Hijacked DNS - How is this being done?

Roger P.

Well, this has got me; I have no idea how it's being done.

Windows 2000 Server domain controller; running nslookup, this is what
happens:
> sdsdfsdf
Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
Name: sdsdfsdf.****.co.uk
Address: 82.110.105.11
> wewerewer
Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
Name: wewerewer.****.co.uk
Address: 82.110.105.11
> 233sdsdsdfsdf334
Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
Name: 233sdsdsdfsdf334.****.co.uk
Address: 82.110.105.11

Any host name typed in resolves to 82.110.105.11?

Also, running nslookup with set type=mx, this happens:
> microsoft.com
Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
microsoft.com.****.co.uk MX preference = 10, mail exchanger =
mail1.extendcp.co.uk
mail1.extendcp.co.uk internet address = 82.110.105.32
> google.co.uk
Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
google.co.uk.****.co.uk MX preference = 10, mail exchanger =
mail1.extendcp.co.uk
mail1.extendcp.co.uk internet address = 82.110.105.32

All resolving to 82.110.105.32???

I've run virus and spyware checks and also looked at the DNS server
entries as well as the hosts file; all OK. Please help, I'm stuck!
 
Roger said:
Well, this has got me; I have no idea how it's being done.

In all likelihood this is neither a virus nor a hijack; it is likely to be
a wildcard record in the public zone, and this is very common in the co.uk
domain.

If you check your DNS suffix search list you will see that ****.co.uk
is in the list and your internal domain is dom.****.co.uk. What you need to
do is set a custom DNS suffix search list that has only your internal domain,
"dom.****.co.uk", in the list. This is caused by the DNS Client service and
nslookup appending these suffixes until they get a hit; they hit the public
wildcard and it resolves.

You can assign the DNS suffix search list in a Group Policy on XP and
Win2k3, but you'll have to configure the list manually on Win2k.

Computer Configuration
-Administrative templates
-Network
-DNS client <DNS suffix search list>


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
 
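Kevin's explanation above, as an added example that is not part of the thread: a small offline Python simulation of the DNS client suffix-search behaviour he describes, run against a constructed zone that carries a public wildcard record. It assumes that the internal domain is dom.example.co.uk ("example.co.uk" stands in for the masked "****.co.uk"), that the box's search list is the devolved pair dom.example.co.uk then example.co.uk, that nslookup tries each suffix in order before the bare name (assumed because it matches the output in the post), and that the zone contents, including the placeholder microsoft.com MX, are constructed. The addresses are the ones quoted in the post.

```python
# Added example (not code from the thread): simulate suffix-search + wildcard.
# Names are absolute (trailing dot). All zone data below is constructed.
ZONE = {
    # internal AD domain dom.example.co.uk; 192.168.0.2 is the DC from the post
    "dom.example.co.uk.":         {"A": ["192.168.0.2"]},
    "w2k-dom.dom.example.co.uk.": {"A": ["192.168.0.2"]},
    # public zone example.co.uk, hosted with a wildcard record
    "www.example.co.uk.":         {"A": ["82.110.105.11"]},
    "*.example.co.uk.":           {"A": ["82.110.105.11"],
                                   "MX": ["10 mail1.extendcp.co.uk."]},
    "mail1.extendcp.co.uk.":      {"A": ["82.110.105.32"]},
    # hypothetical placeholder for the real microsoft.com MX
    "microsoft.com.":             {"MX": ["10 mx.placeholder.invalid."]},
}

# Search lists: the devolved list assumed for Roger's box, and Kevin's fix.
BROKEN_LIST = ["dom.example.co.uk", "example.co.uk"]
FIXED_LIST = ["dom.example.co.uk"]


def _ancestors(name):
    """Proper ancestors of an absolute name, nearest first, root excluded."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]


# Every owner name plus its ancestors exists in the tree (empty non-terminals).
EXISTING = set(ZONE) | {a for owner in ZONE for a in _ancestors(owner)}


def lookup(qname, rtype):
    """Server side: exact match first; if the name does not exist at all,
    the wildcard at its closest enclosing name applies (RFC 1034 4.3.3)."""
    if qname in EXISTING:
        return ZONE.get(qname, {}).get(rtype)      # existing name: NODATA is None
    for anc in _ancestors(qname):
        if anc in EXISTING:                         # closest encloser
            return ZONE.get("*." + anc, {}).get(rtype)
    return None                                     # NXDOMAIN


def candidates(name, search_list):
    """Client side: a trailing dot means fully qualified, nothing is appended;
    otherwise each search-list suffix is appended first, bare name last."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{s}." for s in search_list] + [name + "."]


def resolve(name, rtype, search_list):
    """Walk the candidates in order and stop at the first hit."""
    for cand in candidates(name, search_list):
        answer = lookup(cand, rtype)
        if answer:
            return cand, answer
    return None


if __name__ == "__main__":
    for label, search in (("devolved list (the symptom)", BROKEN_LIST),
                          ("internal domain only (the fix)", FIXED_LIST)):
        print(f"-- search list {search}: {label}")
        for name, rtype in (("wewerewer", "A"), ("w2k-dom", "A"),
                            ("microsoft.com", "MX"), ("microsoft.com.", "MX")):
            print(f"   {name:15} {rtype:3} -> {resolve(name, rtype, search)}")
```

With the devolved list, "wewerewer" misses under dom.example.co.uk (no wildcard there) and then hits the public wildcard as wewerewer.example.co.uk, and "microsoft.com" becomes microsoft.com.example.co.uk before the bare name is ever tried, exactly the output in the post. With only the internal domain in the list, the junk name gets no answer and microsoft.com falls through to the real record. On the real box the quick check is the trailing dot: nslookup does not append any suffix to a name ending in ".", so "microsoft.com." and "anything.****.co.uk." show the real MX and the wildcard side by side.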