Questions[hijack](server)

We own a primary domain:

• businessdts.com

I didn't know if our admins had created a sub-domain I had requested, "BDASERVER.businessdts.com.", so I just tried to connect to it with a browser and got a "not found". Then I pinged that sub-domain and got an IP address that doesn't belong to us:

• Pinging BDASERVER.businessdts.com [198.105.244.117] with 32 bytes of data
• Our domain and all sub-domains should have an IP address of [173.203.24.209]

I had the admins check all of our DNS zones and we find no instance of the BDASERVER sub-domain, (the admins had not created it yet), nor did we find any instance of the 198.105.244.117 IP address.

Doing an IP lookup, we found that 198.105.244.117 belongs to a company called Search Guide Inc. (searchguideinc.com). They appear to be a domain broker of some kind.

Am I missing something:

• How is this BDASERVER sub-domain resolving to a address that is not ours?
• How does someone hijack a SUB-domain?

I own the domain gimmeanswers.com unfortunately I've become aware of a browser hijack which uses the gimmeanswers.org (which I don't own) domain as a redirect.

Searches for my legitimate domain name now return a large number of results for this exploit with my .com version attached. As far as I can see the legit dns for my domain is intact and having checked from several remote servers the page I expect to appear, does. So I'm assuming if people with the hijack are being sent to what appears to be my domain then it must be messing with the hosts/dns cache too.

Obviously I have nothing to do with the hijack nor the .org but I've started getting emails from people assuming I do.

Is there anything simple I can do to get the association with my legit name removed from the search results/any advice from someone who has been in a similar situation?

The problem came to me when a user complained they couldn't send or receive emails. Outlook 2010 reads "Disconnected" in the bottom right. I have tried everything to reconnect, but no luck.

Tried:

• Repairing Network Connection
• Cached mode Off/On
• Running Spybot
• Malware Bytes
• CCleaner
• VIPRE Rescue
• Trend Micro
• Hijack This
• Safe Mode cleaning

Further into the problem, I tried connecting to our Outlook Web Access, and Chrome gave me a warning page that the SSL certificate wasn't trusted. That's news to me. Turns out it isn't my certificate after all. I try open other secure login pages, and they all redirect to the same red screen with the same warning, same certificate.

So I checked the hosts file and it's clean.

I tried turning off almost every Startup Item, and one jumped out at me. dedcedeefbeedct.exe. I deleted it, but that still didn't do the trick.

Then my network AV tells me the computer I'm working on has been trying to access http://methylen.com/Y2x8MS42fDMxNWZlOTA1MWQ4NDAyZDAyNTk3ZDNmYzk2ZDNiZmU3fDMwOQ== unsuccesfully (hyperlink changed so no one accidentally clicks on it), every three seconds for most of the time I've been working on it.

To me, it looks like all traffic on the SSL port (443) is being redirected/hijacked. This would explain why Outlook can't log in, because it uses SSL to verify.

So while I think I have an idea of what is going on, I'm not sure where to go from here. Anybody have any ideas?

I have two web servers at our colocation running CentOS 6.0. One runs our main marketing web site (production server) and the other is a staging server for the production server, so almost an exact replica. Both of them are behind a firewall and have private IP addresses. The firewall is connected to our main office with a site-to-site VPN tunnell. Both of the servers have their nameservers set up to use our internal DNS servers here in our main office.

On the production server, I'm facing this exact same issue, even the same hostname of phx1-ss-2-lb.cnet.com. The problem is that whenever I ping a domain name that doesn't exist, I get that cnet.com hostname in return. Even on my own domains, if I do somestupidsubdomain.mydomain.com, it returns with the cnet address. In that thread, they said it was NXDOMAIN hijacking and that they should use different name servers. In my situation, this production server is using the same nameservers as everyone else in the company, but this isn't an issue for anyone else. Even the staging server that's a mirror of the production server isn't having the issue.

I've checked the /etc/hosts file and nothing out of the ordinary is there. I looked up how to flush the local DNS cache through either nscd or bind and neither are even installed. I used nslookup and queried my two assigned DNS servers and they came back with domain not found errors, as would be expected.

Where should I look next?

EDIT

I used tcpdump on port 53 and than pinged some jibberish domain and this is the output I got

14:55:39.884442 IP 192.168.4.11.59726 > 192.168.0.22.domain: 27749+ A? asdfjjjf.com. (30) 14:55:39.905778 IP 192.168.0.22.domain > 192.168.4.11.59726: 27749 NXDomain 0/1/0 (103) 14:55:39.905930 IP 192.168.4.11.46752 > 192.168.0.22.domain: 18476+ A? asdfjjjf.com.com. (34) 14:55:39.926982 IP 192.168.0.22.domain > 192.168.4.11.46752: 18476 2/0/0 CNAME phx1-ss-2-lb.cnet.com., A 64.30.224.112 (82)

14:55:39.962067 IP 192.168.4.11.44686 > 192.168.0.22.domain: 5275+ PTR? 112.224.30.64.in-addr.arpa. (44)

14:55:39.983324 IP 192.168.0.22.domain > 192.168.4.11.44686: 5275 1/0/0 PTR phx1-ss-2-lb.cnet.com. (79)

So if I'm reading this right, does that mean that my DNS server is definitely responding with the cnet.com address? If I use nslookup, set it to the 192.168.0.22 server, and query a jibberish domains A record, it returns with nothing.

What happens to a TCP session when the IP of a client changes?

I did a simple test of having netcat listen on a port, and connecting to that port from a client machine. I then changed the IP of the client while that nc session was open and sent some data, no data was received by server after changing the IP.

1. I know they are different layers, but does TCP use IPs for part of how it distinguishes sessions?
2. Does my example not work because of how the application handles it, or is this not working because of something happening at TCP/IP/Ethernet layers?
3. Does this depend on the OS implementation? ( I am most interested in Linux at the moment)