# DNS BuyDomains.com hijacking - ruling out Linux.

## LiquidRain

Hello all!  I seem to be having a DNS hijacking problem and I'm wanting to rule out my Gentoo router, as it is 1 of 2 common links between all the PCs with the symptoms.  The exact problem is, buydomains.com is catching all my random website addresses I try to get to.  e.g.: If I try to go to www.goiejroigjeoijgerg.com I get buydomains.com.  Legitimate websites are unaffected, and if I weren't slightly paranoid I wouldn't be here asking.  Here are all the symptoms/evidence:

1. Friend with fresh Gentoo install displays Buydomains redirection on his Windows box.  This wasn't happening until after he was running behind Gentoo.

2. I say he's lying, but I check and I suffer the same problem.

3. I check my Mom's PC, a fresh Win2K install, lo and behold same problem.

4. Quick SSH login and a ping to a random website on my server brings up host not found error.

5. Boot using 2004.1 Gentoo LiveCD on my Windows PC, behind my Gentoo router box, and use links to try to get on random site.  Host not found.

6. Ask 2 people on same ISP as me what they get on their Windows boxes: both get host not found.

7. Pinging random sites in a command prompt gets resolved to buydomains.com's IP address.

8. Using IE or Firefox or Mozilla makes no difference.  I could try more but I see no point.

Both my friend's PC and my setup look like this: Win2K Pro, blackbox for Windows Lean 1.1 (not Explorer), we both use Firefox, I use Thunderbird (not sure what he uses), and Trillian.  I am fully updated on my Windows updates save the latest DirectX vulnerability.  My mother's PC has stock Win2K look/settings (no blackbox), except she uses the Mozilla suite instead of Firefox/Thunderbird.  This machine has constant AV scanning.  My whole network consists of my Mom's Win2K PC, my Win2K PC, a switch, and my Gentoo router.  As you can imagine, the likelihood of a hijacking occurring on my system is nil, and I'm very careful about that sort of thing as well.  Here is what I've done to try and remedy the problem, and its outcome:

1. First of all, Googled for everything under the sun.  DNS hijacking, Buydomains hijacking, Buydomains redirecting, Buydomains spyware, etc.  No info.  It's like nobody's ever had this before.

2. Searched spywareinfo.com (both db and Google searches). No results.

3. Searched dslreports.com.  No results.

4. Searched these forums. No relevant topics.

5. Full virus scan.  1 false alarm, 1 catch in my Thunderbird junkbox. (Teamspeak, Netsky respectively)

6. Full Ad-Aware scan.  Clean.

7. Full Spybot scan.  2 tracking cookies in Firefox.  By this point I'm still getting Buydomains.com off random addresses.

8. Stopped and started DNS client service.  No difference.

9. Changed DNS servers on my Windows box.  No difference.

10. Checked hosts files on Gentoo and Windows box for alterations, as well as resolv.conf.  Nothing.

11. Logged in to router remotely, loaded up Lynx to random site.  Host not found.

12. Booted Gentoo LiveCD 2004.1, loaded up Links to random site.  Host not found.

13. In a last resort I called tech support to ask if they knew of this problem, or if their DNS servers were wonky or pulling a SiteFinder gag.  Claimed they weren't and symptom/evidence #6 would confirm that.

14. As a footnote: my Gentoo box runs the freshclam daemon and runs a full HDD scan with ClamAV once a week.

I would dismiss this as a pure Windows spyware/virus problem if it wasn't for the niggling fact that my friend didn't experience this problem till the day he installed Gentoo.  As I said, there are 2 common links here: 1 is all affected PCs are Windows 2000, the other is they're all running behind Gentoo boxes.  At this point, this problem is driving me entirely mad and I would like to get to the bottom of it as any concern like this bothers me.

So, my questions in the end are: What else can I do so I can rule out my/my friends' router?  Is anyone else suffering this problem?  If anyone wants me to post the contents of any conf/rc/whatever file, I'd be more than happy to.

----------

## Given M. Sur

Try connecting directly to your modem rather than using the router.  If it still does it, it's not the router.  If it doesn't then it is.

----------

## LiquidRain

Directly connected to my cable modem on my Win2K PC this issue does not occur.  I get a host not found error in Firefox, IE, and pinging in a command prompt.

After reconnecting my Win2K PC back to the switch and my cable modem back to the router, without rebooting either PC, the BuyDomains problem is persisting.

As another footnote: the DNS server my ISP provides is the same one that the PCs on my network get.  (at first I had suspected I was using a DNS server that my ISP had dumped and I had to update my dhcpd.conf file, but I was wrong)

----------

## pakman

Is the router acting as a DNS cache, i.e. using tinydns/djbdns/BIND, or just doing pure NAT?

If not, I doubt the router is the problem. If you replace your internal workstation's OS with the gentoo liveCD the DNS lookups work fine (#5 in your list). To me that shows the router is working as it should be and the workstation OS is the problem (assuming the livecd and windows are configured to use the same DNS server). Doesn't explain why win2k straight onto the net works fine though, I'd test that again.

My instinct would be that it's spyware that has managed to sneak under the nose of the detection software, despite your investigations. Buydomains seem to be known spammers so it seems quite possible they'd use spyware:

http://groups.google.com/groups?q=buydomains&lr=lang_en

----------

## LiquidRain

The router is not acting as a DNS cache.

And if it really _WAS_ spyware, and the only condition that changes is the router in between my PC and the 'net...  I'm at a loss here, really.  I've grepped my /etc for "buydomains" to make sure it didn't sneak into any conf files but nothing showed up.

----------

## Chris W

> As you can imagine, the likelihood of a hijacking occurring on my system is nil,

I imagine no such thing.  This would make yours the only machine in existence with no unknown security vulnerabilities.

The hijack is not in DNS itself - your example resolves to NXDOMAIN.  The Gentoo box and LiveCD correctly work this out.  The hijack must, therefore, be in the Windows boxes.  If the hosts file is not corrupted, and the machine DNS servers are not corrupted then, penny to pound, you have a hijacker in the machines.   This must be operating independently of the MS browser components (the usual target) - perhaps hooked into the IP stack.

What is the IP address returned when you nslookup from the hijacked machines?  Does this address appear on the system in any file or in the registry?  Does "buydomains" appear in any file or registry entry on the machines?

Might be of use: 

http://tinyurl.com/3g5ob  (Winguides;  DNS hijack using registry entry)

http://tinyurl.com/26zyx (Google Groups)

Suggests: Download Hijack This http://www.majorgeeks.com/downloads31.html

----------

## LiquidRain

I found the mistake.

```
C:\WINNT>nslookup wfiojiogjeiojg.com
Server:  ns3nr.wp.shawcable.net
Address:  64.59.176.13

Non-authoritative answer:
Name:    wfiojiogjeiojg.com.homelan.org  <---
Address:  208.254.3.160

C:\WINNT>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : rain
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : homelan.org <----

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : homelan.org <----
        Description . . . . . . . . . . . : 3Com 3C920B-EMB Integrated Fast Ethernet Controller
        Physical Address. . . . . . . . . : 00-26-54-0E-CB-C0
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 64.59.176.13
                                            64.59.176.15
        Lease Obtained. . . . . . . . . . : Wednesday, June 16, 2004 1:31:48 AM
        Lease Expires . . . . . . . . . . : Wednesday, June 16, 2004 7:31:48 AM
```

```
thedreamrealm dhcp # cat dhcpd.conf
ddns-update-style none;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
        default-lease-time 21600;
        max-lease-time 43200;
        option subnet-mask 255.255.255.0;
        option domain-name "homelan.org";  <------
        option broadcast-address 192.168.0.255;
        option domain-name-servers 64.59.176.13,64.59.176.15;
        option routers 192.168.0.1;
        range dynamic-bootp 192.168.0.16 192.168.0.253;
}
```

There it is!  I wonder why Mac/Windows (my friend got Buy Domains off his sister's Mac) interprets this differently from Linux.  Oh well, quite frankly I'm just happy to have resolved this.  Never been so happy to see host not found errors. =)

```
C:\WINNT>nslookup wioijweoifjwoiejf.com
Server:  ns3nr.wp.shawcable.net
Address:  64.59.176.13

*** ns3nr.wp.shawcable.net can't find wioijweoifjwoiejf.com: Non-existent domain
```

----------
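The mechanism behind the final post, as an added example that is not code posted by anyone in the thread: the DHCP server handed out `option domain-name "homelan.org"`, the Windows 2000 clients installed it as a DNS suffix, and their resolver appended it to names that already contained dots, so a query for a nonexistent `something.com` was retried as `something.com.homelan.org`, which a wildcard record under `homelan.org` answered with the parking address. The script below models a stub resolver's search-list logic against a tiny in-memory zone. The suffix, the client name `rain` / `192.168.0.100`, the probe name and the address `208.254.3.160` are taken from the nslookup, ipconfig and dhcpd.conf output above; the wildcard record, the `www.gentoo.org` address and the `candidates`/`resolve` helpers are constructed for this illustration and are assumptions, not facts about the real `homelan.org` zone.

```python
"""Why a DHCP-supplied DNS suffix turns NXDOMAIN into a parking page.

Added illustration for this thread, not code posted in it.  It models a
stub resolver's search-list behaviour against a tiny in-memory zone.
The suffix (homelan.org), the client host (rain, 192.168.0.100), the
probe name and the parking address 208.254.3.160 come from the thread;
every other record and address is constructed for the example.
"""
from __future__ import annotations

# Constructed records.  Keys are fully qualified (trailing dot).  The
# wildcard '*.homelan.org.' is an assumption standing in for whatever
# parking record made <anything>.homelan.org answer with one address.
RECORDS = {
    "rain.homelan.org.": "192.168.0.100",   # the LAN host from ipconfig
    "*.homelan.org.": "208.254.3.160",      # assumed wildcard parking record
    "www.gentoo.org.": "192.0.2.10",        # constructed (documentation) address
}


def lookup(fqdn: str) -> str | None:
    """Exact match, then the nearest wildcard ancestor.

    Simplified wildcard matching (ignores RFC 4592's closest-encloser
    rule); enough to show how a parked zone answers for any label.
    """
    if fqdn in RECORDS:
        return RECORDS[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in RECORDS:
            return RECORDS[wildcard]
    return None


def candidates(name: str, search: list[str], ndots: int = 1,
               append_to_multilabel: bool = True) -> list[str]:
    """Return the FQDNs a stub resolver tries, in order.

    - A trailing dot marks the name absolute: nothing is appended.
    - With at least `ndots` dots the name is tried as-is first.
    - Search suffixes are appended to single-label names always, and to
      multi-label names only when append_to_multilabel is set, which is
      the behaviour that produced wfiojiogjeiojg.com.homelan.org above.
    - Names with fewer than `ndots` dots are tried as-is last.
    """
    if name.endswith("."):
        return [name]
    dots = name.count(".")
    tried: list[str] = []
    if dots >= ndots:
        tried.append(name + ".")
    if dots == 0 or append_to_multilabel:
        tried += [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if dots < ndots:
        tried.append(name + ".")
    return tried


def resolve(name: str, search: list[str], ndots: int = 1,
            append_to_multilabel: bool = True) -> tuple[str | None, str | None]:
    """First candidate with a record wins; (None, None) means NXDOMAIN."""
    for fqdn in candidates(name, search, ndots, append_to_multilabel):
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None, None


if __name__ == "__main__":
    probe = "wfiojiogjeiojg.com"
    print("no suffix:      ", resolve(probe, []))                  # NXDOMAIN
    print("homelan.org:    ", resolve(probe, ["homelan.org"]))     # parked
    print("trailing dot:   ", resolve(probe + ".", ["homelan.org"]))
    print("no multi-label: ", resolve(probe, ["homelan.org"], append_to_multilabel=False))
    print("single label:   ", resolve("rain", ["homelan.org"]))     # the suffix's legitimate job
    print("real site:      ", resolve("www.gentoo.org", ["homelan.org"]))
```

Two practical checks follow from this. On a suspect client, query the name with a trailing dot (`nslookup wfiojiogjeiojg.com.`): the dot makes the name absolute, so if that form returns NXDOMAIN while the bare name resolves, suffix appending is what is rewriting the query. On the DHCP side, only hand out a `domain-name` you actually control (or none), since whoever holds that domain, and any wildcard they publish, gets to answer every mistyped or nonexistent name your clients look up.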

