Mark Henderson Sep 14 '12 at 00:27
  • 2
    I didn't even have the imagination to imagine that a DNS provider would do that. So I learned something new too, which is great :D – Frands Hansen Sep 16 '12 at 09:18
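The trace in this answer is the kind of evidence a domain owner wants to check routinely: which nameservers the TLD delegates to, and which names under the zone have address records the owner never created. The script below is an added example and not part of any answer on this page; it parses the last two delegation steps of the trace exactly as shown above and compares the address records it finds against an allowlist of hostnames. The allowlist `EXPECTED` is a constructed assumption, not something the asker stated.

```python
"""Parse dig +trace style output and flag address records under a zone that
are not on the owner's list of known hostnames.

Added example, not code from the Server Fault post.  TRACE is copied from the
answer above; EXPECTED is a constructed assumption about what the owner created.
"""
import re
from collections import defaultdict

# Delegation steps copied from the answer above (com. -> gotgenes.com. -> repair).
TRACE = """\
gotgenes.com.       172800  IN  NS  ns1.afraid.org.
gotgenes.com.       172800  IN  NS  ns2.afraid.org.
gotgenes.com.       172800  IN  NS  ns3.afraid.org.
gotgenes.com.       172800  IN  NS  ns4.afraid.org.
;; Received 119 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 395 ms

repair.gotgenes.com.    3600    IN  A   209.217.234.183
gotgenes.com.       3600    IN  NS  ns4.afraid.org.
gotgenes.com.       3600    IN  NS  ns1.afraid.org.
gotgenes.com.       3600    IN  NS  ns3.afraid.org.
gotgenes.com.       3600    IN  NS  ns2.afraid.org.
;; Received 227 bytes from 174.37.196.55#53(174.37.196.55) in 111 ms
"""

ZONE = "gotgenes.com."

# Hostnames the owner knows they created (constructed assumption for the example).
EXPECTED = {"gotgenes.com.", "www.gotgenes.com."}

# owner-name  TTL  IN  TYPE  RDATA  (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S.*?)\s*$")


def parse_records(text):
    """Return (name, ttl, type, rdata) tuples; ';;' comment lines and blanks are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def in_zone(name, zone):
    """True if name is the zone apex or a descendant of it."""
    return name == zone or name.endswith("." + zone)


def nameservers(records, zone):
    """NS targets seen for the zone apex, deduplicated across delegation steps."""
    return sorted({rdata for name, _ttl, rtype, rdata in records
                   if rtype == "NS" and name == zone})


def unexpected_hosts(records, zone, expected):
    """Names inside the zone with address-like records that are not on the allowlist."""
    found = defaultdict(set)
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA", "CNAME") and in_zone(name, zone) and name not in expected:
            found[name].add(rdata)
    return dict(found)


if __name__ == "__main__":
    recs = parse_records(TRACE)
    print("delegated to:", ", ".join(nameservers(recs, ZONE)))
    for host, targets in unexpected_hosts(recs, ZONE, EXPECTED).items():
        print("unexpected:", host, "->", ", ".join(sorted(targets)))
```

Run it as-is and it reports `repair.gotgenes.com.` pointing at `209.217.234.183`, which is the record the asker never created. Against a live zone you would feed it the output of `dig +trace <name>` for each name in a phishing report, or the zone's own export, and keep the allowlist under version control so a diff shows new names.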
1

By default your domain is set to be shared. That way anyone can add a subdomain of your domain. You can change it in the domains panel and click on the value next to "Shared:" and that should change it from Public > Private. If it doesn't it probably got hacked or something.

0

Someone hacked your nameserver. Check with whoever is your nameserver for the domain. The nameserver is defined on your account with the registrar.

it guy
0

I am adding here a nuance to the answers already provided. Most people have pointed to a possible DNS issue. That is a valid point. Just another possibility is what's called Wildcard (or Catch-all) subdomains. You can set one up as part of your Advanced DNS Record edits as in the attached picture.

An example of details on wildcard subdomains is: namecheap dot com's support page on the topic.

Please note that in and of itself, the wildcard subdomain isn't bad, but when you start thinking spoofing of email addresses and fake web sites, it can be pretty serious.

[Image: Advanced DNS Record settings showing a wildcard subdomain entry]

Alain
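The point of this answer is that a wildcard record makes names that were never created resolve anyway, which is what makes it useful for phishing hostnames. The script below is an added example, not code from the answer or from any DNS provider; it models a small constructed zone and applies the wildcard matching rule from RFC 4592 (a wildcard answers only when the queried name does not exist and the wildcard sits directly under the closest existing ancestor), plus a check that lists wildcard records so an owner can audit for them. The zone contents and addresses are constructed.

```python
"""How a wildcard record answers for names that were never created.

Added example, not code from the Server Fault answers.  ZONE is a constructed
zone: three owner-created names plus a catch-all wildcard.  lookup() follows
the RFC 4592 closest-encloser rule so the edge cases behave like a real server.
"""

# Constructed zone: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "example.com.":      {"A": ["192.0.2.1"]},
    "www.example.com.":  {"A": ["192.0.2.1"]},
    "mail.example.com.": {"A": ["192.0.2.2"]},
    "*.example.com.":    {"A": ["192.0.2.1"]},   # the catch-all wildcard
}


def _parent(name):
    """Strip the leftmost label: 'a.b.example.com.' -> 'b.example.com.'."""
    return name.split(".", 1)[1]


def apex_of(zone):
    """The zone apex is the shortest owner name present."""
    return min(zone, key=len)


def existing_names(zone):
    """Every name that exists, including empty non-terminals (RFC 4592 section 2.2.2)."""
    apex = apex_of(zone)
    names = set()
    for n in zone:
        while True:
            names.add(n)
            if n == apex:
                break
            n = _parent(n)
    return names


def wildcard_records(zone):
    """Owner names whose leftmost label is '*': the records an auditor should know about."""
    return sorted(n for n in zone if n.startswith("*."))


def lookup(zone, qname, qtype):
    """Return (rdata list, how) where how is exact, nodata, wildcard, nxdomain or out-of-zone."""
    qname = qname.lower()
    apex = apex_of(zone)
    if not (qname == apex or qname.endswith("." + apex)):
        return [], "out-of-zone"
    if qname in zone:                       # name exists with data
        return list(zone[qname].get(qtype, [])), "exact"
    names = existing_names(zone)
    if qname in names:                      # empty non-terminal: exists, no records
        return [], "nodata"
    # Closest encloser: the longest existing ancestor of the queried name.
    enc = _parent(qname)
    while enc not in names:
        enc = _parent(enc)
    wild = "*." + enc
    if wild in zone:                        # wildcard synthesis
        return list(zone[wild].get(qtype, [])), "wildcard"
    return [], "nxdomain"


if __name__ == "__main__":
    print("wildcards present:", wildcard_records(ZONE))
    for q in ("www.example.com.", "repair.example.com.",
              "deep.repair.example.com.", "x.www.example.com."):
        print(q, "->", lookup(ZONE, q, "A"))
```

`repair.example.com.` was never added to the zone, yet it resolves to the wildcard's address; so does a multi-label name such as `deep.repair.example.com.`. Note the one case where the wildcard does not fire: `x.www.example.com.` returns NXDOMAIN because `www.example.com.` exists and there is no `*.www.example.com.`. That asymmetry is why checking for the presence of `*` records, rather than resolving a few guessed names, is the reliable audit.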