48 hours under DNS attack – spam rather than our website!
Rich Altmaier, Aug 15, 2015
Well perhaps attack is too strong, but it did take that long to figure out why entering our WordPress site URL sometimes gave our site, and sometimes landed on a spammers page.
And it definitely did happen due to malicious intent.

I received the emergency email from our director on Thurs evening – spam pages were showing up in place of our site!
My first thought was someone had hacked our site and somehow put in perhaps a .htaccess redirection. But I quickly found valid looking files. Then I proceeded to take a fresh, and a month old full site backup and used the very helpful utility Beyond Compare to compare them file by file. A few changes all looked reasonable. So I decided no one had changed files on our site.
Next I thought of some kind of malicious post may somehow contain php code to do a browser redirection. But how to examine all posts and other contents of the WordPress database? I happened to find the excellent plug-in WordFence. Hurray for WordFence. WordFence scanned all our pages, posts, uploads, etc and found a dozen malicious insertions. But none of them looked serious enough to me, and I cleaned them up anyway. No help.
After cleanup I did another scan or two by WordFence, and suddenly a new finding:

Your DNS records have changed
Old DNS records: villagevolunteers.org points to 173.254.38.193
New DNS records: https://www.villagevolunteers.org points to 77.247.178.109
Severity: Warning
Status New
We have detected a change in the A records of your DNS configuration that may affect the domain https://www.villagevolunteers.org. An A record is a record in DNS that points a domain name to an IP address. A change in your DNS records may indicate that a hacker has hacked into your DNS administration system and has pointed your email or website to their own server for malicious purposes.

Aha, somehow our DNS record is doing a “quasar”, changing every few seconds from valid to a spam site! I could enter ping sitename.org repeatedly, and the IP address returned kept flipping back and forth! Since this IP address lookup is performed prior to any connection to our server, I knew our problem was in the DNS area – nothing to do with our server. This also meant no files or contents were likely at fault on our server, some good news at least. But no solution.
Now do a trouble ticket with our domainname registrar – asking why our IP address is changing. On the phone for 30 minutes, to yield the response “DNS looks odd, never seen anything like this.”
No solution. Our site is still often a spam page.

We decided to move our domainname registration, in the hope it would become valid and stable. As I started to examine our registration, I noticed something odd. We had 2 nameserver entries for our domainname, showing as: ns1bluehost.com, ns2.bluehost.com
Notice the period missing in the first name. It was not going to bluehost.com at all.
I used Windows nslookup, where you can set the DNS server to consult, trying each of the two names, and yes, the bad name always yielded the spam site IP address!

The problem we were experiencing was due to one nameserver being valid and the second being a fake nameserver. Whenever entering the name villagevolunteers.org, if you were unlucky and got the fake nameserver, it provided a spam site IP address, rather than our Bluehost server IP address.
I really don’t know if our entries have been wrong for years, or a recent corruption.
I did a whois.net lookup of the bad name ns1bluehost.com and indeed it was recently registered in China, a few days earlier. It seems clear this name was created to exactly trap domainnames which happened to have erroneous entries. Our erroneous entry had been timing out, and falling over to the second valid entry. And now the China site intercepted it and provided spam.
We basically had a 50-50 chance that our name would be valid from the good nameserver, or spam from the bad nameserver.
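The following is an added example, not code from this post, from WordFence or from Bluehost: a small offline audit of a domain's NS delegation that catches exactly the two symptoms described above, a nameserver entry that merely looks like the hosting provider's (ns1bluehost.com versus ns1.bluehost.com, the missing dot making it a separate registrable domain) and nameservers that answer with different A records for the same name. The delegation list, the per-nameserver answers and the expected IP are constructed sample data built from the values quoted in the post; the function names and reason strings are this example's own.

```python
"""Audit a domain's NS delegation and the A-record answers each nameserver gives.
Runs offline: the delegation and answers are passed in as plain Python data
(constructed sample values at the bottom, taken from the post above)."""

LOOKALIKE = "lookalike: contains the provider name but is not a host under it"
FOREIGN = "foreign: not under the expected provider at all"


def _norm(name):
    """Lower-case and strip a trailing dot so 'NS1.Bluehost.com.' == 'ns1.bluehost.com'."""
    return name.lower().rstrip(".")


def check_ns_delegation(nameservers, expected_provider):
    """Return [(nameserver, reason)] for every NS entry that is not a host
    under expected_provider. 'ns1bluehost.com' is a lookalike of
    'ns1.bluehost.com': the provider's name is in it, but without the dot it
    is a completely separate domain that anyone can register."""
    provider = _norm(expected_provider)
    findings = []
    for ns in nameservers:
        name = _norm(ns)
        if name == provider or name.endswith("." + provider):
            continue                      # genuinely delegated to the provider
        reason = LOOKALIKE if provider in name else FOREIGN
        findings.append((ns, reason))
    return findings


def nameservers_disagreeing(answers, expected_ips):
    """answers: {nameserver: iterable of A-record IPs that nameserver returned}.
    Return the nameservers whose answer differs from the IPs you know your
    host has; every such server sends a share of your visitors elsewhere."""
    expected = set(expected_ips)
    return sorted(ns for ns, ips in answers.items() if set(ips) != expected)


def audit(nameservers, answers, expected_provider, expected_ips):
    """Combine both checks and estimate the share of lookups at risk.
    Resolvers spread queries over the delegated nameservers roughly evenly,
    so one bad server out of two puts about half of all lookups at risk."""
    bad_names = check_ns_delegation(nameservers, expected_provider)
    bad_answers = nameservers_disagreeing(answers, expected_ips)
    suspects = {ns for ns, _ in bad_names} | set(bad_answers)
    return {
        "bad_names": bad_names,
        "bad_answers": bad_answers,
        "fraction_at_risk": len(suspects) / len(nameservers),
    }


# Constructed sample data using the values quoted in the post: the mistyped
# NS entry, the real Bluehost IP, and the IP the bogus nameserver handed out.
DELEGATION = ["ns1bluehost.com", "ns2.bluehost.com"]
ANSWERS = {
    "ns1bluehost.com": ["77.247.178.109"],    # bogus nameserver's answer
    "ns2.bluehost.com": ["173.254.38.193"],   # real hosting IP
}
EXPECTED_IPS = ["173.254.38.193"]

if __name__ == "__main__":
    report = audit(DELEGATION, ANSWERS, "bluehost.com", EXPECTED_IPS)
    for ns, reason in report["bad_names"]:
        print(f"NS entry {ns!r}: {reason}")
    for ns in report["bad_answers"]:
        print(f"{ns} answers {ANSWERS[ns]} instead of {EXPECTED_IPS}")
    print(f"about {report['fraction_at_risk']:.0%} of lookups at risk")
```

The ANSWERS table is what you get by doing what the post describes: query the domain against each delegated nameserver in turn (nslookup with the server set explicitly) and record the A records each one returns. Running the audit on a schedule, with the delegation pulled from the registrar or the parent zone, turns the 48-hour hunt into a single alert the moment an NS entry stops belonging to the provider or two nameservers stop agreeing.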
Once I noticed the wrong name, I corrected it immediately; now, 2 days later, I hope it will fully propagate soon. Definitely looking better now.