Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Perl

Perl.com Domain Stolen, Now Using IP Address of Past Malware Campaigns (bleepingcomputer.com) 93

"The domain name perl.com was stolen and now points to an IP address associated with malware campaigns," reports Bleeping Computer: Perl.com is a site owned by Tom Christiansen and has been used since 1997 to post news and articles about the Perl programming language. On January 27th, Perl programming author and Perl.com editor brian d foy tweeted that the perl.com domain was suddenly registered under another person. Intellectual property lawyer John Berryhill later replied to the tweet that the domain was stolen in September 2020 while at Network Solutions, transferred to a registrar in China on Christmas Day, and finally moved to the Key-Systems registrar on January 27th, 2020.

It wasn't until the last transfer that the IP addresses assigned to the domain were changed from 151.101.2.132 to the Google Cloud IP address 35.186.238[.]101...

On the 28th, d foy tweeted that they have set up perl.com temporarily at http://perldotcom.perl.org for users who wish to access the site until the domain is recovered...

d foy has told BleepingComputer that it is not believed that the domain owner's account was hacked and that they are currently working with Network solutions and Key-Systems to resolve the issue. "I do know from direct communication with the Network Solutions and Key Systems that they are working on this and that the perl.com domain is locked. Tom Christiansen, the rightful owner, is going through the recovery process with those registrars."

"Both registrars, along with a few others, reached out to me personally to offer help and guidance. We are confident that we will be able to recover the domain, but I do not have a timetable for that," d foy told BleepingComputer.

The IP address that perl.com is now hosted has a long history of being used in older malware campaigns and more recent ones.

"Anyone using a perl.com host for their CPAN mirror should use www.cpan.org instead," advises an announcement page today at Perl.org, which d foy tweeted "is now going to be the source for the latest http://Perl.com info."

On Thursday d foy tweeted that "There's no news on the recovery progress. Everyone who needs to be talking is talking to each other and it's just a process now."
This discussion has been archived. No new comments can be posted.

Perl.com Domain Stolen, Now Using IP Address of Past Malware Campaigns

Comments Filter:
  • Rightful owner? (Score:3, Interesting)

    by saloomy ( 2817221 ) on Sunday January 31, 2021 @03:43AM (#61011516)
    Did Network Solutions incorrectly permit the transfer out? Pretty big error on their part, considering they transfer thousands of domains every day. Are they sure their bills were paid and their auto-renewals were turned on?
    • Re:Rightful owner? (Score:5, Interesting)

      by 93 Escort Wagon ( 326346 ) on Sunday January 31, 2021 @03:46AM (#61011524)

      I'm betting this boils down to another social engineering attack - someone at Network Solutions fell for a sob story.

      If that's the case, I hope that person gets additional training rather than getting fired.

      • Re:Rightful owner? (Score:5, Insightful)

        by Mr. Barky ( 152560 ) on Sunday January 31, 2021 @11:32AM (#61012320)

        If that's the case, I hope that person gets additional training rather than getting fired.

        “Recently, I was asked if I was going to fire an employee who made a mistake that cost the company $600,000. “No”, I replied. “I just spent $600,000 training him – why would I want somebody to hire his experience?” -- Thomas John Watson Sr., IBM

        He already got his training :)

        • Simple answer: fire the trainers.

          I've made mistakes that disabled production systems. They were usually, though not always, mistakes that I'd tried to put in protections for, ranging from syntax checkers for configuration management tools to designing systems with smaller, modular components that could failover more gracefully. My current favorite vulnerability is high-cost, extremely sophisticated high-availability structures that, burdened with multiple other layers of failover, _themselves_ disable criti

        • If he learned. We have a guy who has screwed up causing all-hands-on-deck customer emergencies, yet he doesn't seem to learn and doesn't apologize or seem remorseful. Probably a third of our technical debt is just from him. And he's still around...

          • One infers that the multiple miscreant knows - in a very literal sense - where the bodies are buried.

            And I don't mean practical human taphonomy studies [wikipedia.org].

            Has anyone compared the blood groups of the CEO and the largest share-holders oldest child?

