How my website was hacked

Started by sutherland, Nov 23, 2022, 03:07 AM


sutherland (Topic starter)

2 months ago, I registered a domain on one of the registrar sites and immediately delegated the domain's DNS to the nameservers of one of the hosting companies (well, as usual).
BUT! After delegating, I did not bind the domain to my account on this hosting. I was waiting for the right moment. So, after 3 months, I went to this domain and, instead of the expected error about a non-existent page, I saw someone else's website working. What the fuck was I thinking? My first theory of what was happening was that most likely someone on the hosting had tied the domain to their account faster than me.

To check this, I went to the web hosting to link the domain and was surprised when I was able to do it: I linked the domain without any problems, although I expected an error like "The domain is already linked to another account". Dammit, I thought. My second theory was that the unscrupulous hosting uses domains delegated to it, but not linked to accounts, for its own needs until the domain is linked to an account. Soon there was a conversation with the hosting support service.
The operator on the line at first could not explain the reason for what was happening, but later offered the following assumption (operator's response):
"It looks like a doorway; sometimes these comrades register with us with domains that point to us at the DNS level (visible in the public whois), but they do not have full support yet."


Most hosting providers have automatic DNS zone configuration (resource records). For a domain to be linked to the hosting, you need to:
1. Specify the hosting's nameservers for the domain.
2. Link the domain in the hosting panel. After the domain is bound in the hosting, a zone file with the records from the control panel is automatically created on the hosting's DNS.

If you do not complete the second step, the guys (scammers, bad people, who knows who else) will "help" and link your domain to their own hosting account.
Here the domain name owner should be careful: if he specifies nameservers, it is better not to specify the hosting's DNS, where the zone is created automatically, but a free one, for example Yandex DNS, the registrar's DNS, or a third-party service where there is no automatic zone creation.

I'll tell you honestly, there are quite a lot of guys (scammers, bad people) who use other people's domains in this way. And they probably have bots or checkers constantly scouring for domain names that have nameservers set but no zone.
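An added example (mine, not code from anyone in this thread) of the check the post above describes: a stdlib-only probe that asks one nameserver for the SOA of a domain and classifies the delegation. AUTHORITATIVE means the server already serves a zone for the name; LAME (REFUSED, SERVFAIL, or a non-authoritative answer) means the domain is delegated there but no zone is provisioned yet, which is exactly the window a squatter uses. The nameserver and domain used in the usage line are placeholders, and the hex responses in the comments are constructed for illustration.

```python
"""Probe a delegated nameserver for a zone and classify the delegation (RFC 1035 wire format)."""
import secrets
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_soa_query(domain, txid=None):
    """Build a minimal DNS query for the SOA record of `domain`."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # random transaction id, as a real resolver would use
    # header: id, flags (only RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_SOA, QCLASS_IN)


def parse_header(resp):
    """Extract the fields we need from the 12-byte DNS response header."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = this is a response
        "aa": (flags >> 10) & 1,   # authoritative answer bit
        "rcode": flags & 0xF,
        "ancount": an,
        "nscount": ns,
    }


def classify_delegation(hdr):
    """
    AUTHORITATIVE: the server answered the apex SOA with AA set, i.e. a zone exists there
                   (if you have not linked the domain yourself, someone else has).
    LAME:          the server is listed as NS but serves no zone for the name
                   (REFUSED/SERVFAIL, or an answer without AA); the takeover window is open.
    """
    rc = hdr["rcode"]
    if rc in (2, 5):                                   # SERVFAIL or REFUSED
        return "LAME"
    if rc == 0 and hdr["aa"] == 1 and hdr["ancount"] > 0:
        return "AUTHORITATIVE"
    if rc == 0 and hdr["aa"] == 0:                     # server recursed or forwarded instead
        return "LAME"
    return "UNEXPECTED:" + RCODE_NAMES.get(rc, str(rc))


def probe(ns_host, domain, timeout=3.0):
    """Send the SOA query over UDP to one nameserver and classify its reply."""
    query = build_soa_query(domain)
    txid = struct.unpack(">H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_host, 53))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid or hdr["qr"] != 1:
        raise ValueError("reply does not match our query")
    return classify_delegation(hdr)


if __name__ == "__main__":
    import sys
    # usage: python probe.py example.com ns1.hosting.example   (placeholder names)
    dom, ns = sys.argv[1], sys.argv[2]
    print(f"{dom} @ {ns}: {probe(ns, dom)}")
```

Run it against each nameserver you delegated to, right after changing NS at the registrar and again before you consider the domain "done". LAME on your hosting's nameservers is the state this thread is about; link the domain in the panel immediately or point NS somewhere that does not auto-create zones for whoever asks first.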


I was in a similar situation too. A website whose domain I delegated to a hosting company was hacked. I had to figure it out through technical support. They helped me.


It is necessary to find out exactly how the hacking occurred. To do this, you need to collect all the information for analyzing the attacker's actions. Contact Former technical support. Request the access_log and error_log for the entire period of the site's operation, as well as the FTP server log. Describe the situation, listing all the changes on the site: spam, disabled antivirus programs, and any other changes you found.
It is desirable to have the date and time fixed, or at least the moment the hack itself was detected. If there is no such information, you can specify when you noticed the hack. Also, before contacting technical support, it is advisable to do the following:

Scan all working computers that connect to the site with an antivirus.
Change all existing passwords associated with the site: the admin panel, the hosting account and FTP.
If the site has been taken down, restore it from a backup copy.
If unwanted content has been placed on your site, temporarily take the website offline.

Recommendations after the site has been hacked:
After the site is restored, it is advisable to strengthen protection and install updates for plugins and modules from the developer's site. You can also ask for help from Former specialists. We advise you to monitor the actions of everyone who has access to the site and hosting, for each account and password you created.
Keep track of account access rights: if you previously gave a developer access, you should delete that account or restrict its access rights.
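An added example (mine, not code from this thread's participants) of the log work the reply above asks for: once the host hands over access_log, run a triage pass to pin down the date and time of the hack. The script parses combined-format lines, flags script execution outside the site's known set and any script under an upload directory, then pivots on the flagged client IPs to find their earliest request, which usually predates the first visible web-shell hit. The log lines and the allowlist of known scripts are constructed for this example.

```python
"""Triage an Apache/nginx combined-format access_log for the first sign of a web shell."""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SCRIPT_EXT = (".php", ".php5", ".phtml", ".phar")

# Constructed sample log; 198.51.100.23 plants cache.php via admin-ajax and then uses it.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2022:02:11:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2022:02:11:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Nov/2022:23:40:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "python-requests/2.28"',
    '198.51.100.23 - - [21/Nov/2022:23:40:15 +0000] "GET /wp-content/uploads/2022/11/cache.php?cmd=id HTTP/1.1" 200 187 "-" "python-requests/2.28"',
    '198.51.100.23 - - [21/Nov/2022:23:40:16 +0000] "POST /wp-content/uploads/2022/11/cache.php HTTP/1.1" 200 310 "-" "python-requests/2.28"',
    '203.0.113.7 - - [22/Nov/2022:08:02:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Scripts the site legitimately exposes (constructed allowlist; build yours from the real tree).
KNOWN_SCRIPTS = {"/index.php", "/wp-login.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev.pop("target").split("?", 1)[0].lower()   # drop the query string
    return ev


def why_suspicious(ev, known_scripts):
    """Return a reason string if the request looks like web-shell activity, else None."""
    p = ev["path"]
    if p.endswith(SCRIPT_EXT) and "/uploads/" in p:
        return "script under an upload directory"
    if p.endswith(SCRIPT_EXT) and ev["status"] == 200 and p not in known_scripts:
        return "executed script not in the known set"
    return None


def triage(lines, known_scripts):
    """Flag suspicious requests, then pivot on the offending IPs to bound the compromise window."""
    events = [e for e in map(parse_line, lines) if e]
    hits = []
    for ev in events:
        reason = why_suspicious(ev, known_scripts)
        if reason:
            hits.append((ev["time"], ev["ip"], ev["method"], ev["path"], reason))
    hits.sort()
    attacker_ips = Counter(h[1] for h in hits)
    pivot = [e["time"] for e in events if e["ip"] in attacker_ips]
    return {
        "first_seen": hits[0][0] if hits else None,               # first visible shell hit
        "earliest_from_attacker": min(pivot) if pivot else None,  # likely the upload/exploit
        "attacker_ips": attacker_ips,
        "hits": hits,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, KNOWN_SCRIPTS)
    print("first suspicious request:", result["first_seen"])
    print("earliest request from attacker IPs:", result["earliest_from_attacker"])
    for hit in result["hits"]:
        print(" ", *hit)
```

Use `earliest_from_attacker` as the lower bound of the window you give support and the date you choose a backup from; anything restored from after that point may carry the shell. On a real log, feed `open(path)` to `triage` and extend `KNOWN_SCRIPTS` from a clean copy of the site, not from the compromised one.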