dyndns hacked?

Dr.R. Clavan
Posts: 12
Joined: Wed May 25, 2011 9:27 pm

dyndns hacked?

Post by Dr.R. Clavan »

Hi,

Running Gargoyle 1.8.1 on TP-Link TL-WR1043N/ND v1.

I have my own domain "somedomain.com" with namecheap.com, hosting I do myself on my own server, so DNS record at namecheap (a hosting provider) for "somedomain.com" should be my home IP address. I use the Dynamic DNS feature of Gargoyle to update namecheap's DNS record in case my ISP assigns me another IP address. I have set the Dynamic DNS Service to check every 5 minutes and the force update interval is 1 day.

Whenever I check what my IP address is (eg whatsmyip.org) I get the same answer, my IP address is quasi static (it's technically dynamic but has been the same for as long as I can remember).

Lately I have noticed that often when I (try to) visit my personal website (that I host myself) it won't show it. When I then check the DNS entry for somedomain.com it is NO longer my home IP address but ALWAYS some IP address that belongs to Amazon Australia (I live in New Zealand myself).

If I then do a 'Force Update' in Gargoyle it will soon be back to normal.

What I would like to know is WHAT is updating namecheap's DNS records!?

I have asked my ISP if it could be the case that every now and then I - for whatever reason - get assigned a different IP address. They have assured me that that is NOT the case and they certainly wouldn't be able to assign me an address that belongs to Amazon Australia.

I have asked namecheap if they could see WHO was causing the updates to their DNS records. They couldn't tell. They could see the records were indeed updated to the Amazon Australia IP address and then reverted back to my actual IP address. I have then changed the password that you need to update the Dynamic DNS record and changed it accordingly in Gargoyle. But again the DNS entry for somedomain.com would suddenly be replaced with some Amazon Australia IP address and then with my actual address again.

So I am beginning to think that MAYBE Gargoyle is for some reason sending false updates to namecheap with an Amazon Australia IP address. But that too strikes me as very odd!

I now wrote a little program (I am a software developer) that compares my IP address every minute to the DNS entry for somedomain.com, and will bark if they are not equal. I have been running it for the last half an hour and have already noticed 1 occurrence where my IP address (that stayed the same) did NOT match the DNS entry anymore; this lasted for 3 minutes, then they were equal again.

Is there ANY way that I can get Gargoyle to log its Dynamic DNS activity so I can see if it's indeed Gargoyle sending false updates (not even triggered by an actual change in IP address)?

Again, the ONLY device knowing my Dynamic DNS password that I changed just a few days ago is my router running Gargoyle. So it has to be either Gargoyle or namecheap is falsely updating their own records before Gargoyle corrects them.

Any advice or tips are very welcome. It's very annoying if I am at work with an open FTP connection to somedomain.com and that suddenly crashes because somedomain.com suddenly no longer points to my home server but to Amazon.

Thanks!

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: dyndns hacked?

Post by RomanHK »

Temporary Solution is here: viewtopic.php?f=6&t=12011#p53270

Looks like somebody hacked https://checkmyip.com/ and when someone uses DDNS, it directs them to a fraudulent site.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

Dr.R. Clavan
Posts: 12
Joined: Wed May 25, 2011 9:27 pm

Re: dyndns hacked?

Post by Dr.R. Clavan »

Thanks for that Roman. Can you confirm that Gargoyle uses checkmyip.com and that that is the reason Gargoyle thinks it needs to update the DNS record with a (false) IP address?

If I do the 0.0.0.0 checkmyip.com workaround, will the router have a backup service to check the IP with?

Thanks!

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: dyndns hacked?

Post by RomanHK »

Yes, at least four other detectors are used. Read the entire thread. There is a log of the addresses used and @Lantis's promise that if it takes a long time, the domain will be removed and will no longer appear in other builds.

Dr.R. Clavan
Posts: 12
Joined: Wed May 25, 2011 9:27 pm

Re: dyndns hacked?

Post by Dr.R. Clavan »

Ah, that explains everything! Every time Gargoyle checked its IP address and randomly chose to use checkmyip.com it got the false IP address and updated the DNS records, the next check could have used another detector and correct itself again.

I could not understand the random behaviour of when my site was unreachable, but it's all clear now. Adding the 0.0.0.0 line proved challenging as I had to install PuTTY and was trying username admin instead of root. Then I had to remember how to use vi and add lines etc. Got there eventually.

Thanks for your help and may the force be against those who hacked checkmyip.com.
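The failure mode worked out above (one of several IP detectors returns a wrong address and the DDNS client blindly publishes it) and the follow-up problem with the hosts-file workaround (the detector now "answers" 0.0.0.0 or 127.0.0.1, which also gets published) are both avoidable if the client validates detector answers before touching the record. The script below is an added example, not Gargoyle's ddns code and not the original poster's monitoring program: it takes a batch of detector responses, rejects anything that is not a globally routable unicast address, requires a quorum of agreeing detectors, and only then decides whether the DNS record needs an update. Detector names, the "home" and "rogue" addresses and all response bodies are constructed sample data.

```python
"""Guard a DDNS update against a lying "what is my IP" detector.

Added example, not Gargoyle's ddns code. It models the situation in the
thread: several IP detectors are queried, one of them returns a bogus
address (or, after the hosts-file workaround, 0.0.0.0 / 127.0.0.1), and the
DDNS client must decide whether the published A record should change.
All detector names and response bodies are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ip(body):
    """Return the first IPv4 literal found in a detector's response body, or None."""
    m = IPV4_RE.search(body)
    return m.group(1) if m else None


def is_usable_public_ip(ip):
    """True only for a globally routable IPv4 unicast address.

    This is the check the hosts-file workaround needs: 0.0.0.0, 127.0.0.1 and
    255.255.255.255 are rejected, as are RFC 1918, CGNAT (100.64/10) and the
    documentation ranges. ipaddress.is_global already covers those; multicast
    is excluded separately because older Pythons report it as global."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and addr.is_global and not addr.is_multicast


def consensus_ip(results, quorum=2):
    """results: list of (detector_name, response_body) pairs.

    Returns a dict with the agreed IP (None if no trustworthy answer), the vote
    count behind it, detectors rejected outright (no address or an unusable
    one), and detectors that gave a valid-looking but disagreeing address,
    which is the signature of a hijacked or broken detector."""
    votes = Counter()
    answers = {}
    rejected = {}
    for name, body in results:
        ip = extract_ip(body)
        if ip is None:
            rejected[name] = "no IPv4 literal in response"
        elif not is_usable_public_ip(ip):
            rejected[name] = f"{ip} is not a routable public address"
        else:
            answers[name] = ip
            votes[ip] += 1
    if not votes:
        return {"ip": None, "votes": 0, "rejected": rejected, "dissent": {}}
    ip, count = votes.most_common(1)[0]
    dissent = {n: a for n, a in answers.items() if a != ip}
    if count < quorum or count <= len(dissent):
        # No clear majority: refuse to guess rather than publish a wrong record.
        return {"ip": None, "votes": count, "rejected": rejected, "dissent": dissent}
    return {"ip": ip, "votes": count, "rejected": rejected, "dissent": dissent}


def ddns_decision(dns_ip, results, quorum=2):
    """Return ('update' | 'noop' | 'hold', verdict) for the current DNS A record."""
    verdict = consensus_ip(results, quorum)
    if verdict["ip"] is None:
        return "hold", verdict        # leave the record alone until detectors agree
    if verdict["ip"] == dns_ip:
        return "noop", verdict
    return "update", verdict


# Constructed sample data; the addresses are made up and stand in for the
# home IP and for the unexpected address seen in the thread.
HOME_IP = "11.22.33.44"
ROGUE_IP = "23.45.67.89"
NORMAL = [("detector-a", f"Your IP is {HOME_IP}\n"),
          ("detector-b", HOME_IP + "\n"),
          ("detector-c", f"<html><body>{HOME_IP}</body></html>"),
          ("checkmyip.com", f"<html><body>{ROGUE_IP}</body></html>")]
HOSTS_BLOCKED = [("detector-a", HOME_IP), ("detector-b", HOME_IP),
                 ("checkmyip.com", "127.0.0.1"), ("detector-d", "0.0.0.0")]
ONLY_ROGUE = [("detector-a", ""), ("detector-b", "503 Service Unavailable"),
              ("checkmyip.com", ROGUE_IP)]

if __name__ == "__main__":
    for label, batch in (("normal", NORMAL), ("hosts-blocked", HOSTS_BLOCKED),
                         ("only-rogue", ONLY_ROGUE)):
        action, v = ddns_decision(HOME_IP, batch)
        print(f"{label:13} -> {action:6} ip={v['ip']} "
              f"rejected={sorted(v['rejected'])} dissent={v['dissent']}")
```

With the "normal" batch the rogue detector is outvoted and reported under dissent, so the record is left alone; with the hosts-file batch the 127.0.0.1 and 0.0.0.0 answers are rejected before they can be published; and when only the rogue detector answers at all, the client holds rather than trusting a single source. A real client would fetch the bodies over HTTPS (the thread's detectors) and read `dns_ip` from an actual lookup of the hostname; the decision logic is the same.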

Dr.R. Clavan
Posts: 12
Joined: Wed May 25, 2011 9:27 pm

Re: dyndns hacked?

Post by Dr.R. Clavan »

I have added

0.0.0.0 checkmyip.com

to the hosts file as suggested, and rebooted the router but now the DNS entry gets updated (when it randomly selects checkmyip.com) to 127.0.0.1. So that still causes my services to halt.

Any idea to fix this?

boldga
Posts: 22
Joined: Sat Sep 18, 2010 10:05 am

Re: dyndns hacked?

Post by boldga »

I have added 0.0.0.0 checkmyip.com to the hosts file and rebooted.
It doesn't work.

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: dyndns hacked?

Post by RomanHK »

Dr.R. Clavan wrote:I have added

0.0.0.0 checkmyip.com

to the hosts file as suggested, and rebooted the router but now the DNS entry gets updated (when it randomly selects checkmyip.com) to 127.0.0.1. So that still causes my services to halt.

Any idea to fix this?
Yes, the DNS name will destroy it (not 127.0.0.1 but 0.0.0.0) and therefore the pages will not be available - it's a temporary solution to make the DDNS plugin work and I don't know a better one.

EDIT1: in other words:
It works just as if checkmyip.com is performing server maintenance and the server is temporarily down.

P.S. I have already modified the post for the less experienced through the GUI.

EDIT2:
I'm sorry, I tried to ping the router and I really got a positive answer, so fix #2 (viewtopic.php?f=6&t=12011&p=53270#p53270).
Last edited by RomanHK on Fri May 24, 2019 5:38 am, edited 2 times in total.

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: dyndns hacked?

Post by RomanHK »

boldga wrote:i have added 0.0.0.0 checkmyip.com to the hosts and rebooted.
it doesn't work.
It must work; try this command:

ping checkmyip.com

A negative answer should come.

EDIT:
I'm sorry, I tried to ping the router and I really got a positive answer, so fix #2 (viewtopic.php?f=6&t=12011&p=53270#p53270).
Router Output:

root@Gargoyle:~# ping -c4 checkmyip.com
PING checkmyip.com (255.255.255.255): 56 data bytes

--- checkmyip.com ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@Gargoyle:~#

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: dyndns hacked?

Post by RomanHK »

Guys, I'm just human, so sorry for any trouble :oops: - post edited: viewtopic.php?f=6&t=12011#p53270
