panix.com hijacked

panix.com has apparently been hijacked. It's now associated with a
different registrar -- melbourneit instead of dotster -- and a
different owner. Can anyone suggest appropriate people to contact to
try to get this straightened out?

    --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Once upon a time, Steven M. Bellovin <smb@cs.columbia.edu> said:

> panix.com has apparently been hijacked. It's now associated with a
> different registrar -- melbourneit instead of dotster -- and a
> different owner. Can anyone suggest appropriate people to contact to
> try to get this straightened out?

Good luck dealing with melbourneit.com; that's the place where domains
go to die.

I originally replied offlist, but...

Under the new ICANN transfer policy, this will most likely be
reversed if it's shown to be an improper transfer. You need to
bring Dotster into this and they need to invoke a transfer dispute
under the new policy.

MelbourneIT needs to demonstrate a proper FOA (Form of Authorization)
to have initiated the transfer and if it's found to be invalid the
domain will be re-instated and Melbourne-IT fined.

-mark

calls have been initiated.

--bill

Mark Jeftovic <markjr@easydns.com> writes:

> Once upon a time, Steven M. Bellovin <smb@cs.columbia.edu> said:
> > panix.com has apparently been hijacked. It's now associated with a
> > different registrar -- melbourneit instead of dotster -- and a
> > different owner. Can anyone suggest appropriate people to contact to
> > try to get this straightened out?
>
> Good luck dealing with melbourneit.com; that's the place where domains
> go to die.
>
> I originally replied offlist, but...
>
> Under the new ICANN transfer policy, this will most likely be
> reversed if it's shown to be an improper transfer. You need to
> bring Dotster into this and they need to invoke a transfer dispute
> under the new policy.

Dotster isn't in a position to do anything. They don't show the domain
as being transferred. Someone managed to hack the system. They're
pretty upset by the situation, too.

The melbourneit.com folks conveniently refuse to do anything over the
weekend. The bad guys struck around midnight Saturday, Australian
time, so as to make the damage as bad as possible.

Panix is highly screwed by this -- their users are all off the air,
and they can't really wait for an appeals process to complete in order
to get everything back together again.

Perry

> Once upon a time, Steven M. Bellovin <smb@cs.columbia.edu> said:
> > panix.com has apparently been hijacked. It's now associated with a
> > different registrar -- melbourneit instead of dotster -- and a
> > different owner. Can anyone suggest appropriate people to contact to
> > try to get this straightened out?
>
> Good luck dealing with melbourneit.com; that's the place where domains
> go to die.

> I originally replied offlist, but...
>
> Under the new ICANN transfer policy, this will most likely be
> reversed if it's shown to be an improper transfer. You need to
> bring Dotster into this and they need to invoke a transfer dispute
> under the new policy.

The problem is that during that time panix and its users have suffered
serious losses. They should never have allowed the transfer in the first
place without authorization, so new ICANN policy is a problem, not a
solution.

> MelbourneIT needs to demonstrate a proper FOA (Form of Authorization)
> to have initiated the transfer and if it's found to be invalid the
> domain will be re-instated and Melbourne-IT fined.

That means at least 24 hours for initial investigation and it likely will
not happen until Monday (bad guys do these sorts of things on weekends
for a reason ...) and they probably will not act until Monday evening or
longer (and that is at the same time when Verisign now allows "rapid"
updates to the zone file and could fix it very quickly). If I were Panix, I
would get lawyers to draft and fax a nastygram letter to MelbourneIT and a
somewhat similar letter to Verisign warning them of the liabilities
involved in being accomplices to such fraudulent and illegal
actions and saying that every hour the situation is not fixed Panix's
losses continue to increase and somebody would have to pay, etc...

But more important would be to actually call Verisign (their NOC) and
complain loud and clear - if I remember, when something like this happened
about 2-3 years ago to another big company they fixed it in < 12 hours.

Once upon a time, Robert Kryger <bobk@panix.com> said:

We have had a comparable experience and now, on checking the DNS for
the hijacked panix domain, I see name-servers similar to those I noted
on that previous occasion. Known under various names that infer a UK
connection, (such as Fibranet Services Ltd/freeparking.co.uk) but in
fact seem to be Activebytes Software of 2530 Channin Drive Wilmington
Delaware, with servers routed via Koallo Inc in Canada!

So far as we were able to determine, there was no actual UK presence.

  ns1.ukdnsservers.co.uk has address 142.46.200.67
  ns2.ukdnsservers.co.uk has address 207.61.90.196
  ns3.ukdnsservers.co.uk has address 142.46.200.68
  ns4.ukdnsservers.co.uk has address 207.61.90.197

MelbourneIT appear to have a U.S. Office near San Francisco:
  2200 Powell Street, Sixth Floor, Suite 690, Emeryville CA 94608
which would be slightly more accessible for service of writs, etc ...

from panix shell hosts motd:

. panix.net usable as panix.com (marcotte) Sat Jan 15 10:44:57 2005
.
. Until we resolve the issue of the domain "panix.com", we have set up
. the domain "panix.net" to include the same names and addresses as
. "panix.com".
.
. You may use this as a temporary solution for access to mail, webpages,
. etc. Wherever you would use "panix.com", you can replace it with
. "panix.net".

So let's see.. the users will see this when they log into shell.panix.net
(since shell.panix.com is borked).. Somehow, that doesn't seem to help much..

Not that there's any *better* solution, other than changing the top level of the
phone tree to say:

"Hi, we're out with baseball bats looking for the guys who broke panix.com.
In the meantime, you can use 'panix.net' as a temporary solution. If you've
tried this already and it still doesn't work, or if you have some *other* issue,
please press '9' now..."

(Been there, done that - we had a major mail hub outage a while ago, and tried
to get the word out by sending everybody a voice mail message, which our phone
system vendor *said* should work. We resisted the temptation to send everybody
e-mail saying the voice mail system was down... ;)

and the hijackers could be, potentially, running a box pretending to be
shell.panix.com, gathering userids and passwds :(

Hi!

> So let's see.. the users will see this when they log into shell.panix.net
> (since shell.panix.com is borked).. Somehow, that doesn't seem to help much..
>
> and the hijackers could be, potentially, running a box pretending to be
> shell.panix.com, gathering userids and passwds :(

Or put up a pop server, that's more likely used by more of their customers anyway.

The other question was a nice one also, did they have REGISTER-LOCK set for the domain?

Bye,
Raymond
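The two warning signs raised in this thread, a domain with no registrar transfer lock and a nameserver set that suddenly points somewhere unfamiliar (as in the host output posted above), are both things a domain holder can check for routinely. The following is an added example, written here and not posted by anyone on the thread: a small Python check that inspects a registry RDAP record's status list for a transfer lock (RFC 8056 spells EPP's clientTransferProhibited as "client transfer prohibited" in RDAP) and diffs host-style output against an expected nameserver baseline. RDAP itself postdates this 2005 discussion; the RDAP document, the nameserver names and the addresses below are all constructed sample data.

```python
"""Detect two hijack indicators: a missing transfer lock, and nameserver drift.

Sample data is constructed (RFC 5737 documentation addresses, .example names).
"""
import json
import re

# RDAP status strings that correspond to EPP transfer locks (RFC 8056 mapping).
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}

# Constructed RDAP documents: one without any lock, one with the client lock.
SAMPLE_RDAP_UNLOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["active"],
})
SAMPLE_RDAP_LOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["active", "client transfer prohibited"],
})

# Constructed baseline: the nameservers the operator expects to see.
EXPECTED_NS = {
    "ns1.example.net": {"192.0.2.1"},
    "ns2.example.net": {"192.0.2.2"},
}

# Constructed `host`-style output, in the same shape as the lines in the thread.
BASELINE_HOST_OUTPUT = """\
ns1.example.net has address 192.0.2.1
ns2.example.net has address 192.0.2.2
"""
SAMPLE_HOST_OUTPUT = """\
ns1.other.example has address 198.51.100.10
ns2.other.example has address 198.51.100.11
ns2.example.net has address 192.0.2.2
"""

HOST_LINE = re.compile(r"^\s*(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})\s*$")


def transfer_locked(rdap_doc: dict) -> bool:
    """True if the RDAP status list carries a client or server transfer lock."""
    statuses = {s.strip().lower() for s in rdap_doc.get("status", [])}
    return bool(statuses & TRANSFER_LOCKS)


def parse_host_output(text: str) -> dict:
    """Turn 'name has address a.b.c.d' lines into {name: {addresses}}."""
    observed = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            observed.setdefault(name, set()).add(m.group(2))
    return observed


def ns_drift(expected: dict, observed: dict) -> dict:
    """Report nameservers that were added, removed, or given new addresses."""
    exp_names, obs_names = set(expected), set(observed)
    readdressed = {n for n in exp_names & obs_names if expected[n] != observed[n]}
    return {
        "added": sorted(obs_names - exp_names),
        "removed": sorted(exp_names - obs_names),
        "readdressed": sorted(readdressed),
    }


def assess(rdap_json: str, expected_ns: dict, host_output: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    if not transfer_locked(json.loads(rdap_json)):
        findings.append("no transfer lock (clientTransferProhibited) on the domain")
    drift = ns_drift(expected_ns, parse_host_output(host_output))
    if any(drift.values()):
        findings.append(f"nameserver set differs from baseline: {drift}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_RDAP_UNLOCKED, EXPECTED_NS, SAMPLE_HOST_OUTPUT):
        print("ALERT:", finding)
```

Run against the constructed sample it reports both conditions; against the locked record and the baseline output it reports nothing. In practice the RDAP document would come from the registry's RDAP service and the host output from a resolver that is not the one under suspicion, and the check would run on a schedule so that a weekend transfer is noticed before the old registrar's staff return.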

> (Been there, done that - we had a major mail hub outage a while ago,
> and tried to get the word out by sending everybody a voice mail
> message, which our phone system vendor *said* should work. We
> resisted the temptation to send everybody e-mail saying the voice
> mail system was down... ;)

http://gallery.snark.net/etc/wtf2

I love it when I end up working somewhere that relies on Exchange (and
Exchange admins).

matt ghali

--matt@snark.net------------------------------------------<darwin><
              The only thing necessary for the triumph
              of evil is for good men to do nothing. - Edmund Burke