On Sun, Jan 16, 2005 at 02:22:59AM -0500, Paul G wrote:
----- Original Message -----
From: "Thor Lancelot Simon" <tls@NetBSD.org>
To: <nanog@merit.edu>
Sent: Sunday, January 16, 2005 2:04 AM
Subject: Re: panix.com hijacked (VeriSign refuses to help)
Alexis Rosen tried to send this to NANOG earlier this evening but it looks like it never made it. Apologies if it's a duplicate; we're
--- snip ---
how about trying to get in touch with the folks hosting the dns (on the off chance that they are honest and willing to help) and asking them to put up the correct panix.com zone?
The purported current admin contact appears to be a couple in Las Vegas who are probably the victims of a joe job. A little searching will reveal that people by that name really *do* live at the address given, and that one of the phone numbers given is a slightly obfuscated form of a Las Vegas number that either now or in the recent past belonged to one of them. Suffice to say it doesn't seem to be possible to get them to change the DNS.

Chasing down the records for the tech contact, and the allocated party for the IP addresses now returned for various panix.com hosts (e.g. 142.46.200.72 for panix.com itself), and doing a little gumshoe work, seems to show that they're all in some way associated with a UK holding company that, when contacted by phone, claims no knowledge of today's mishap involving Panix.com. It's possible that this set of entities was chosen specifically *because* its convoluted ownership structure would make getting it to let go of a domain it may or may not know it now is the tech contact for as difficult as possible.

Beyond the above, it's basically a matter for law enforcement. Who is really behind the malfeasance here is not clear, but what is clear enough to me at this point is that there is, in fact, some deliberate wrongdoing going on. Whether the point is just to harm Panix or to actually somehow profit by it I don't know, but I do note that an earlier message in this thread pointed out a very similar earlier incident involving MelbourneIT as the registrar, the same bogus new domain contacts, and another hapless U.S. corporate victim. I don't know if these are merely isolated attempts at harassment and mischief or the precursors to a more widespread attack.

What I do know is that I'm very concerned, Panix is quite literally fighting for its life, everyone we've shown details of the problem to is concerned -- including CERT, AUSCERT, and knowledgeable law enforcement personnel -- with the notable exception of MelbourneIT, whose sole corporate response has been one of decided unconcern, and VeriSign, who seem entirely determined to pass the buck instead of investigating, fixing, or helping. And so it goes.

Thor