Panix.com DNS Hijacked - Users, company, await resolution

**Vin DSL** · 01-17-2005, 01:52 AM

Interesting story of the day...

First seen on NANOG (North Atlantic Network Operators Group), the oldest IP service provider in NYC has just had its domain hijacked.

panix.com has apparently been hijacked. It's now associated with a
different registrar -- melbourneit instead of dotster -- and a
different owner. Can anyone suggest appropriate people to contact to
try to get this straightened out?

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Apologies for what may be another duplicate message, probably with broken
threading. This is Alexis Rosen's original posting to this thread; we
think the mail chaos caused by the hijacking of panix.com kept it from
ever reaching the list (but, flying mostly-blind, we aren't sure).

On Sat, Jan 15, 2005 at 10:27:31PM -0500, Steven M. Bellovin said:
panix.com has apparently been hijacked. It's now associated with a
different registrar -- melbourneit instead of dotster -- and a
different owner. Can anyone suggest appropriate people to contact to
try to get this straightened out?

Hi, all.

I hate to pop my head up after years of lurking, only when things are
going bad, but probably better that than remaining silent.

First of all, I'm going to be bounced from this list once its cache of
my DNS times out, which will probably be in about 2-3 hours, so if you have
anything to say that you'd like me to see, please copy me. We're temporarily
accepting mail at panix.net in addition to panix.com, so use alexis (at)
panix.net.

A few points to respond to:
First, Eric, thanks for contacting Bruce and Eric on my behalf. While
nothing has happened so far, I hope that it will soon, and in any case
I appreciate your efforts to help a total stranger.

Someone asked if we had registrar-lock set. It's not clear to me what
happened. Our understanding is that we had locks on all of our domains.
However, when we looked, locks were off on panix.net and panix.org, which
we own but don't normally use. It's not clear how that happened; dotster
has yet to contact us with any information about, well, anything at all.
They did answer a call this morning; they're apprently in the middle of
an ice storm. All I was able to larn from them is that according to the
person I talked to, they had no records of any transfer requests on our
domain from today back through last October.

Someone suggested invoking a dispute procedure. We'll do that, as soon as
we can get someone to actually accept the dispute, but if it goes through
that process to completion, many people will suffer, and Panix itself will
be tremendously damaged. How long do you think even our customers will
stay loyal? (Forever, for many of them, but that doesn't mean the won't be
forced to start using a different service.)

While it's true that MelbourneIT won't do anything before (their) Monday
morning, I don't want to paint them as bad guys in this drama. I don't
know how they're organized and I don't know how difficult it is for them
logistically. Of course I want them to move faster. Much faster. But I'll
take what I can get.

And speaking of MIT, I don't intend to send them "nastygrams" - nor NSI
either. Neither of them owes me anything (at least directly) and being
heavyhanded would not be a good way to get what I want (restoral of the
panix.com domain to dotster) even if I thought they deserved it. I expect
that there will be criminal prosecutions arising out of this, but the time
for that sort of thing is later, when things are back to normal, and we've
fixed any systemic vulnerabilities that can be fixed before they're used
to wreak mass havoc. And it's anyone's guess who the target of those
prosecutions will be, but I doubt MIT or NSI will be among them.

Lastly, someone expressed surprise that I'd call MIT's lawyer directly.
I didn't. I spent *hours* trying to find working contact info for MIT and
Dotster. I didn't find useful 24-hour NOC-type info anywhere. (Someone
obviously has this info; I expect it's restricted to a list of registrars.)
I reached Dotster's customer support when they opened for business Saturday
morning; the guy was polite, and did what he could, but I saw no evidence
whatsoever of the promised attempt to assist me after he got off the phone.
MIT apparently has no weekend support at all; I finally located their CEO's
cellphone in an investor-relations web page. I caled him, and he had his
lawyer call me back. That was his choice. FWIW, she's not "just" a lawyer;
she's apparently the person who has to make decisions about reverting
control of the domain. So she at least needs to be aware of our position.
My impression is that she didn't fully grasp the gravity of the situation,
and so treated us like she'd treat any other annoying customer who managed
to track her down on her day off. This is somewhat understandable (though
infuriating) which is why I'd hoped to talk to someone on their tech side
first. No luck there, but if any of this reaches them, maybe that will
start things going.

Thanks again to everyone who has tried to help us today.

/a

SOURCE: http://www.merit.edu/mail.archives/nanog/msg04242.html