Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-17 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], william(
at)elan.net writes:


On Sun, 16 Jan 2005, Joe Maimon wrote:

 Thus justifying those who load their NS and corresponding NS's A records 
 with nice long TTL

Although this wasn't a problem in this case (the hijacker did not appear to 
have been interested in controlling DNS, since it points to a default domain
registration and under-construction page), the long TTL trick could be 
used by hijackers - i.e. he gets some very popular domain, changes DNS to 
the one he controls and purposely sets a long TTL. Now even if registrars 
are able to act quickly and change the registration back, those who cached the new
DNS data would keep it for quite a long time in their cache.


Many versions of bind have a parameter that caps TTLs to some rational 
maximum value -- by default in bind9, 3 hours.  Unfortunately, the 
documentation suggests that the purpose of the max-ncache-ttl parameter 
is to let you increase the cap, in order to improve performance and 
decrease network traffic.  

The suggestion that someone made the other day -- that the TTL on zones 
be ramped up gradually by the registries after creation or transfer -- 
is, I think, a good one.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: [registrars] Re: panix.com hijacked

2005-01-17 Thread Joe Abley

On 17 Jan 2005, at 13:08, Steven M. Bellovin wrote:
The suggestion that someone made the other day -- that the TTL on zones
be ramped up gradually by the registries after creation or transfer --
is, I think, a good one.
Records in the control of the registry are the NS records in the parent 
zone (the com zone in this case). Those are non-authoritative and are 
going to get replaced in caches with data from the authority servers 
for the delegated zones (ns[12].access.net, in this case), once those 
servers are reached.

So the TTLs of records in the registry-operated zones will likely have 
no impact on how long NS records for delegated zones remain in caches.

If panix (or anybody else) wants to increase the time that their NS 
records stay in caches, the way to do it is to increase the TTLs on the 
authoritative NS records in their own zones. For panix.com, these 
appear to be set to 72 hours (the non-authoritative NS records for 
PANIX.COM in the COM zone have 48-hour TTLs).

I will now sit back and wait for Mark Andrews to appear and flame me to 
death for my inadequate understanding of the DNS. This is, of course, a 
subtle ploy to help reduce my Ontario winter heating costs, and to 
avoid having to spend the rest of the afternoon chipping ice off the 
driveway with a shovel.

Joe


Re: [registrars] Re: panix.com hijacked

2005-01-17 Thread Edward Lewis
At 13:54 -0500 1/17/05, Joe Abley wrote:
So the TTLs of records in the registry-operated zones will likely have no
impact on how long NS records for delegated zones remain in caches.
If panix (or anybody else) wants to increase the time that their NS records
stay in caches, the way to do it is to increase the TTLs on the authoritative
NS records in their own zones. For panix.com, these appear to be set to 72
hours (the non-authoritative NS records for PANIX.COM in the COM zone have
48-hour TTLs).
That's provided that the panix.com authoritative NS's are seen in the 
cache.  Not all name servers return the authoritative NS's in an 
answer.  (BIND has an option 'minimal-responses yes_or_no;' that 
controls this.  The default is no, but I know of one yes user.)

The registrant's copy of the NS set is more credible (RFC 2181 speak) 
than the registry's copy, so if a cache sees both, the cache tosses 
the registry copy.  But there's no guarantee that the cache will see 
both.  Usually it does though.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis  +1-571-434-5468
NeuStar
A noble spirit embiggens the smallest man. - Jebediah Springfield


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-17 Thread Joe Maimon

Steven M. Bellovin wrote:
In message [EMAIL PROTECTED], william(
at)elan.net writes:

On Sun, 16 Jan 2005, Joe Maimon wrote:

Thus justifying those who load their NS and corresponding NS's A records 
with nice long TTL

Although this wasn't a problem in this case (the hijacker did not appear to 
have been interested in controlling DNS, since it points to a default domain
registration and under-construction page), the long TTL trick could be 
used by hijackers - i.e. he gets some very popular domain, changes DNS to 
the one he controls and purposely sets a long TTL. Now even if registrars 
are able to act quickly and change the registration back, those who cached the new
DNS data would keep it for quite a long time in their cache.

Many versions of bind have a parameter that caps TTLs to some rational 
maximum value -- by default in bind9, 3 hours.  Unfortunately, the 
documentation suggests that the purpose of the max-ncache-ttl parameter 
is to let you increase the cap, in order to improve performance and 
decrease network traffic.  

The suggestion that someone made the other day -- that the TTL on zones 
be ramped up gradually by the registries after creation or transfer -- 
is, I think, a good one.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
 

From bv9ARM
*max-ncache-ttl*
   To reduce network traffic and increase performance the server stores
   negative answers. *max-ncache-ttl* is used to set a maximum
   retention time for these answers in the server in seconds. The
   default *max-ncache-ttl* is 10800 seconds (3 hours).
   *max-ncache-ttl* cannot exceed 7 days and will be silently truncated
   to 7 days if set to a greater value.
*max-cache-ttl*
   *max-cache-ttl* sets the maximum time for which the server will
   cache ordinary (positive) answers. The default is one week (7 days).
So loading TTLs to longer than 7 days will have diminishing returns.
Is this really such a good thing?
Joe
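The caching behaviour this exchange turns on, Abley's and Lewis's point that a zone's own authoritative NS set outranks the registry's delegation copy under RFC 2181, and the max-cache-ttl cap quoted above from the bv9ARM, modelled in a small added Python example (not code from the thread or from BIND). It computes how long a cache keeps answering with a hijacked NS set after the registry restores the delegation; the 48-hour COM TTL and ns[12].access.net come from the posts, while the hijacker's server names, the 30-day TTL they serve and the six-hour revert time are constructed.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

# RFC 2181 section 5.4.1 ranks cached data by how it was learned; higher wins.
# These three ranks are all this model needs.
RANK_AUTH_ANSWER = 3   # answer section of an authoritative response
RANK_AUTH_NS = 2       # authority section of an authoritative response (the zone's own NS set)
RANK_REFERRAL = 1      # delegation NS/glue handed out by the parent (the COM servers' copy)


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: tuple
    ttl: int
    rank: int


class Cache:
    """Positive cache holding one RRset per (name, type), credibility aware, TTL capped."""

    def __init__(self, max_cache_ttl=7 * DAY):
        # Models BIND's max-cache-ttl; one week is the default quoted from the bv9ARM above.
        self.max_cache_ttl = max_cache_ttl
        self.store = {}  # (name, type) -> (RRset, absolute expiry time)

    def _live(self, key, now):
        entry = self.store.get(key)
        if entry is None or entry[1] <= now:
            return None
        return entry

    def insert(self, rrset, now):
        """Cache rrset unless a more credible, unexpired copy is already present."""
        key = (rrset.name.lower(), rrset.rtype)
        current = self._live(key, now)
        if current is not None and current[0].rank > rrset.rank:
            return False  # RFC 2181: less credible data never displaces more credible data
        ttl = min(rrset.ttl, self.max_cache_ttl)  # the max-cache-ttl cap
        self.store[key] = (RRset(rrset.name, rrset.rtype, rrset.rdata, ttl, rrset.rank), now + ttl)
        return True

    def lookup(self, name, rtype, now):
        entry = self._live((name.lower(), rtype), now)
        return entry[0].rdata if entry else None

    def remaining_ttl(self, name, rtype, now):
        entry = self._live((name.lower(), rtype), now)
        return entry[1] - now if entry else 0


GOOD_NS = ("ns1.access.net.", "ns2.access.net.")            # panix.com's real servers, per the thread
BAD_NS = ("bad-ns1.example.invalid.", "bad-ns2.example.invalid.")  # constructed placeholder names


def stale_delegation_seconds(max_cache_ttl=7 * DAY, minimal_responses=False):
    """Seconds for which a cache keeps answering with the hijacked NS set after the
    registry restores the correct delegation.

    Constructed timeline: at t=0 the cache learns the hijacked delegation from the COM
    zone (48 h TTL, the figure reported in the thread) and, unless the bad servers run
    with minimal-responses, also their own authoritative NS set with a 30-day TTL.
    At t=6 h the registry puts the correct delegation back.
    """
    cache = Cache(max_cache_ttl)
    cache.insert(RRset("panix.com", "NS", BAD_NS, 48 * HOUR, RANK_REFERRAL), now=0)
    if not minimal_responses:
        cache.insert(RRset("panix.com", "NS", BAD_NS, 30 * DAY, RANK_AUTH_NS), now=0)
    revert = 6 * HOUR
    cache.insert(RRset("panix.com", "NS", GOOD_NS, 48 * HOUR, RANK_REFERRAL), now=revert)
    if cache.lookup("panix.com", "NS", revert) == BAD_NS:
        return cache.remaining_ttl("panix.com", "NS", revert)
    return 0


if __name__ == "__main__":
    for cap, minimal in ((7 * DAY, False), (DAY, False), (7 * DAY, True)):
        hours = stale_delegation_seconds(cap, minimal) / HOUR
        print(f"max-cache-ttl={cap // HOUR:4d}h minimal-responses={minimal!s:5}: stale for {hours:.0f}h")
```

Lowering max-cache-ttl shortens the stale window regardless of what TTL the hijacked servers publish; with minimal-responses on the bad side the registry copy is all the cache ever holds, so the revert takes effect at once.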


Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread William Allen Simpson
Since folks have been working on this for hours, and according to
posts on NANOG, both MelbourneIT and Verisign refuse to do anything
for days or weeks, would it be a good time to take drastic action?
Think of what we'd do about a larger ISP, or the Well, or really any
serious financial target.
Think of the damage from harvesting logins and mail passwords of
panix users.

===
Does somebody have a fast DNS server that can AXFR the records from
those 2 name servers, then fix the panix.com entries?
Are people willing to announce some replacement servers as /32 BGP?
Sort of an emergency anycast?
===
Alternatively, are people willing to block those name servers and/or
the entire blocks they are located in, to prevent the distribution of
the false panix.com addresses?
--
William Allen Simpson
   Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Alexei Roudnev

In addition, there is a good rule for such situations:
- first, return everything to _previous_ state;
- having it fixed in previous state, allow time for lawyers, disputes and so
on to resolve a problem.

It makes VeriSign's position very strange (of course, it is a dumb clueless
behemoth as it was all the time around) - instead of saying _OK, let's return
the last transactions and then you can object to this change_, they just step out.
The problem is much more serious than just one stolen domain - it shows 100%
that VeriSign is not able to manage the domain system properly.

What happens if someone steals the 'aol.com' domain tomorrow?  Or 'microsoft.com'?
How much damage will be done until these sleeping behemoths wake up, set up a
meeting (on Tuesday I believe - because Monday is a holiday), make any
decision, open a ticket, pass thru change control and restore the domain? 5
days?


- Original Message - 
From: William Allen Simpson [EMAIL PROTECTED]
To: nanog@merit.edu
Sent: Sunday, January 16, 2005 12:38 AM
Subject: Re: panix.com hijacked (VeriSign refuses to help)



 Since folks have been working on this for hours, and according to
 posts on NANOG, both MelbourneIT and Verisign refuse to do anything
 for days or weeks, would it be a good time to take drastic action?

 Think of what we'd do about a larger ISP, or the Well, or really any
 serious financial target.

 Think of the damage from harvesting logins and mail passwords of
 panix users.

 ===

 Does somebody have a fast DNS server that can AXFR the records from
 those 2 name servers, then fix the panix.com entries?

 Are people willing to announce some replacement servers as /32 BGP?
 Sort of an emergency anycast?

 ===

 Alternatively, are people willing to block those name servers and/or
 the entire blocks they are located in, to prevent the distribution of
 the false panix.com addresses?

 -- 
 William Allen Simpson
 Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32




Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Paul G


- Original Message - 
From: Alexei Roudnev [EMAIL PROTECTED]
To: William Allen Simpson [EMAIL PROTECTED]; nanog@merit.edu
Sent: Sunday, January 16, 2005 4:07 AM
Subject: Re: panix.com hijacked (VeriSign refuses to help)



 In addition, there is a good rule for such situations:
 - first, return everything to _previous_ state;
 - having it fixed in previous state, allow time for lawyers, disputes and so
 on to resolve a problem.

agreed. but then proverbially, common sense isn't.

 What happens if someone steals the 'aol.com' domain tomorrow?  Or 'microsoft.com'?
 How much damage will be done until these sleeping behemoths wake up, set up a
 meeting (on Tuesday I believe - because Monday is a holiday), make any
 decision, open a ticket, pass thru change control and restore the domain? 5
 days?

with due respect to panix (i knew of panix before i ever knew of aol, even
living in europe), i imagine another bigger 'behemoth', as you so deftly put
it, has a better way of liaising with verisign than you, me or panix.

-p

---
paul galynin



Re: panix.com hijacked

2005-01-16 Thread Raymond Dijkxhoorn
Hi!
So let's see.. the users will see this when they log into shell.panix.net
(since shell.panix.com is borked).. Somehow, that doesn't seem to help much..

and the hijackers could be, potentially, running a box pretending to be
shell.panix.com, gathering userids and passwds :(
Or put up a POP server, that's more likely used by more of their customers 
anyway.

The other question was a nice one also, did they have REGISTER-LOCK set for 
the domain?

Bye,
Raymond


RE: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Scott Morris

As much as it pains me to say, I'm sure there is a little difference when it
comes to some of the big domains.

1.  It doesn't take any rocket scientist to sit back and say U...  I
really don't think this is a legit move without a lot of thinking!

2.  If a lawyer for AOL or MS or some really big company sent a letter
saying something about if you don't change this back in the next 30 seconds
or we will destroy your company, it would be more believable!

Unfortunately, size does matter.  :)

Scott
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Petra Zeidler
Sent: Sunday, January 16, 2005 6:28 AM
To: nanog@merit.edu
Subject: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)


Hi,

Thus wrote Alexei Roudnev ([EMAIL PROTECTED]):

 What happens if someone steals the 'aol.com' domain tomorrow?  Or 'microsoft.com'?
 How much damage will be done until these sleeping behemoths wake up, set 
 up a meeting (on Tuesday I believe - because Monday is a holiday), 
 make any decision, open a ticket, pass thru change control and 
 restore the domain? 5 days?

I remember that in a similar case in .de several larger ISPs put the
previous ('correct') zone on their resolvers. Would
a) people here feel that is an appropriate measure for this case
b) do it on their resolvers
c) the panix.com people want that to happen in the first place?

regards,
Petra Zeidler



Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Eric Brunner-Williams in Portland Maine

Oki all,

It's dawn in Maine, the caffeine delivery system has only just started,
but I'll comment on the overnight.

You're welcome [EMAIL PROTECTED] If you'll send me the cell phone number
for the MIT management I will call wearing my registrar hat and inform
whoever I end up speaking with that Bruce needs to call me urgently, on
Registrar Constituency business.

Next, put a call into the Washington Post. They lost the use of the name
washpost.com which all their internal email used, due to expiry, so
their internal mail went dark for several hours. This was haha funny
during the primary season (Feb 6). If they don't get it try the NYTimes.
Put the problem on record. There is an elephant in the room.

The elephant is that the existing regime is organized around protecting
the IPR lobby from boogiemen of their own invention. They invented the
theory that trademark.tld (and trademark.co.cctld) existence dilutes the
value of trademark, hence names-are-marks, bringing many happy dollars
(10^^6 buys) into the registrar/registry system ($29-or-less/$6, resp.,
per gtld and some cctlds), and retarding new gTLD introductions, as
each costs the IPR interests an additional $35 million annually.

To solve their division of spoils problem, is united.com UAL or is it
UA?, we had DRPs, which is now a UDRP, and more DRPs for lots of cctlds.

These [U]DRPs take many, many, many, many units of 24x7. They were invented
for the happy IPR campers, who care about _title_, not _function_. If
the net went dark that would be fine with them too, so long as the right
owners owned the right names.

Restated, there is no applicable (as in useful for a 24x7 no downtime
claimant) law in the ICANN jurisdiction.

And it is your own damn fault. Cooking up the DRPs took years of work by
the concerned interests, and they were more concerned with enduring legal
title than momentary loss of possession. During those years, interest in
the DNSO side of ICANN by network operators went from some to zero, and
at the Montevideo meeting the ISP and Business constituencies were so
small they met in a small room and only half the seats were taken. After
that point they were effectively merged. IMHO, Marilyn Cade and Phillipe
Shepard are the ISP/B Constituency, and they can't hear you (for all
24x7 operational values of you).

In case it isn't obvious, the your own damn fault refers to a much
larger class of you than Alexis Rosen.

[Oh, the same happy campers are why :43 is broken. They want perfect
 data at no cost and w/o restriction. Registrars don't want slamming,
 today's owie, and registrants don't want spam (which some ISPs do),
 so the whole :43 issue is a trainwreck of non-operational interests
 overriding operational interests. Registrars would be happy to pump
 :43 data to operators, if we could manage the abuse, instead we get
 knuckleheads who insist that spam would be solved forever if ...]


There is a fundamental choice of jurisdictions question. Is ICANN the
correct venue for adjudication, or is there another venue? This is what
recourse to the ask a real person mechanism assumes, that talking to
a human being is the better choice.

Bill made this comment: 

 Since folks have been working on this for hours, and according to
 posts on NANOG, both MelbourneIT and Verisign refuse to do anything
 for days or weeks, would it be a good time to take drastic action?
 
 Think of what we'd do about a larger ISP, or the Well, or really any
 serious financial target.
 
 Think of the damage from harvesting logins and mail passwords of
 panix users.

You (collectively) are another venue. When the SiteFinder patch was
broadly adopted to work around a change made at one of the registries,
you (collectively) were replacing ICANN as the regulatory body. ICANN
took weeks to arrive at a conclusion about that change, then endorsed
that patch to the deployed DNS, while deprecating incoherence in the
DNS.

[I spent 5 minutes at the Rome Registrar Constituency meeting chewing
 Vint Cerf and Paul Twomey in front of about 100 registrars and back
 benchers for taking many, many, many, many units of 24x7 to arrive at the
 conclusion that breakage, or surprise in .com was not a good thing.]

There is a stability of the internet issue. An ISP's user names and
their passwords are compromised by VGRS, MIT, DOTSTER, and PANIX all
following the controlling authority -- the ICANN disputed transfer
process. It isn't MCI or AOL or ... and if it were a bank it might
not be Bank of America ... and if it were a newspaper it might not
be the WaPo. But if size defines the class of protected businesses
under the controlling jurisdiction [1], then Panix's core problem
is that it isn't AOL or MSN or the ISP side of a RBOC.

I'd be nervous if I were Alexis. Not enough people are running their
cups on the bars to get the attention of the wardens.

Eric
registrar_hat=on/

[1] In the US FCC space, the 3-2 decision mid-last month on CLEC access
to unbundled UNE is a size defines the class 

Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Hank Nussbacher

On Sun, 16 Jan 2005, Eric Brunner-Williams in Portland Maine wrote:

One could almost think this hijack was timed to the release of the ICANN
Requests Public Comments on Experiences with Inter-Registrar Transfer
Policy from Jan 12:
http://www.icann.org/announcements/announcement-12jan05.htm

-Hank


 Oki all,

 It's dawn in Maine, the caffeine delivery system has only just started,
 but I'll comment on the overnight.

 You're welcome [EMAIL PROTECTED] If you'll send me the cell phone number
 for the MIT management I will call wearing my registrar hat and inform
 whoever I end up speaking with that Bruce needs to call me urgently, on
 Registrar Constituency business.

 Next, put a call into the Washington Post. They lost the use of the name
 washpost.com which all their internal email used, due to expiry, so
 their internal mail went dark for several hours. This was haha funny
 during the primary season (Feb 6). If they don't get it try the NYTimes.
 Put the problem on record. There is an elephant in the room.

 The elephant is that the existing regime is organized around protecting
 the IPR lobby from boogiemen of their own invention. They invented the
 theory that trademark.tld (and trademark.co.cctld) existence dilutes the
 value of trademark, hence names-are-marks, bringing many happy dollars
 (10^^6 buys) into the registrar/registry system ($29-or-less/$6, resp.,
 per gtld and some cctlds), and retarding new gTLD introductions, as
 each costs the IPR interests an additional $35 million annually.

 To solve their division of spoils problem, is united.com UAL or is it
 UA?, we had DRPs, which is now a UDRP, and more DRPs for lots of cctlds.

 These [U]DRPs take many, many, many, many units of 24x7. They were invented
 for the happy IPR campers, who care about _title_, not _function_. If
 the net went dark that would be fine with them too, so long as the right
 owners owned the right names.

 Restated, there is no applicable (as in useful for a 24x7 no downtime
 claimant) law in the ICANN jurisdiction.

 And it is your own damn fault. Cooking up the DRPs took years of work by
 the concerned interests, and they were more concerned with enduring legal
 title than momentary loss of possession. During those years, interest in
 the DNSO side of ICANN by network operators went from some to zero, and
 at the Montevideo meeting the ISP and Business constituencies were so
 small they met in a small room and only half the seats were taken. After
 that point they were effectively merged. IMHO, Marilyn Cade and Phillipe
 Shepard are the ISP/B Constituency, and they can't hear you (for all
 24x7 operational values of you).

 In case it isn't obvious, the your own damn fault refers to a much
 larger class of you than Alexis Rosen.

 [Oh, the same happy campers are why :43 is broken. They want perfect
  data at no cost and w/o restriction. Registrars don't want slamming,
  today's owie, and registrants don't want spam (which some ISPs do),
  so the whole :43 issue is a trainwreck of non-operational interests
  overriding operational interests. Registrars would be happy to pump
  :43 data to operators, if we could manage the abuse, instead we get
  knuckleheads who insist that spam would be solved forever if ...]


 There is a fundamental choice of jurisdictions question. Is ICANN the
 correct venue for adjudication, or is there another venue? This is what
 recourse to the ask a real person mechanism assumes, that talking to
 a human being is the better choice.

 Bill made this comment:

  Since folks have been working on this for hours, and according to
  posts on NANOG, both MelbourneIT and Verisign refuse to do anything
  for days or weeks, would it be a good time to take drastic action?
 
  Think of what we'd do about a larger ISP, or the Well, or really any
  serious financial target.
 
  Think of the damage from harvesting logins and mail passwords of
  panix users.

 You (collectively) are another venue. When the SiteFinder patch was
 broadly adopted to work around a change made at one of the registries,
 you (collectively) were replacing ICANN as the regulatory body. ICANN
 took weeks to arrive at a conclusion about that change, then endorsed
 that patch to the deployed DNS, while deprecating incoherence in the
 DNS.

 [I spent 5 minutes at the Rome Registrar Constituency meeting chewing
  Vint Cerf and Paul Twomey in front of about 100 registrars and back
  benchers for taking many, many, many, many units of 24x7 to arrive at the
  conclusion that breakage, or surprise in .com was not a good thing.]

 There is a stability of the internet issue. An ISP's user names and
 their passwords are compromised by VGRS, MIT, DOTSTER, and PANIX all
 following the controlling authority -- the ICANN disputed transfer
 process. It isn't MCI or AOL or ... and if it were a bank it might
 not be Bank of America ... and if it were a newspaper it might not
 be the WaPo. But if size defines the class of protected businesses
 under the 

Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Alexei Roudnev

 

 
  In addition, there is a good rule for such situations:
  - first, return everything to _previous_ state;
  - having it fixed in previous state, allow time for lawyers, disputes and so
  on to resolve a problem.

 agreed. but then proverbially, common sense isn't.

  What happens if someone steals the 'aol.com' domain tomorrow?  Or 'microsoft.com'?
  How much damage will be done until these sleeping behemoths wake up, set up a
  meeting (on Tuesday I believe - because Monday is a holiday), make any
  decision, open a ticket, pass thru change control and restore the domain? 5
  days?

 with due respect to panix (i knew of panix before i ever knew of aol, even
 living in europe), i imagine another bigger 'behemoth', as you so deftly
put
 it, has a better way of liaising with verisign than you, me or panix.

There is a _rollback to the first state in case of any conflicts_ common sense
rule, just to prevent liaising.
If you purchased a domain or transferred it, and I suspended the change for a week,
it may never do big harm to you.



 -p

 ---
 paul galynin




fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread Eric Brunner-Williams in Portland Maine

Oki all,

Delivery of RC mail to me is fairly desultory. Apparently there is an
earlier thread. Post-Rome the very purpose of the RC seems to me to be
doubtful (advocacy for registrars other than NetSol+4), and post-Elana
the process of the RC left me disinterested.

I'm particularly enamored by Ross' notion of what is going on on NANOG.

Cheers,
Eric

--- Forwarded Message

Date: Sun, 16 Jan 2005 09:57:03 -0500
From: Ross Wm. Rader [EMAIL PROTECTED]
Organization: Tucows Inc.
To: Mark Jeftovic [EMAIL PROTECTED]
CC: Registrars Constituency [EMAIL PROTECTED]
Subject: Re: [registrars] Re: panix.com hijacked

On 1/16/2005 12:29 AM Mark Jeftovic noted that:

 There's a thread on NANOG to the effect that panix.com has been
 hijacked from Dotster over to MelbourneIT and it has pretty
 well taken panix.com and its customers offline, see
 http://www.panix.net/

I don't see what you are looking at - .net and .com point to the same 
place with no indication of anything awry...of course, I'm late to the 
game and the DNS probably tells a different story...

 
 Looks like this may be among the first high-profile unauthorized
 transfer under the new transfer policy.

Looks like a bunch of guys on the NANOG list engaging in a lot of 
conjecture without the benefit of a lot of facts.

 Maybe there needs to some sort of emergency reversion where at least the
 nameservers can be rolled back immediately while the contesting parties
 sort it out.

Might be interesting - what criteria would trigger the process?



- -- 
Regards,


-rwr

In the modern world the intelligence of public opinion is the one 
indispensable condition for social progress.
- Charles W. Eliot (1834 - 1926)

--- End of Forwarded Message



Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread Lou Katz


Is there anything that us folks out in the peanut gallery can
do to help, other than locally serving the panix.net zone
for panix.com?
-- 
-=[L]=-


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread Daniel Karrenberg

On 16.01 10:25, Lou Katz wrote:
 
 
 Is there anything that us folks out in the peanut gallery can
 do to help, other than locally serving the panix.net zone
 for panix.com?

Avoid being caught by an IPR lawyer while helping; ;-)
Then organise operators to insert operational clue 
into the various policy processes.

Daniel


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread Richard Irving
Don't panic ?
   ;)
Lou Katz wrote:
Is there anything that us folks out in the peanut gallery can
do to help, other than locally serving the panix.net zone
for panix.com?


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread Andrew Brown

On Sun, Jan 16, 2005 at 07:21:55PM +0100, Daniel Karrenberg wrote:

On 16.01 12:46, William Allen Simpson wrote:
 
 --- Forwarded Message
 
 From: Ross Wm. Rader [EMAIL PROTECTED]
  
 
 I don't see what you are looking at - .net and .com point to the same 
 place with no indication of anything awry...of course, I'm late to the 
 game and the DNS probably tells a different story...
 
  
 
 This fellow is pretty confused, as from here (Michigan via Merit) the
 DNS has pointed to different places since yesterday.

A quick survey of some caching servers in my neighborhood reveals that
some of them return old/correct A RRs for panix.com at this time. 

presumably they have cached ns records from before the switch in the
com tld zone.

Following the DNS delegation chain from the root name servers provides
new/hijacked answers at this time. So I assume some operators of caching 
servers now choose to provide data that is inconsistent with the 
authoritative data in the DNS tree. So depending on where you ask, your
answer may vary. 

they're not choosing to do so, they're probably operating ~normally.
try asking them for the ns records for panix.com.  the age should give
you an idea of how long ago they were fetched from *.gtld-servers.net.
they probably got them before the switch, they'll time out soon
enough, and then they'll restart from the wrong servers.

-- 
|- CODE WARRIOR -|
[EMAIL PROTECTED]                 * ah!  i see you have the internet
[EMAIL PROTECTED] (Andrew Brown)  that goes *ping*!
[EMAIL PROTECTED]                 * information is power -- share the wealth.


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread gnulinux

On 16 Jan 2005 at 10:25, Lou Katz wrote:

 Is there anything that us folks out in the peanut gallery can
 do to help, other than locally serving the panix.net zone
 for panix.com?
 -- 
 -=[L]=-


actually this is amazingly helpful.  in fact 
encouraging more ISPs to do the same thing is, IMHO, 
the best way to route around hierarchical problems 
like this.  

imagine . . . The Association of Trustworthy ISPs   
these ISPs watch out for each other.  in the case of a 
member's domain being hijacked all other members serve 
the correct zone info.  this provides for a 
decentralized solution to the problem.  this 
association only admits members based on strict 
criteria and drops members immediately upon discovery 
of unethical behavior.  as more ISPs join the 
association end users will look for the association's 
seal of approval when shopping for an ISP.  


peace


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread Joe Maimon

Andrew Brown wrote:
On Sun, Jan 16, 2005 at 07:21:55PM +0100, Daniel Karrenberg wrote:

On 16.01 12:46, William Allen Simpson wrote:

--- Forwarded Message
From: Ross Wm. Rader [EMAIL PROTECTED]
I don't see what you are looking at - .net and .com point to the same 
place with no indication of anything awry...of course, I'm late to the 
game and the DNS probably tells a different story...

This fellow is pretty confused, as from here (Michigan via Merit) the
DNS has pointed to different places since yesterday.

A quick survey of some caching servers in my neighborhood reveals that
some of them return old/correct A RRs for panix.com at this time. 

presumably they have cached ns records from before the switch in the
com tld zone.

Thus justifying those who load their NS and corresponding NS's A records 
with nice long TTL

At least those whose caches you're still in will still talk to you after 
your registrar screws you.

(OT
Limiting named cache size could have an adverse effect for people hoping 
to cash in on this insurance. Shouldn't cache limiting kill low priority 
records such as A's which do not correspond to cached NS first?
)


Re: panix.com hijacked (VeriSign refuses to help)

2005-01-16 Thread Sean Donelan

On Sun, 16 Jan 2005, Alexei Roudnev wrote:
 What happens if someone steals the 'aol.com' domain tomorrow?  Or 'microsoft.com'?
 How much damage will be done until these sleeping behemoths wake up, set up a
 meeting (on Tuesday I believe - because Monday is a holiday), make any
 decision, open a ticket, pass thru change control and restore the domain? 5
 days?


AOL has gamed the system in the past to take over domain names they wanted
which were inconveniently registered by someone else by sending in an e-mail
to transfer the name to AOL.  Despite NSI's assurances, the domain was
changed to AOL in spite of the original registrant's objection.  NSI
said there was nothing they could do.

http://www.internetnews.com/bus-news/article.php/3_143441

On the other hand, when someone made an unauthorized change to AOL's
domain information, NSI reversed the change in a few hours.

http://news.com.com/2100-1023-216813.html?tag=bplst

Other than Panix having a constituency, unauthorized domain changes are an
old problem the registrar/registry haven't been able to solve in a decade.



Re: panix.com hijacked

2005-01-16 Thread William Warren

actually godaddy has been quite responsive for me @ 3am before.
Eric Brunner-Williams in Portland Maine wrote:
Howdy Perry,

Alexis Rosen of Panix was on the phone earlier today with the company
attorney for melbourneit -- reputedly he was informed that even if the
police called, they would not do anything about the problem until
Monday their time.

(a) I don't know MIT's attorney, and (b) I wouldn't ever call him or her
when I could reach someone I know, and (c) what would you expect an attorney
to say?

Alexis is a bit on the upset side, naturally -- his company is in
serious trouble because of very obvious fraud, and waiting a few days
isn't really something he can afford to do. (If you look at the whois
records now in place for panix.com they're pretty clearly the result
of fraudulent activity. There is a pretty clear attempt there to
maximally obscure who has stolen the domain name -- this is clearly
not an innocent mistake.)

Yeah, but, home truths. There are registrars who will get out of bed at
night for a customer, and registrars who could give a shit if hell froze.
Just like ISPs and LEOs, neh?
Picking a registrar with a market share in the top 10 means that you get
1/share's worth of attention, which means 1/1488700 of Dotster's attention
(using 1/15 daily market share graph). Now, was that at the NetSol $35/yr
price point for customer care, or the GoDaddy $6.95/yr price point for
customer care.
I suppose everyone thinks that it (for some value of it) can't happen
to them, and that if it does, a wicked small amount of money will still
do more than the oil that lights the lamps at Hanukkah, because bad acts
are rare and all the dimes pile up into a shared fate insurance fund.
Well, now I'm really going to bed.
Eric
--
My Foundation verse:
Isa 54:17  No weapon that is formed against thee shall prosper; 
and every tongue that shall rise against thee in judgment thou 
shalt condemn. This is the heritage of the servants of the LORD, 
and their righteousness is of me, saith the LORD.

-- carpe ductum -- Grab the tape
CDTT (Certified Duct Tape Technician)
Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/


Re: fwd: Re: [registrars] Re: panix.com hijacked

2005-01-16 Thread william(at)elan.net


On Sun, 16 Jan 2005, Joe Maimon wrote:

 Thus justifying those who load their NS and corresponding NS's A records 
 with nice long TTL

Although this wasn't a problem in this case (hijacker did not appear to 
have been interested in controlling dns since it points to default domain
registration and under construction page), but long TTL trick could be 
used by hijackers - i.e. he gets some very popular domain, changes dns to 
the one he controls and purposely sets long TTL. Now even if registrars 
are able to act quickly and change registration back, those who cached new
dns data would keep it for quite long in their cache.

P.S. Just in case I chose not to send this info until panix.com had been
restored, but we really do need to deal with how it occurred in the first
place - even short term damage is bad so we need to have policies at ICANN 
that do not allow unauthorized transfers or else all domains can be LOCKED
by default by registrars which effectively does the same.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]
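
The "long TTL trick" described in the post above, and Joe Maimon's earlier point that long-TTL NS records survive in caches after a registrar change, both come down to how long a resolver is willing to keep what it cached. The simulation below is an added example written by the editor; it is not code from anyone in this thread. It models a resolver that caps the TTL it honours (the knob BIND exposes as max-cache-ttl) and measures how long the hijacker's data keeps being served after the registry restores the delegation. The domain name, both answers, the cap values and the timeline are all constructed.

```python
"""Added example (editor's code, not from the NANOG thread): a toy resolver
cache that caps the TTL it honours, used to measure how long hijacked
DNS data keeps being served after the delegation is restored."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed values: the domain, both answers and all timings are made up.
NAME = "example.com"
LEGIT = "192.0.2.10"        # the real A record (TEST-NET-1 documentation range)
HIJACKED = "198.51.100.7"   # what the hijacker's name servers hand out (TEST-NET-2)


@dataclass
class CachedRR:
    rdata: str
    expires_at: int


class CappingCache:
    """Resolver cache that never honours a TTL above max_cache_ttl,
    which is what BIND's max-cache-ttl option does for a real resolver."""

    def __init__(self, max_cache_ttl: int) -> None:
        self.max_cache_ttl = max_cache_ttl
        self._entries: dict[tuple[str, str], CachedRR] = {}

    def store(self, now: int, name: str, rtype: str, rdata: str, ttl: int) -> int:
        """Cache rdata for min(ttl, cap) seconds; returns the TTL actually used."""
        effective_ttl = min(ttl, self.max_cache_ttl)
        self._entries[(name, rtype)] = CachedRR(rdata, now + effective_ttl)
        return effective_ttl

    def lookup(self, now: int, name: str, rtype: str) -> str | None:
        entry = self._entries.get((name, rtype))
        if entry is None:
            return None
        if now >= entry.expires_at:      # expired: evict and report a miss
            del self._entries[(name, rtype)]
            return None
        return entry.rdata


def authority_answer(t: int, restore_time: int) -> str:
    """What the authoritative side returns at time t: the hijacker's data
    until the registry restores the delegation, the legitimate data after."""
    return LEGIT if t >= restore_time else HIJACKED


def first_correct_answer(record_ttl: int, max_cache_ttl: int,
                         restore_time: int, step: int = 60) -> int:
    """Walk a timeline in `step` second increments. The hijack happens at t=0
    and a client queries this resolver every step. Returns the first time
    the resolver hands the client the legitimate rdata."""
    cache = CappingCache(max_cache_ttl)
    t = 0
    while True:
        answer = cache.lookup(t, NAME, "A")
        if answer is None:                          # miss: ask the authority
            answer = authority_answer(t, restore_time)
            cache.store(t, NAME, "A", answer, record_ttl)
        if answer == LEGIT:
            return t
        t += step


def stale_seconds_after_restore(record_ttl: int, max_cache_ttl: int,
                                restore_time: int) -> int:
    """How long, after the registry fixed things, this resolver kept
    serving the hijacker's data."""
    return first_correct_answer(record_ttl, max_cache_ttl, restore_time) - restore_time


if __name__ == "__main__":
    WEEK = 7 * 86400
    restore = 36 * 3600 + 400          # restored roughly 36 hours after the hijack
    for cap in (WEEK, 3600):
        stale = stale_seconds_after_restore(WEEK, cap, restore)
        print(f"hijacker TTL {WEEK}s, resolver cap {cap}s: "
              f"stale for {stale}s ({stale / 3600:.1f} h) after restoration")
```

With a one-week TTL from the hijacker and no effective cap, the resolver serves the wrong answer for the rest of the week regardless of how fast the registry acts; with a one-hour cap the stale window is at most an hour after restoration. The cost is the obvious one: the capped resolver re-queries the authority every hour instead of once a week, which is the performance trade-off that makes operators raise the cap rather than lower it.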



panix.com hijacked

2005-01-15 Thread Steven M. Bellovin

panix.com has apparently been hijacked.  It's now associated with a 
different registrar -- melbourneit instead of dotster -- and a 
different owner.  Can anyone suggest appropriate people to contact to 
try to get this straightened out?

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: panix.com hijacked

2005-01-15 Thread Chris Adams

Once upon a time, Steven M. Bellovin [EMAIL PROTECTED] said:
 panix.com has apparently been hijacked.  It's now associated with a 
 different registrar -- melbourneit instead of dotster -- and a 
 different owner.  Can anyone suggest appropriate people to contact to 
 try to get this straightened out?

Good luck dealing with melbourneit.com; that's the place where domains
go to die.
-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: panix.com hijacked

2005-01-15 Thread Mark Jeftovic


On Sat, 15 Jan 2005, Chris Adams wrote:


 Once upon a time, Steven M. Bellovin [EMAIL PROTECTED] said:
  panix.com has apparently been hijacked.  It's now associated with a
  different registrar -- melbourneit instead of dotster -- and a
  different owner.  Can anyone suggest appropriate people to contact to
  try to get this straightened out?

 Good luck dealing with melbourneit.com; that's the place where domains
 go to die.


I originally replied offlist, but...

Under the new ICANN transfer policy, this will most likely be
reversed if it's shown to be an improper transfer. You need to
bring Dotster into this and they need to invoke a transfer dispute
under the new policy.

MelbourneIT needs to demonstrate a proper FOA (Form of Authorization)
to have initiated the transfer and if it's found to be invalid the
domain will be re-instated and Melbourne-IT fined.

-mark

-- 
Mark Jeftovic [EMAIL PROTECTED]
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237


Re: panix.com hijacked

2005-01-15 Thread Perry E. Metzger


Mark Jeftovic [EMAIL PROTECTED] writes:
 Once upon a time, Steven M. Bellovin [EMAIL PROTECTED] said:
  panix.com has apparently been hijacked.  It's now associated with a
  different registrar -- melbourneit instead of dotster -- and a
  different owner.  Can anyone suggest appropriate people to contact to
  try to get this straightened out?

 Good luck dealing with melbourneit.com; that's the place where domains
 go to die.

 I originally replied offlist, but...

 Under the new ICANN transfer policy, this will most likely be
 reversed if it's shown to be an improper transfer. You need to
 bring Dotster into this and they need to invoke a transfer dispute
 under the new policy.

Dotster isn't in a position to do anything. They don't show the domain
as being transferred. Someone managed to hack the system. They're
pretty upset by the situation, too.

The melbourneit.com folks conveniently refuse to do anything over the
weekend. The bad guys struck around midnight Saturday, Australian
time, so as to make the damage as bad as possible.

Panix is highly screwed by this -- their users are all off the air,
and they can't really wait for an appeals process to complete in order
to get everything back together again.

Perry


Re: panix.com hijacked

2005-01-15 Thread bmanning

On Sat, Jan 15, 2005 at 10:27:31PM -0500, Steven M. Bellovin wrote:
 
 panix.com has apparently been hijacked.  It's now associated with a 
 different registrar -- melbourneit instead of dotster -- and a 
 different owner.  Can anyone suggest appropriate people to contact to 
 try to get this straightened out?
 
   --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
 

calls have been initiated.

--bill


Re: panix.com hijacked

2005-01-15 Thread william(at)elan.net


On Sat, 15 Jan 2005, Mark Jeftovic wrote:

  Once upon a time, Steven M. Bellovin [EMAIL PROTECTED] said:
   panix.com has apparently been hijacked.  It's now associated with a
   different registrar -- melbourneit instead of dotster -- and a
   different owner.  Can anyone suggest appropriate people to contact to
   try to get this straightened out?
 
  Good luck dealing with melbourneit.com; that's the place where domains
  go to die.

 I originally replied offlist, but...
 
 Under the new ICANN transfer policy, this will most likely be
 reversed if it's shown to be an improper transfer. You need to
 bring Dotster into this and they need to invoke a transfer dispute
 under the new policy.

The problem is that during that time panix and its users have suffered 
serious losses. They should never have allowed the transfer in the first
place without authorization, so new ICANN policy is a problem, not a
solution.
 
 MelbourneIT needs to demonstrate a proper FOA (Form of Authorization)
 to have initiated the transfer and if it's found to be invalid the
 domain will be re-instated and Melbourne-IT fined.

That means at least 24 hours for initial investigation and it likely will 
not happen until Monday (bad guys do these sorts of things on weekends
for a reason ...) and they probably will not act until Monday evening or 
longer (and that is at the same time when Verisign now allows rapid 
updates to zone file and could fix it very quickly). If I were Panix, I 
would get lawyers to draft and fax a nastygram letter to MelbourneIT and 
somewhat similar letter to Verisign warning them of the liabilities 
involved in being accomplices to such fraudulent and illegal 
actions and saying that every hour the  situation is not fixed Panix 
losses continue to increase and somebody would have to pay, etc...

But more important would be to actually call Verisign (their NOC) and
complain loud and clear - if I remember when something like this happened
about 2-3 years ago to another big company they fixed it in  12 hours.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: panix.com hijacked

2005-01-15 Thread Eric Brunner-Williams in Portland Maine

I've forwarded to Bruce Tonkin, who I know personally, at MIT,
and Cliff Page, who I don't know as well, at Dotster, Steve's
note. These are the RC reps for each registrar.


Re: panix.com hijacked

2005-01-15 Thread Chris Adams

Once upon a time, Robert Kryger [EMAIL PROTECTED] said:
 On Sat, 15 Jan 2005, Chris Adams wrote:
 Good luck dealing with melbourneit.com; that's the place where domains
 go to die.
 
 Can you be a little more specific?
 You imply that you have experience or anecdotes about this outfit and 
 this sort of situation.

Not exactly this sort of situation, no.  I do know that we've had
hosting customers that have had domains with melbourneit.com as the
registrar that they were unable to ever transfer to another registrar
(despite emails, faxes, and phone calls; IIRC one customer tried for
most of a year to transfer a domain to another registrar or at least get
the nameservers changed without success).

-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: panix.com hijacked

2005-01-15 Thread Eric Brunner-Williams in Portland Maine


 If I were Panix ...

Free advice. Bruce, Cliff and Chuck are people. Yes, even Chuck is a people.
You want prompt service, you ask nice and you ask the right people and you
don't assume there are facts not in evidence, like errors or malfeasance,
when you could be solving the problem, before the facts could be in evidence.

My phone isn't going to ring, so I'm going to bed.

Eric
registrar_hat=off/


Re: panix.com hijacked

2005-01-15 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Eric Brunner-Williams in 
Portland Maine writes:


 If I were Panix ...

Free advice. Bruce, Cliff and Chuck are people. Yes, even Chuck is a people.
You want prompt service, you ask nice and you ask the right people and you
don't assume there are facts not in evidence, like errors or malfeasance,
when you could be solving the problem, before the facts could be in evidence.


Agreed.  At the moment, we don't know all the details of what happened; 
what's important is for Panix to get back on the air.  We can sort out 
the blame later, when we have all the facts.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: panix.com hijacked

2005-01-15 Thread Perry E. Metzger


Eric Brunner-Williams in Portland Maine [EMAIL PROTECTED] writes:
 If I were Panix ...

 Free advice. Bruce, Cliff and Chuck are people. Yes, even Chuck is a people.
 You want prompt service, you ask nice and you ask the right people and you
 don't assume there are facts not in evidence, like errors or malfeasance,
 when you could be solving the problem, before the facts could be in evidence.

Alexis Rosen of Panix was on the phone earlier today with the company
attorney for melbourneit -- reputedly he was informed that even if the
police called, they would not do anything about the problem until
Monday their time.

Alexis is a bit on the upset side, naturally -- his company is in
serious trouble because of very obvious fraud, and waiting a few days
isn't really something he can afford to do. (If you look at the whois
records now in place for panix.com they're pretty clearly the result
of fraudulent activity. There is a pretty clear attempt there to
maximally obscure who has stolen the domain name -- this is clearly
not an innocent mistake.)

Perry


Re: panix.com hijacked

2005-01-15 Thread Eric Brunner-Williams in Portland Maine

Howdy Perry,

 Alexis Rosen of Panix was on the phone earlier today with the company
 attorney for melbourneit -- reputedly he was informed that even if the
 police called, they would not do anything about the problem until
 Monday their time.

(a) I don't know MIT's attorney, and (b) I wouldn't ever call him or her
when I could reach someone I know, and (c) what would you expect an attorney
to say?

 Alexis is a bit on the upset side, naturally -- his company is in
 serious trouble because of very obvious fraud, and waiting a few days
 isn't really something he can afford to do. (If you look at the whois
 records now in place for panix.com they're pretty clearly the result
 of fraudulent activity. There is a pretty clear attempt there to
 maximally obscure who has stolen the domain name -- this is clearly
 not an innocent mistake.)

Yeah, but, home truths. There are registrars who will get out of bed at
night for a customer, and registrars who could give a shit if hell froze.
Just like ISPs and LEOs, neh?

Picking a registrar with a market share in the top 10 means that you get
1/share's worth of attention, which means 1/1488700 of Dotster's attention
(using 1/15 daily market share graph). Now, was that at the NetSol $35/yr
price point for customer care, or the GoDaddy $6.95/yr price point for
customer care.

I suppose everyone thinks that it (for some value of it) can't happen
to them, and that if it does, a wicked small amount of money will still
do more than the oil that lights the lamps at Hanukkah, because bad acts
are rare and all the dimes pile up into a shared fate insurance fund.

Well, now I'm really going to bed.

Eric


Re: panix.com hijacked

2005-01-15 Thread Mark Jeftovic


On Sat, 15 Jan 2005, Steven M. Bellovin wrote:
 MelbourneIT needs to demonstrate a proper FOA (Form of Authorization)
 to have initiated the transfer and if its found to be invalid the
 domain will be re-instated and Melbourne-IT fined.

 Thanks.  I'm told that dotster says they have no record of anything
 resembling this request


Anyone happen to know if panix.com had their registrar-lock set
when this happened?

-mark

-- 
Mark Jeftovic [EMAIL PROTECTED]
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237


Re: panix.com hijacked

2005-01-15 Thread Richard Cox

On Sat, 15 Jan 2005 22:05:47 -0600
Chris Adams [EMAIL PROTECTED] wrote:

 I do know that we've had hosting customers that have had domains with
 melbourneit.com as the registrar that they were unable to ever transfer
 to another registrar (despite emails, faxes, and phone calls; IIRC one
 customer tried for most of a year to transfer a domain to another
 registrar or at least get the nameservers changed without success).

We have had a comparable experience and now, on checking the DNS for
the hijacked panix domain, I see name-servers similar to those I noted
on that previous occasion.  Known under various names that infer a UK
connection, (such as Fibranet Services Ltd/freeparking.co.uk) but in
fact seem to be Activebytes Software of 2530 Channin Drive Wilmington
Delaware, with servers routed via Koallo Inc in Canada!

So far as we were able to determine, there was no actual UK presence.

ns1.ukdnsservers.co.uk has address 142.46.200.67
ns2.ukdnsservers.co.uk has address 207.61.90.196
ns3.ukdnsservers.co.uk has address 142.46.200.68
ns4.ukdnsservers.co.uk has address 207.61.90.197

MelbourneIT appear to have a U.S. Office near San Francisco:
  2200 Powell Street, Sixth Floor, Suite 690, Emeryville CA 94608
which would be slightly more accessible for service of writs, etc ...

-- 
Richard Cox


Re: panix.com hijacked

2005-01-15 Thread Valdis . Kletnieks
On Sun, 16 Jan 2005 01:32:46 EST, Henry Yen said:

 from panix shell hosts motd:
 
 . panix.net usable as panix.com (marcotte) Sat Jan 15 10:44:57 2005

So let's see.. the users will see this when they log into shell.panix.net
(since shell.panix.com is borked).. Somehow, that doesn't seem to help much..

Not that there's any *better* solution, other than changing the top level of the
phone tree to say:

Hi, we're out with baseball bats looking for the guys who broke panix.com.
In the meantime, you can use 'panix.net' as a temporary solution.  If you've
tried this already and it still doesn't work, or if you have some *other* issue,
please press '9' now...

(Been there, done that - we had a major mail hub outage a while ago, and tried
to get the word out by sending everybody a voice mail message, which our phone
system vendor *said* should work.  We resisted the temptation to send everybody
e-mail saying the voice mail system was down... ;)




Re: panix.com hijacked (VeriSign refuses to help)

2005-01-15 Thread Thor Lancelot Simon

Alexis Rosen tried to send this to NANOG earlier this evening but it
looks like it never made it.  Apologies if it's a duplicate; we're
both reduced to reading the list via the web interface since the
legitimate addresses for panix.com have now timed out of most folks'
nameservers and been replaced with the hijacker's records.

Note that we contacted VeriSign both directly and through intermediaries
well known to their ops staff, in both cases explaining that we suspect
a security compromise (technical or human) of the registration systems
either at MelbourneIT or at VeriSign itself (we have reasons to suspect
this that I won't go into here right now).  We noted that after calling
every publicly available number for MelbourneIT and leaving polite
messages, the only response we received was a rather rude brush-off from
MelbourneIT's corporate counsel, who was evidently directed to call us
by their CEO.

We are also told that law enforcement separately contacted VeriSign on
our behalf, to no avail.

Below please find VeriSign's response to our plea for help.  We're rather
at a loss as to what to do now; MelbourneIT clearly are beyond reach,
VeriSign won't help, and Dotster just claim they still own the domain and
that as far as they can tell nothing's wrong.  Panix may not survive this
if the formal complaint and appeal procedure are the only way forward.

 Date: Sun, 16 Jan 2005 00:21:33 -0500
 To: [EMAIL PROTECTED], NOC Supervisor [EMAIL PROTECTED]
 Subject: Re: FW: [EMAIL PROTECTED]: Brief summary of panix.com hijacking 
 incident]  (KMM2294267V49480L0KM)
 From: VeriSign Customer Service [EMAIL PROTECTED]
 X-Mailer: KANA Response 7.0.1.127
 
 Dear Alexis,
 
 Thank you for contacting VeriSign Customer Service.
 
 Unfortunately there is little that VeriSign, Inc. can do to rectify this
 situation.  If necessary, Dotster (or Melbourne) is more than welcome to
 contact us to obtain the specific details as to when the notices were
 sent and other historical information about the transfer itself.
 
 Dotster can file a Request for Enforcement if Melbourne IT contends that
 the request was legitimate and we will review the dispute and respond
 accordingly.  Dotster can also contact Melbourne directly and if they
 come to an agreement that the transfer was fraudulent they can file a
 Request for Reinstatement and the domain would be reinstated to its
 original Registrar.  Dotster could submit a normal transfer request to 
 Melbourne IT for the domain name and hope that Melbourne IT agrees to
 transfer the name back to them outside of a dispute having been filed. 
 In order to expedite processing the transfer or submitting a Request for
 Reinstatement however Dotster will need to contact Melbourne IT
 directly.  If Dotster is unable to get in touch with anyone at Melbourne
 IT we can assist them directly if necessary.
 
 Best Regards,
 
 Melissa Blythe
 Customer Service
 VeriSign, Inc.
 www.verisign.com
 [EMAIL PROTECTED]



Re: panix.com hijacked

2005-01-15 Thread Christopher L. Morrow



On Sun, 16 Jan 2005 [EMAIL PROTECTED] wrote:

 On Sun, 16 Jan 2005 01:32:46 EST, Henry Yen said:

  from panix shell hosts motd:
 
  . panix.net usable as panix.com (marcotte) Sat Jan 15 10:44:57 2005

 So let's see.. the users will see this when they log into shell.panix.net
 (since shell.panix.com is borked).. Somehow, that doesn't seem to help much..


and the hijackers could be, potentially, running a box pretending to be
shell.panix.com, gathering userids and passwds :(



Re: panix.com hijacked

2005-01-15 Thread Thor Lancelot Simon

Apologies for what may be another duplicate message, probably with broken
threading.  This is Alexis Rosen's original posting to this thread; we
think the mail chaos caused by the hijacking of panix.com kept it from
ever reaching the list (but, flying mostly-blind, we aren't sure).


 On Sat, Jan 15, 2005 at 10:27:31PM -0500, Steven M. Bellovin said:
  panix.com has apparently been hijacked.  It's now associated with a 
  different registrar -- melbourneit instead of dotster -- and a 
  different owner.  Can anyone suggest appropriate people to contact to 
  try to get this straightened out?
 
 Hi, all.
 
 I hate to pop my head up after years of lurking, only when things are
 going bad, but probably better that than remaining silent.
 
 First of all, I'm going to be bounced from this list once its cache of
 my DNS times out, which will probably be in about 2-3 hours, so if you have
 anything to say that you'd like me to see, please copy me. We're temporarily
 accepting mail at panix.net in addition to panix.com, so use alexis (at)
 panix.net.
 
 A few points to respond to:
 First, Eric, thanks for contacting Bruce and Eric on my behalf. While
 nothing has happened so far, I hope that it will soon, and in any case
 I appreciate your efforts to help a total stranger.
 
 Someone asked if we had registrar-lock set. It's not clear to me what
 happened. Our understanding is that we had locks on all of our domains.
 However, when we looked, locks were off on panix.net and panix.org, which
 we own but don't normally use. It's not clear how that happened; dotster
 has yet to contact us with any information about, well, anything at all.
 They did answer a call this morning; they're apparently in the middle of
 an ice storm. All I was able to learn from them is that according to the
 person I talked to, they had no records of any transfer requests on our
 domain from today back through last October.
 
 Someone suggested invoking a dispute procedure. We'll do that, as soon as
 we can get someone to actually accept the dispute, but if it goes through
 that process to completion, many people will suffer, and Panix itself will
 be tremendously damaged. How long do you think even our customers will
 stay loyal? (Forever, for many of them, but that doesn't mean they won't be
 forced to start using a different service.)
 
 While it's true that MelbourneIT won't do anything before (their) Monday
 morning, I don't want to paint them as bad guys in this drama. I don't
 know how they're organized and I don't know how difficult it is for them
 logistically. Of course I want them to move faster. Much faster. But I'll
 take what I can get.
 
 And speaking of MIT,  I don't intend to send them nastygrams - nor NSI
 either. Neither of them owes me anything (at least directly) and being
 heavyhanded would not be a good way to get what I want (restoral of the
 panix.com domain to dotster) even if I thought they deserved it. I expect
 that there will be criminal prosecutions arising out of this, but the time
 for that sort of thing is later, when things are back to normal, and we've
 fixed any systemic vulnerabilities that can be fixed before they're used
 to wreak mass havoc. And it's anyone's guess who the target of those
 prosecutions will be, but I doubt MIT or NSI will be among them.
 
 Lastly, someone expressed surprise that I'd call MIT's lawyer directly.
 I didn't. I spent *hours* trying to find working contact info for MIT and
 Dotster. I didn't find useful 24-hour NOC-type info anywhere. (Someone
 obviously has this info; I expect it's restricted to a list of registrars.)
 I reached Dotster's customer support when they opened for business Saturday
 morning; the guy was polite, and did what he could, but I saw no evidence
 whatsoever of the promised attempt to assist me after he got off the phone.
 MIT apparently has no weekend support at all; I finally located their CEO's
 cellphone in an investor-relations web page. I called him, and he had his
 lawyer call me back. That was his choice. FWIW, she's not just a lawyer;
 she's apparently the person who has to make decisions about reverting
 control of the domain. So she at least needs to be aware of our position.
 My impression is that she didn't fully grasp the gravity of the situation,
 and so treated us like she'd treat any other annoying customer who managed
 to track her down on her day off. This is somewhat understandable (though
 infuriating) which is why I'd hoped to talk to someone on their tech side
 first. No luck there, but if any of this reaches them, maybe that will
 start things going.
 
 Thanks again to everyone who has tried to help us today.
 
 /a
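
Alexis's finding that locks turned out to be off on domains the company owned but did not normally use, and Mark Jeftovic's question earlier in the thread about whether registrar-lock was set, are the kind of drift a periodic check against your own whois records catches. The script below is an added example written by the editor, not code from Panix or anyone in this thread. It parses whois output for the transfer-lock status and the delegated name servers and reports anything that differs from what the domain owner expects. The whois text is constructed; the status tokens REGISTRAR-LOCK and clientTransferProhibited are the legacy and EPP names of the lock the thread calls "registrar-lock", while the domain, registrar and server names are placeholders.

```python
"""Added example (editor's code, not from Panix or the NANOG thread):
audit whois output for a missing transfer lock and for delegation drift."""
from __future__ import annotations

import re

# Status tokens that mean the registry will refuse a transfer request.
# REGISTRAR-LOCK is the legacy Verisign whois form; the other two are EPP.
LOCK_TOKENS = {"REGISTRAR-LOCK", "CLIENTTRANSFERPROHIBITED", "SERVERTRANSFERPROHIBITED"}

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$")


def parse_whois(text: str) -> dict:
    """Pull the fields this audit cares about out of 'Key: value' whois lines.
    Handles both the legacy layout ('Status:', 'Registrar:') and the EPP-era
    layout ('Domain Status: token https://icann.org/epp#token')."""
    info = {"domain": None, "registrar": None, "statuses": [], "nameservers": []}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key == "domain name":
            info["domain"] = value.lower()
        elif key == "registrar":
            info["registrar"] = value
        elif key in ("status", "domain status"):
            info["statuses"].append(value.split()[0].upper())  # drop trailing URL
        elif key == "name server":
            info["nameservers"].append(value.lower().rstrip("."))
    return info


def audit(text: str, expected_ns, expected_registrar: str | None = None) -> list[str]:
    """Return a list of findings; an empty list means the record looks as expected."""
    info = parse_whois(text)
    findings = []
    if not set(info["statuses"]) & LOCK_TOKENS:
        findings.append("transfer lock not set")
    wanted = {n.lower().rstrip(".") for n in expected_ns}
    unexpected = sorted(set(info["nameservers"]) - wanted)
    if unexpected:
        findings.append("unexpected name servers: " + ", ".join(unexpected))
    if (expected_registrar and info["registrar"]
            and info["registrar"].lower() != expected_registrar.lower()):
        findings.append("registrar changed to " + info["registrar"])
    return findings


# What the owner believes the record should say (placeholders).
EXPECTED_NS = ["ns1.example.com", "ns2.example.com"]
EXPECTED_REGISTRAR = "Example Registrar LLC"

# Constructed whois output, legacy layout, as a locked domain would look.
LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR LLC
Status: REGISTRAR-LOCK
Status: ACTIVE
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
"""

# Constructed whois output after an unauthorised transfer: new registrar,
# no lock, delegation pointed somewhere the owner does not recognise.
TRANSFERRED = """\
Domain Name: EXAMPLE.COM
Registrar: OTHER REGISTRAR PTY
Status: ACTIVE
Name Server: NS1.UNEXPECTED.EXAMPLE
Name Server: NS2.UNEXPECTED.EXAMPLE
"""

# Constructed EPP-era layout, lock present under its modern name.
EPP_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.COM.
Name Server: NS2.EXAMPLE.COM.
"""

if __name__ == "__main__":
    for label, sample in (("locked", LOCKED), ("transferred", TRANSFERRED),
                          ("epp-locked", EPP_LOCKED)):
        print(label, audit(sample, EXPECTED_NS, EXPECTED_REGISTRAR) or ["ok"])
```

Run against live whois output on a schedule, the same three checks give early warning of exactly what happened here: a lock quietly dropped, the registrar field changing, and the delegation moving to name servers nobody at the company chose.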



Re: panix.com hijacked (VeriSign refuses to help)

2005-01-15 Thread Thor Lancelot Simon

On Sun, Jan 16, 2005 at 02:22:59AM -0500, Paul G wrote:
 
 
 - Original Message - 
 From: Thor Lancelot Simon [EMAIL PROTECTED]
 To: nanog@merit.edu
 Sent: Sunday, January 16, 2005 2:04 AM
 Subject: Re: panix.com hijacked (VeriSign refuses to help)
 
 
 
  Alexis Rosen tried to send this to NANOG earlier this evening but it
  looks like it never made it.  Apologies if it's a duplicate; we're
 
 --- snip ---
 
 how about trying to get in touch with the folks hosting the dns (on the off
 chance that they are honest and willing to help) and asking them to put up
 the correct panix.com zone?

The purported current admin contact appears to be a couple in Las Vegas
who are probably the victims of a joe job.  A little searching will
reveal that people by that name really *do* live at the address given,
and that one of the phone numbers given is a slightly obfuscated form
of a Las Vegas number that either now or in the recent past belonged to
one of them.

Suffice to say it doesn't seem to be possible to get them to change the
DNS.

Chasing down the records for the tech contact, and the allocated party
for the IP addresses now returned for various panix.com hosts (e.g.
142.46.200.72 for panix.com itself), and doing a little gumshoe work,
seems to show that they're all in some way associated with a UK holding
company that, when contacted by phone, claims no knowledge of today's
mishap involving Panix.com.  It's possible that this set of entities was
chosen specifically *because* its convoluted ownership structure would
make getting it to let go of a domain it may or may not know it now is
the tech contact for as difficult as possible.

Beyond the above, it's basically a matter for law enforcement.  Who is
really behind the malfeasance here is not clear, but what is clear
enough to me at this point is that there is, in fact, some deliberate
wrongdoing going on.  Whether the point is just to harm Panix or
to actually somehow profit by it I don't know, but I do note that
an earlier message in this thread pointed out a very similar earlier
incident involving MelbourneIT as the registrar, the same bogus new
domain contacts, and another hapless U.S. corporate victim.

I don't know if these are merely isolated attempts at harassment and
mischief or the precursors to a more widespread attack.  What I do know
is that I'm very concerned, Panix is quite literally fighting for its
life, everyone we've shown details of the problem to is concerned --
including CERT, AUSCERT, and knowledgeable law enforcement personnel --
with the notable exception of MelbourneIT, whose sole corporate response
has been one of decided unconcern, and VeriSign, who seem entirely
determined to pass the buck instead of investigating, fixing, or helping.

And so it goes.

Thor


Re: panix.com hijacked (VeriSign refuses to help)

2005-01-15 Thread Paul G


- Original Message - 
From: Thor Lancelot Simon [EMAIL PROTECTED]
To: Paul G [EMAIL PROTECTED]
Cc: nanog@merit.edu
Sent: Sunday, January 16, 2005 2:40 AM
Subject: Re: panix.com hijacked (VeriSign refuses to help)

--- snip ---

 I don't know if these are merely isolated attempts at harassment and
 mischief or the precursors to a more widespread attack.  What I do know
 is that I'm very concerned, Panix is quite literally fighting for its
 life, everyone we've shown details of the problem to is concerned --
 including CERT, AUSCERT, and knowledgeable law enforcement personnel --
 with the notable exception of MelbourneIT, whose sole corporate response
 has been one of decided unconcern, and VeriSign, who seem entirely
 determined to pass the buck instead of investigating, fixing, or helping.

 And so it goes.

i know people from verisign (used to?) read nanog-l. perhaps some sort of a
deus ex machina intervention may be forthcoming? one can hope.

-p

---
paul galynin