Website access on Plusnet - can someone do a quick test please

jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Website access on Plusnet - can someone do a quick test please

Something is happening. Your name servers have been changed to:
       ns.123-reg.co.uk
       ns.hosteurope.com
       ns2.123-reg.co.uk
       ns2.hosteurope.com
None of these seem to be giving answers for the domain at the moment so you will have totally disappeared off the internet (once any cached entries have expired).
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
rhino666
Dabbler
Posts: 11
Registered: ‎03-12-2008

Re: Website access on Plusnet - can someone do a quick test please

Quote from: jelv
Something is happening. Your name servers have been changed to:
        ns.123-reg.co.uk
        ns.hosteurope.com
        ns2.123-reg.co.uk
        ns2.hosteurope.com

Sorry Jelv - that was me, thinking that it may have been the problem as some of the websites are connected to 123-reg servers and some aren't.  This is a red herring though as both are affected.  It is the ncrac.com IP address 'A' record that appears to be the problem.  Just got to find where and how as no sign on the 123.reg management 😞 
bobpullen
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Website access on Plusnet - can someone do a quick test please

Quote from: rhino666
Thanks Jelv and Bob
I have been onto 123.reg who look after the nameserver management side of the websites I run.  The 'Cname' and 'A' records look as expected and there is no 'A' record with that ncrac.com IP address.

That's not what it looks like to me, whether I query the 123-reg authoritative servers *or* the hosteurope ones?
dig www.itdoctors.co.uk @ns.123-reg.co.uk
; <<>> DiG 9.3.4-P1.2 <<>> www.itdoctors.co.uk @ns.123-reg.co.uk
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5409
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.itdoctors.co.uk.          IN      A
;; ANSWER SECTION:
www.itdoctors.co.uk.    86400  IN      CNAME  clients.bilstone.co.uk.
www.itdoctors.co.uk.    86400  IN      A      83.142.229.122

Perhaps you could point 123-reg to this forum thread (it's viewable to anybody)?

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

WWWombat
Grafter
Posts: 1,412
Thanks: 4
Registered: ‎29-01-2009

Re: Website access on Plusnet - can someone do a quick test please

I get the same result as Bob, using the same "dig" command here.
I'd just like to point out that you can give the "+trace" option to dig, which forces it to recurse through the authoritative servers starting at the root (or, where there is a choice, picking one of the authoritative servers). It helps save you manually following the chain of nameservers...
[root@amnesia ~]# dig www.itdoctors.co.uk +trace
; <<>> DiG 9.8.0-P4-RedHat-9.8.0-9.P4.fc15 <<>> www.itdoctors.co.uk +trace
;; global options: +cmd
.                      40755  IN      NS      e.root-servers.net.
.                      40755  IN      NS      j.root-servers.net.
.                      40755  IN      NS      h.root-servers.net.
.                      40755  IN      NS      b.root-servers.net.
.                      40755  IN      NS      i.root-servers.net.
.                      40755  IN      NS      d.root-servers.net.
.                      40755  IN      NS      g.root-servers.net.
.                      40755  IN      NS      k.root-servers.net.
.                      40755  IN      NS      a.root-servers.net.
.                      40755  IN      NS      c.root-servers.net.
.                      40755  IN      NS      l.root-servers.net.
.                      40755  IN      NS      f.root-servers.net.
.                      40755  IN      NS      m.root-servers.net.
;; Received 512 bytes from 192.168.0.10#53(192.168.0.10) in 70 ms
uk.                    172800  IN      NS      ns1.nic.uk.
uk.                    172800  IN      NS      ns2.nic.uk.
uk.                    172800  IN      NS      ns3.nic.uk.
uk.                    172800  IN      NS      ns4.nic.uk.
uk.                    172800  IN      NS      ns5.nic.uk.
uk.                    172800  IN      NS      ns6.nic.uk.
uk.                    172800  IN      NS      ns7.nic.uk.
uk.                    172800  IN      NS      nsa.nic.uk.
uk.                    172800  IN      NS      nsb.nic.uk.
uk.                    172800  IN      NS      nsc.nic.uk.
uk.                    172800  IN      NS      nsd.nic.uk.
;; Received 499 bytes from 198.41.0.4#53(198.41.0.4) in 168 ms
itdoctors.co.uk.        172800  IN      NS      ns2.123-reg.co.uk.
itdoctors.co.uk.        172800  IN      NS      ns.123-reg.co.uk.
;; Received 80 bytes from 195.66.240.130#53(195.66.240.130) in 48 ms
www.itdoctors.co.uk.    86400  IN      CNAME  clients.bilstone.co.uk.
www.itdoctors.co.uk.    86400  IN      A      83.142.229.122
;; Received 84 bytes from 92.51.159.40#53(92.51.159.40) in 32 ms

In this case, the last set of results came from 92.51.159.40 (ns.123-reg.co.uk).
Issuing the same command again does sometimes result in getting an answer from 212.67.202.2 (ns2.123-reg.co.uk), with the same result.
Plusnet Customer
Using FTTC since 2011. Currently on 80/20 Unlimited Fibre Extra.
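
Added example, not part of any post in this thread: a small shell check over dig answer records that flags the two things visible in the output quoted above, a name that carries a CNAME together with another record type (which the DNS standards do not allow) and an A record whose address is not on the owner's list of expected addresses. The function name `audit_answer` and the allowlisted address 192.0.2.10 are placeholders chosen for illustration; the sample input is reconstructed from the ANSWER section shown in the thread.

```shell
#!/bin/sh
# Constructed sample: the ANSWER section quoted in the thread, in the form
# that `dig +noall +answer` prints (one record per line).
SAMPLE_ANSWER='www.itdoctors.co.uk. 86400 IN CNAME clients.bilstone.co.uk.
www.itdoctors.co.uk. 86400 IN A 83.142.229.122'

# audit_answer "IP1 IP2 ..."   (answer records on stdin)
# Prints one finding per line, sorted:
#   CNAME_CONFLICT <name>       owner name has a CNAME plus another record type
#   UNEXPECTED_A <name> <ip>    A record address is not in the allowlist
audit_answer() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $0 ~ /^;/ || NF == 0 { next }        # skip dig comment and blank lines
    NF >= 5 && $3 == "IN" {
        name = tolower($1)               # DNS names are case-insensitive
        if ($4 == "CNAME") cname[name] = 1
        else               other[name] = 1
        if ($4 == "A" && !($5 in ok)) bad[name " " $5] = 1
    }
    END {
        for (k in cname) if (k in other) print "CNAME_CONFLICT " k
        for (k in bad) print "UNEXPECTED_A " k
    }' | sort
}

# Offline run against the sample. 192.0.2.10 is a placeholder for the address
# the site owner actually expects. Against a live authoritative server:
#   dig +noall +answer +norecurse www.itdoctors.co.uk @ns.123-reg.co.uk \
#       | audit_answer "192.0.2.10"
printf '%s\n' "$SAMPLE_ANSWER" | audit_answer "192.0.2.10"
```

Running the same check against each authoritative server in turn also shows whether the servers disagree with one another.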
rhino666
Dabbler
Posts: 11
Registered: ‎03-12-2008

Re: Website access on Plusnet - can someone do a quick test please

Good morning and it is good at the moment because I am hoping that the cause of my very frustrating problem has finally been found.
Some of my older websites still had a reference to the old servers, updated when we moved to new over two years ago.  I think 123-reg looks to the servers first so guessing that ncrac.com is a hosteurope client and their space has moved into where ours used to be.  I cannot check this as my Nominet WHOIS only covers UK stuff from the look of it.
I have updated all the servers, which is a pain on 123-reg as all the records then have to be re-added. All seems fine at the moment, even when tested through Plusnet's servers where the problems occurred. Jelv really identified this at an early stage of this thread but believe me it was as clear as mud at this stage and the sequence of events made me think that someone had definitely hacked my DNS somewhere. I checked on Google and by coincidence a number of important websites have had similar DNS attacks recently.
Thank you all for your help - it is a huge relief to have resolved this problem.