            • I have seen a trend with companies that had been start-ups relatively recently. That is, friends hire friends, regardless of competence. And employees who were around in the early days get extreme lenience in what they do or don't do.

    • Re:Rightful owner? (Score:4, Informative)

      by gmack ( 197796 ) <gmackNO@SPAMinnerfire.net> on Sunday January 31, 2021 @06:11AM (#61011738) Homepage Journal

      You make it sound like Network Solutions has never made that sort of mistake before. NetSol is one of the least secure registrars and has a history of transferring domains over the phone or with a fax. The most famous case was of course sex.com where they argued that they had no responsibility to even try to fix the problem. [circleid.com] There are still scattered reports of domains being stolen from them.

      • The risk is compounded with poor quality SSL registrars, who will sign .com SSL signatures with little to no verification and help ensure that faked domains are permitted by most web browsers.

    • Re:Rightful owner? (Score:4, Interesting)

      by hcs_$reboot ( 1536101 ) on Sunday January 31, 2021 @08:47AM (#61011994)
      If you look at the whois

      Updated Date: 2021-01-27T12:43:15Z
      Creation Date: 1994-08-16T04:00:00Z
      Registry Expiry Date: 2031-01-26T15:26:42Z

      usually domains rental is for N years, so it seems here that perl.com was not renewed before 16 Aug 2020 (or even before). In that case the registrar usually releases the domain. (btw, the new expiration date in 2031, good luck to get it back)
      • Re:Rightful owner? (Score:5, Informative)

        by TheNameOfNick ( 7286618 ) on Sunday January 31, 2021 @11:29AM (#61012304)

        That's not how that works. You can renew a domain at any time, adding years to its expiration date. If you pay a new registrar for a year, and the registrar pays the registry for a year, that year is added onto the domain lifetime (up to a maximum of 10 years). Archived whois records from 2018 show that back then the domain was set to expire in 2028. The shenanigans started in 2020. It is highly implausible that the domain was lost due to expiration.

        • You can renew a domain at any time, adding years to its expiration date

          Of course. This is exactly what I'm saying. Any year purchased is added to the current life of the domain, i.e. no fraction of a year is added. Since the domain was created on Aug 16, its current expiration date should show 20xx-08-16 if there was no interruption. It does not. Thus it's likely that the domain expired, and was re-rented a few months later. 2028: there are several possible reasons behind 2028 vs 2031, none of them invalidate the expiration theory...

          • No, there is a maximum of 10 years. At the time the domain was taken over, it already had a remaining lifetime of close to 10 years. The renewed lifetime (9 years and a few months plus another year) after the fraudulent transfer was capped to 10 years from the date of renewal. This domain did not expire.

            • I didn't get the sequence of events quite right there, but the conclusion remains. This domain did not expire. When the domain was hijacked to the Chinese registrar, its lifetime was extended until 2030-08-15. Only with the second move to the next registrar (on 2020-01-27) and the implied one year extension was the renewal truncated to 2031-01-26.

            • You could be right actually. ( https://twitter.com/briandfoy_... [twitter.com] ).
              NetSol ... why people keep using that registrar / mail / web host is a mystery ...
  • You should too. You can easily add domains like this to the blocked list and then forget about ever accidentally ending up there.
  • The domain will be restored on Christmas, right after perl6 is released.
  • > the IP addresses assigned to the domain were changed... to the Google Cloud IP address ...The IP address ... has a long history of being used in older malware campaigns and more recent ones.

    You'd think Google would have the technology to search for who's been paying them to use that address.
  • by thesjaakspoiler ( 4782965 ) on Sunday January 31, 2021 @08:26AM (#61011966)
  • This is why I don't like languages that dynamically update from places out on the web. I want each update of libraries to be intentional. And I'm looking at things like Rust and go when I say that. (Yes, they've got ways around the auto-update. So does Perl. And I didn't mention Javascript, because it's got worse problems.)

  • Registering a public key and having to sign all your registration requests with that seemed like a much more secure way than what is done now. Not only that but it seemed easier to me. I miss it.
  • by Anonymous Coward on Sunday January 31, 2021 @02:45PM (#61012776)
    There is more than one way to do it...

If all else fails, lower your standards.

Working...