
Got an interesting email from CIRA today with:

CE14-12545 [Malware hosted on ygglhalayvtwy.khabarov[.]ca] 
URL: http://ygglhalayvtwy.khabarov[.]ca/xnor/orladjaup.jpg
IP: 204[.]44[.]87[.]184
MD5: EFDCED1D3D8145EED471362B04E144871EBA2122
Malware: Trojan.Win32/Bicololo.A

That's pretty odd, as the domain is mine but I never set up subdomains, or even a wildcard. And I obviously don't serve malware.

Dig output:

; <<>> DiG 9.8.3-P1 <<>> ygglhalayvtwy.khabarov.ca
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ygglhalayvtwy.khabarov.ca. IN  A

;; ANSWER SECTION:
ygglhalayvtwy.khabarov.ca. 2498 IN  A   204.44.87.184

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 29 23:10:19 2014
;; MSG SIZE  rcvd: 59

So it resolves to some IP I have no idea about.

I checked afraid.org where I manage DNS. No such A record there.

Namecheap where I hold domain name has nothing suspicious either.

What's going on here exactly?

Grocery

1 Answer


My immediate suspicion was that someone else had control of your domain. There are now two possibilities:

  • You've had your account hacked for wherever you host your zone.
  • You're using some janky budget DNS host that allows you to host your zone with them for free and in return you allow them to give rights to create subdomains off of your domain. (Side note: Because I'm careless and read only half of your post before I came to my conclusion and started trying to falsify it, I didn't even notice that you explicitly stated afraid.org was your DNS host. I found that out for myself though, as you'll see in two seconds.)

Quick DNSMan! To the digs!

dig +short ns khabarov.ca
ns2.afraid.org.
ns4.afraid.org.
ns3.afraid.org.
ns1.afraid.org.

Well, well, well. What do we have here but good ol' afraid.org. I won't say anything bad about their service, because I don't think it's inherently bad. However you need to be aware of what you're giving when you use them. When you let a free service like afraid.org host your zone, they allow others to create subdomains off of your domain.

Someone used your domain, quite probably at random, and created a subdomain that delivered some nastiness to folks. That subdomain got reported through various channels, and now has the stink of death on it. Sharing is magic!


Wesley
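The two checks the answer walks through by hand, written up as an added example (this is not code from the question, the answer, or afraid.org): parse the `ANSWER SECTION` of `dig` output into records, flag any record under your zone that you never configured yourself, and look at the `dig +short ns` result to see whether the zone is delegated to a host that lets third parties add subdomains. The sample `dig` output is constructed to mirror what is shown in the thread; the owner's record allowlist (with an RFC 5737 documentation address), the `khabarov.ca` zone name used as the example, and the list of shared-subdomain nameserver suffixes are assumptions for the demo.

```python
"""Check dig output for rogue subdomain records and shared-DNS delegation.

Added example, not part of the original post. The dig output below is
constructed to match the thread; OWN_RECORDS and SHARED_DNS_NS_SUFFIXES
are assumptions for illustration.
"""
import re
import subprocess

# Constructed sample: the A lookup from the question (dig default output).
DIG_A_OUTPUT = """\
;; QUESTION SECTION:
;ygglhalayvtwy.khabarov.ca. IN  A

;; ANSWER SECTION:
ygglhalayvtwy.khabarov.ca. 2498 IN  A   204.44.87.184
"""

# Constructed sample: the NS lookup from the answer (dig +short output).
DIG_NS_SHORT = """\
ns2.afraid.org.
ns4.afraid.org.
ns3.afraid.org.
ns1.afraid.org.
"""

# Assumed: the records the zone owner actually configured at the DNS host.
# 198.51.100.10 is an RFC 5737 documentation address, used as a placeholder.
OWN_RECORDS = {
    ("khabarov.ca", "A"): {"198.51.100.10"},
    ("www.khabarov.ca", "A"): {"198.51.100.10"},
}

# Assumed: nameserver suffixes of free DNS hosts that let other users
# create subdomains under zones hosted there.
SHARED_DNS_NS_SUFFIXES = ("afraid.org.",)

# One resource record line as dig prints it: name. TTL IN TYPE RDATA
RR_RE = re.compile(
    r"^(?P<name>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)$"
)


def parse_dig_answer(text):
    """Return (name, type, rdata) tuples from dig's ANSWER SECTION.

    Works on full dig output (section headers present) and on the
    header-less output of `dig +noall +answer`.
    """
    records = []
    in_answer = True  # no headers at all means everything is the answer
    for line in text.splitlines():
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m.group("name"), m.group("type"), m.group("data")))
    return records


def find_rogue_records(records, own_records, zone):
    """Records at or under `zone` whose rdata the owner never configured."""
    rogue = []
    for name, rtype, data in records:
        if not (name == zone or name.endswith("." + zone)):
            continue  # not our zone, not our problem
        if data not in own_records.get((name, rtype), set()):
            rogue.append((name, rtype, data))
    return rogue


def shared_dns_servers(ns_short_output, suffixes=SHARED_DNS_NS_SUFFIXES):
    """Delegated nameservers that belong to a known shared-subdomain host."""
    servers = [s.strip() for s in ns_short_output.splitlines() if s.strip()]
    return [s for s in servers if s.endswith(suffixes)]


def dig(name, rtype):
    """Run the real dig binary (assumed on PATH); not used by the offline demo."""
    return subprocess.run(
        ["dig", "+noall", "+answer", name, rtype],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    for rec in find_rogue_records(parse_dig_answer(DIG_A_OUTPUT), OWN_RECORDS, "khabarov.ca"):
        print("rogue record:", rec)
    shared = shared_dns_servers(DIG_NS_SHORT)
    if shared:
        print("zone delegated to a shared-subdomain DNS host:", ", ".join(shared))
```

To run it against live data instead of the constructed samples, feed `dig("ygglhalayvtwy.khabarov.ca", "A")` into `parse_dig_answer` and `dig("khabarov.ca", "NS")` into `shared_dns_servers`; the parser accepts the header-less `+noall +answer` form. Note that resolution only tells you what the public resolvers see, as in the question; it cannot tell you who created the record, which is exactly why the NS delegation check matters.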