Let’s call it what it is. It’s not a domain taken over by squatters. The domain was stolen.
I’ve seen other domains get stolen recently, it seems to be about the same time.
Patterns dot com
Piracy dot com
Perl dot com
All stolen at around the same time.
With Patterns, the thief hacked the Network Solutions account, put the domain under privacy, transferred it to a Chinese registrar, and then put the old WHOIS data back. They then tried to sell it on Sedo and Afternic for 10 percent of what it’s worth.
I have been able to get Sedo and Afternic to remove the listings. But Patterns has not been returned to its owner after about two months. Still working with the owner and registrars on that.
My advice is to lock down your domains, register them for at least 5 years, and if there are changes deal with them quickly. Once a domain is transferred it’s much harder to get back. It can be done, but it’s a lot of work to unravel it all.
Correct. Use a registrar with 2FA using authenticator or hardware key. No SMS 2FA. Rolling 5 year renewals will work for not letting the domain expire, but not for this scenario.
Yes. At the time, and with the information available, it looked like an isolated incident. It now appears that this affects several, dozens maybe, or potentially many more domains after what appears to be a social engineering attack at a registrar. Check your domains!
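An added example, not part of the original thread: one way to act on the "check your domains" advice is to keep a trusted snapshot of each domain's RDAP record and diff it against the current one. Because the thief described above put the old WHOIS data back after the transfer, the check looks at the registrar, transfer lock, transfer event and nameservers rather than registrant fields. The two records are constructed samples in RDAP (RFC 9083) shape for a placeholder domain, and the helper names are hypothetical.

```python
LOCK = "client transfer prohibited"  # RDAP form of EPP clientTransferProhibited

def registrar_of(rdap):
    """Name (vCard 'fn') of the entity holding the 'registrar' role."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def event_date(rdap, action):
    """Date of the first event with the given eventAction, or None."""
    return next((e.get("eventDate") for e in rdap.get("events", [])
                 if e.get("eventAction") == action), None)

def nameservers(rdap):
    return sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", []))

def audit(baseline, current):
    """Compare a trusted snapshot with the current record; return findings."""
    findings = []
    if LOCK not in [s.lower() for s in current.get("status", [])]:
        findings.append("transfer lock not set")
    old, new = registrar_of(baseline), registrar_of(current)
    if old != new:
        findings.append(f"registrar changed: {old} -> {new}")
    moved = event_date(current, "transfer")
    if moved and moved != event_date(baseline, "transfer"):
        findings.append(f"new transfer event: {moved}")
    if nameservers(baseline) != nameservers(current):
        findings.append("nameservers changed")
    return findings

def snapshot(registrar, status, ns, transfer=None):
    """Build a constructed RDAP-shaped record for the placeholder example.com."""
    events = [{"eventAction": "expiration", "eventDate": "2029-01-01T00:00:00Z"}]
    if transfer:
        events.append({"eventAction": "transfer", "eventDate": transfer})
    fn = ["fn", {}, "text", registrar]
    return {"ldhName": "example.com", "status": status, "events": events,
            "entities": [{"roles": ["registrar"], "vcardArray": ["vcard", [fn]]}],
            "nameservers": [{"ldhName": n} for n in ns]}

# Constructed sample data, not taken from any real registry response.
BASELINE = snapshot("Registrar A (constructed)", [LOCK], ["ns1.example.net"])
CURRENT = snapshot("Registrar B (constructed)", ["active"],
                   ["ns1.example.org"], transfer="2021-01-01T00:00:00Z")
```

Run on a schedule against a stored baseline, any non-empty result from `audit` is a reason to contact the registrar immediately, since the thread stresses that recovery gets harder with every further transfer.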
Looking at whois history sites, it looks like the domain was owned by Tom Christiansen aka tchrist, who wrote Programming Perl, Learning Perl and the Perl Cookbook.
The record wasn't supposed to expire until 2029, so not sure how the squatters got this domain.
Thanks to everyone who has given advice and helped us develop a timeline of the incident. I'm not part of the network and asset management: I'm a mere editor of the website.
The current registrar has contacted me. They've locked the domain and we need to submit some paperwork. It shouldn't be that big of a deal even though it's annoying. All of this was handled quickly (12 hours) because of the attention to the internet in general.
That's great news, Brian. The key here is that it was handled quickly. The longer it goes on unnoticed, the more difficult it becomes to unravel, as a domain gets transferred from registrar to registrar and from owner to owner.
I can confirm that Neurologist dot com and Chip dot com were also stolen at the same time. There may be others.
checking whois for each of those domains, my first thought is I sure hope Key-Systems didn't get owned :|
EDIT: On a side note: If this[1] is true, looks like the attacker may have compromised another registrar that perl.com used (Network Solutions), moved domain to another registrar, then KS. Still a big concern though
Floodgap was part of this. I just talked to a very helpful person in NetSol's security department and she looked through the ticket. It was initiated by a web chat, and they produced official looking but completely fraudulent documents (photo ID, utility bill, business license, etc.) to prove identity, so this was socially engineered and apparently for multiple domains. They're supposed to contact me tomorrow for more on the post mortem.
If documentation is key, then perhaps have a service that will take your documentation, hash it, and then you can store the hash on your domain root (much like Google Analytics).
Then if you lose the domain, you have wayback machine style proof that the domain originally had these docs associated with it.
(I can see some downsides to this but what do people think?)
> We're still trying to unravel this and I can't get into details. However, it looks like there was an account hack. I don't know how long that would take to rewind. We're looking for people who have actual experience dealing with that situation so we can dispute the transfer. If you've actually gone through that process, please get in touch.
> The perl.org and perl.com domains are unrelated and have different rightful registrants, so this doesn't affect perl.org.
I was wondering why none of the links were working. I was trying to read on the beginnings of Perl6 (now Raku) design (such as in https://www.perl.com/pub/2000/11/perl6rfc.html/) and also check some States of the Onion. At least everything is currently accessible either through the Wayback Machine or here: https://perldotcom.perl.org/
What is the full story behind this? How did it happen? Was it a domain hijack? Did someone forget to pay the bill? Do I need to worry about this for my domains?
From what I can see Perl the programming language has its home at perl.org, which is running fine. The .com does not show up prominently when googling for perl. Based on Google's cache it seems it was some kind of programming-related news page. Was it relevant/popular in the Perl community?
Historically, it was the Perl web site for a long time. It was registered by Tom Christiansen in 1994 and soon afterwards, he let O'Reilly run it - and they used it to post useful Perl news and articles for a long time.
But O'Reilly's interest in Perl waned and it sat, moribund, for several years (which probably explains its lack of Googlejuice).
A few years ago, the Perl community approached Tom and he let them take over running it. The team behind the PerlTricks web site ported over all the old articles and had been posting new ones. It had become a pretty useful resource again.
So, yes, it would be a shame to lose it. But from what brian has posted elsewhere on this thread, that seems unlikely to happen.
[+] [-] bhartzer|5 years ago|reply
[+] [-] xsc|5 years ago|reply
[+] [-] leejo|5 years ago|reply
[+] [-] zz28|5 years ago|reply
[+] [-] erikkri|5 years ago|reply
[+] [-] cpach|5 years ago|reply
[+] [-] xsc|5 years ago|reply
[+] [-] briandfoy|5 years ago|reply
[+] [-] bhartzer|5 years ago|reply
[+] [-] superasn|5 years ago|reply
> @xsc: Looks like this breach also affected http://piracy.com http://chip.com http://neurologist.com along with http://perl.com (https://www.afternic.com/listings/drawmaster)
[+] [-] EvangelicalPig|5 years ago|reply
[1] https://nitter.net/DInvesting/status/1354778895749419013
[+] [-] classichasclass|5 years ago|reply
[+] [-] eruci|5 years ago|reply
[+] [-] lifeisstillgood|5 years ago|reply
https://www.icann.org/news/blog/documentation-is-key-to-reco...
[+] [-] grumple|5 years ago|reply
1. https://www.reddit.com/r/perl/comments/l6d8ws/perlcom_unfrie...
[+] [-] asicsp|5 years ago|reply
[+] [-] mzs|5 years ago|reply
briandfoy 1 hour ago
https://www.reddit.com/r/perl/comments/l6d8ws/perlcom_unfrie...
[+] [-] andredz|5 years ago|reply
[+] [-] chriszhang|5 years ago|reply
[+] [-] hannob|5 years ago|reply
[+] [-] davorg|5 years ago|reply
[+] [-] beermonster|5 years ago|reply
[+] [-] st_goliath|5 years ago|reply
[1] https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Do...
[+] [-] PurpleFoxy|5 years ago|reply
[+] [-] FerretFred|5 years ago|reply
[+] [-] namelosw|5 years ago|reply
[+] [-] cutler|5 years ago|reply
[+] [-] Tepix|5 years ago|reply