Have I been hacked or something else…

Since this afternoon, none of the domains I host on the Microsoft Windows hosting server at 1and1.com could be reached. I called tech support and was told that the A records of all my domain names had been pointed to an external IP address (82.165.204.153). Even though I swore to the support representative that I had not changed anything in my DNS setup, she insisted that only the owner of the account (that is, me) could make such changes. I asked whether they could check their logs to see who made the changes and when, but I could not get a satisfactory answer from her. Anyhow, the important thing at that moment was to get all my domains back, so I had to manually change every A record back to my hosting server's IP address. I was glad I host fewer than 20 domains on this Microsoft platform; imagine if I had to do the same for my Unix hosting domains (Shhhhh).

Here is the DNS setup screen before I changed the records back to my original IP. You can see that the A record had somehow been changed to 82.165.204.153.

[Screenshot: 1and1 DNS settings page showing the A record pointed at 82.165.204.153]

I was really not sure whether this was a hack or a failure on my hosting provider's side. To find out, I ran a traceroute to the IP address above; here is what I got.

D:\>tracert 82.165.204.153

Tracing route to 82.165.204.153 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  home [192.168.2.1]
  2    13 ms    12 ms     *     65.14.248.18
  3    14 ms    14 ms    14 ms  65.14.249.253
  4     *       14 ms    14 ms  205.152.99.98
  5    13 ms    15 ms    14 ms  65.83.238.76
  6    14 ms    14 ms    13 ms  65.83.238.202
  7    16 ms    16 ms    15 ms  tbr1.attga.ip.att.net [12.122.117.14]
  8    15 ms    14 ms    14 ms  ggr3.attga.ip.att.net [12.122.96.9]
  9    16 ms    15 ms    15 ms  192.205.34.62
 10    15 ms    15 ms    16 ms  ae-72-52.ebr2.Atlanta2.Level3.net [4.68.103.61]
 11    14 ms    16 ms    17 ms  ae-63-60.ebr3.Atlanta2.Level3.net [4.69.138.4]
 12    31 ms    33 ms    35 ms  ae-2.ebr1.Washington1.Level3.net [4.69.132.86]
 13    43 ms    35 ms    35 ms  ae-61-61.csw1.Washington1.Level3.net [4.69.134.130]
 14    32 ms    33 ms    35 ms  ae-63-63.ebr3.Washington1.Level3.net [4.69.134.161]
 15    36 ms    38 ms    37 ms  ae-3.ebr3.NewYork1.Level3.net [4.69.132.90]
 16    37 ms    37 ms    37 ms  ae-73-73.csw2.NewYork1.Level3.net [4.69.134.102]
 17    36 ms    37 ms    36 ms  ae-23-79.car3.NewYork1.Level3.net [4.68.16.69]
 18    36 ms    38 ms    37 ms  level3-up.nyc.schlund.net [4.78.164.2]
 19    37 ms    37 ms    38 ms  ge-3-2-0-0.bb-a.tla.nyc.us.oneandone.net [217.160.229.65]
 20    63 ms    61 ms    60 ms  so-1-0-0-0.bb-a.cr.chi.us.oneandone.net [74.208.1.32]
 21    62 ms    62 ms    62 ms  so-1-0-0-0.bb-c.ws.mkc.us.oneandone.net [74.208.1.93]
 22    61 ms    60 ms    61 ms  ge-2-5.bb-a.ws.mkc.us.oneandone.net [74.208.1.45]
 23    59 ms    61 ms    61 ms  te-1-2.bb-a.ga.mkc.us.oneandone.net [74.208.1.73]
 24    62 ms    61 ms    62 ms  te-1-1.bb-a.slr.lxa.us.oneandone.net [74.208.1.65]
 25    61 ms    61 ms    60 ms  te-1-2.gw-dists-r5-a.slr.lxa.oneandone.net [74.208.1.115]
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

D:\>

From the trace above, the last responding hops were oneandone.net servers, which is the network of my hosting company, 1and1 (oneandone). A whois lookup shows the IP belongs to a RIPE allocation (http://who.is/whois-ip/ip-address/82.165.204.153/), but another whois record indicates that this IP is part of 1and1's shared hosting servers (http://whois.domaintools.com/deposit-account.com).

Any explanations, my hosting provider company?

One of the domains that came bundled with my hosting account had its A record changed as well, and that one I could not change back from the admin control panel at all. This confirms that the A record changes were not made through the control panel. To be cautious, I changed my hosting control panel login password anyway, and I hope nothing like this happens to me again.
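The practical lesson from the incident above is that nobody noticed the A records had moved until the sites went dark. The following script is an added example, not part of the original post or anything 1and1 provides: it compares the A records a resolver returns for a list of domains with the addresses each domain is supposed to have, reports every domain that has drifted, and flags the specific pattern seen here (every drifted domain pointing at one and the same unexpected address). The domain names and the 203.0.113.x hosting addresses are constructed placeholders; `constructed_resolver` feeds in a snapshot mimicking the incident so the script runs offline, and `live_resolver` (standard library `socket.gethostbyname_ex`) is the drop-in replacement for a real check.

```python
"""Detect unauthorized changes to the A records of a set of domains.

Added example, not code from the original post. Compares the A records a
resolver returns with the addresses each domain is expected to have and
reports any drift, which is exactly what went unnoticed in the incident
described above.
"""
import socket
from typing import Callable, Dict, List

# Expected A records per domain. Domain names and the 203.0.113.x hosting
# addresses are constructed placeholders, not the author's real servers.
EXPECTED: Dict[str, List[str]] = {
    "example-shop.test": ["203.0.113.10"],
    "example-blog.test": ["203.0.113.10"],
    "example-mail.test": ["203.0.113.20"],
}

Resolver = Callable[[str], List[str]]


def live_resolver(domain: str) -> List[str]:
    """Query the system resolver for the domain's A records (standard library only)."""
    _, _, addresses = socket.gethostbyname_ex(domain)
    return sorted(addresses)


def check_records(expected: Dict[str, List[str]], resolve: Resolver) -> Dict[str, dict]:
    """Return {domain: {"expected": [...], "actual": [...]}} for every drifted domain.

    A lookup failure is reported with actual == [] so that an outage (records
    deleted, or the zone unreachable) shows up alongside a repointed record.
    """
    drift: Dict[str, dict] = {}
    for domain, want in expected.items():
        try:
            got = resolve(domain)
        except OSError:
            got = []
        if sorted(got) != sorted(want):
            drift[domain] = {"expected": sorted(want), "actual": sorted(got)}
    return drift


def hijack_indicator(drift: Dict[str, dict]):
    """Return the single address all drifted domains now share, or None.

    Every record moved to one unexpected IP (the pattern in the post) is a
    much stronger signal of a mass change, hostile or accidental, than a few
    scattered differences caused by ordinary edits.
    """
    if not drift:
        return None
    actuals = {tuple(info["actual"]) for info in drift.values()}
    if len(actuals) == 1:
        addrs = next(iter(actuals))
        if len(addrs) == 1:
            return addrs[0]
    return None


# Constructed snapshot of what the resolver returned during the incident:
# every domain answers with the same foreign address from the post.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "example-shop.test": ["82.165.204.153"],
    "example-blog.test": ["82.165.204.153"],
    "example-mail.test": ["82.165.204.153"],
}


def constructed_resolver(domain: str) -> List[str]:
    """Offline stand-in for live_resolver, returning the constructed snapshot."""
    return CONSTRUCTED_ANSWERS[domain]


if __name__ == "__main__":
    # Swap constructed_resolver for live_resolver to check real domains.
    drift = check_records(EXPECTED, constructed_resolver)
    for domain, info in drift.items():
        print(f"{domain}: expected {info['expected']}, got {info['actual']}")
    shared = hijack_indicator(drift)
    if shared:
        print(f"all {len(drift)} drifted domains now point to {shared}; "
              f"check the registrar/host DNS change log before editing records")
```

Run on a schedule (a cron job or Windows scheduled task) against the real domain list with `live_resolver`, the drift report gives a timestamp for when records changed, which is precisely what the support call above could not produce. Querying the zone's authoritative nameservers directly, rather than the system resolver, avoids stale cached answers, but that needs a DNS library beyond the standard library and is left out here.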
