hijacked (VeriSign refuses to help)

Thor Lancelot Simon tls at
Sun Jan 16 07:40:25 UTC 2005

On Sun, Jan 16, 2005 at 02:22:59AM -0500, Paul G wrote:
> ----- Original Message ----- 
> From: "Thor Lancelot Simon" <tls at>
> To: <nanog at>
> Sent: Sunday, January 16, 2005 2:04 AM
> Subject: Re: hijacked (VeriSign refuses to help)
> >
> > Alexis Rosen tried to send this to NANOG earlier this evening but it
> > looks like it never made it.  Apologies if it's a duplicate; we're
> --- snip ---
> how about trying to get in touch with the folks hosting the dns (on the off
> chance that they are honest and willing to help) and asking them to put up
> the correct zone?

The purported current admin contact appears to be a couple in Las Vegas
who are probably the victims of a joe job.  A little searching will
reveal that people by that name really *do* live at the address given,
and that one of the phone numbers given is a slightly obfuscated form
of a Las Vegas number that either now or in the recent past belonged to
one of them.

Suffice to say it doesn't seem to be possible to get them to change the

Chasing down the records for the tech contact, and the allocated party
for the IP addresses now returned for various hosts (e.g. for itself), and doing a little gumshoe work,
seems to show that they're all in some way associated with a UK holding
company that, when contacted by phone, claims no knowledge of today's
mishap involving  It's possible that this set of entities was
chosen specifically *because* its convoluted ownership structure would
make getting it to let go of a domain it may or may not know it now is
the tech contact for as difficult as possible.

Beyond the above, it's basically a matter for law enforcement.  Who is
really behind the malfeasance here is not clear, but what is clear
enough to me at this point is that there is, in fact, some deliberate
wrongdoing going on.  Whether the point is just to harm Panix or
to actually somehow profit by it I don't know, but I do note that
an earlier message in this thread pointed out a very similar earlier
incident involving MelbourneIT as the registrar, the same bogus new
domain contacts, and another hapless U.S. corporate victim.

I don't know if these are merely isolated attempts at harassment and
mischief or the precursors to a more widespread attack.  What I do know
is that I'm very concerned, Panix is quite literally fighting for its
life, everyone we've shown details of the problem to is concerned --
including CERT, AUSCERT, and knowledgeable law enforcement personnel --
with the notable exception of MelbourneIT, whose sole corporate response
has been one of decided unconcern, and VeriSign, who seem entirely
determined to pass the buck instead of investigating, fixing, or helping.

And so it goes.

