17 January 2005
If you're following the domain hijacking at Panix, you might be interested in today's MOTD, which reads as follows:
This is a (relatively) brief statement about the hijacking and return of the panix.com domain name. In the days and weeks to come, we'll have more to say, but at the moment, we need to continue to work on finding the perpetrators, or else catching up on missed sleep. (That's a lot of catching up!)
The domain was transferred by parties unknown. It took effect around 4-4:30 AM EST Friday night/Saturday morning. The incorrect data was replaced by correct data shortly after 6PM EST Sunday evening, by the new registrar. The domain will be transferred back to the old registrar soon, but this is no longer urgent.
Neither the hijacking nor the return was under Panix's control. That is, they involved the manipulation of third parties (Dotster, MelbourneIT, and Verisign) that control the use of domain names on the Internet, and which neither Panix nor any other ISP controls.
The effect of the transfer was simple: the name "panix.com", and any name ending in ".panix.com", pointed to servers that did not belong to Panix. That meant that all services provided using the panix.com name failed, and mail to panix.com was accepted by the bogus servers, then bounced as undeliverable. Sometime on Saturday, however, the bogus mail servers became unavailable. So a lot of mail sent after that time will be (or has already been) delivered.
Customers with their own domain names were generally unaffected by this problem, with the notable exception of some web service customers. The problems they experienced were due to use "behind the scenes" of the panix.com name in the delivery of their service. This was fixed well before the domain was returned to us, as we changed our service to use "panix.net" instead.
The effects of the hijacking were not immediately apparent to everyone, because of the effect of "DNS caching". It takes up to 24 hours for DNS changes to become visible (depending on how recently, before the change, that name was used). So the failure wasn't noticed by some people for up to 24 hours after it started, and similarly, it will take until about 6:15PM EST on Monday for the fix to affect everyone.
This hijacking involved multiple felonies here and abroad. Many members of law enforcement agencies in the US and at least three other countries have already been involved. We hope to catch the perpetrators, just as we caught the last person to attack Panix (several years ago). For obvious reasons, we can't discuss the investigation.
Because of the scope of the problems caused by this hijacking, we may not be able to respond to each individual customer query (either by email or in the newsgroups) as well as we'd like to. We'll try to answer the questions as best we can, but we may resort to mailing back a "FAQ" (Frequently Asked Questions) sheet. I also recommend that Panix customers refer to the "panix.questions" newsgroup, which contains lots of questions and quite a few answers, though in a somewhat chaotic format.
Please be patient if we don't respond to your mail instantly. It's been an incredibly difficult weekend, and the next few days are going to be only marginally less so.
As always, I'd like to thank the many customers and friends who sent in expressions of loyalty and support (even financial support!).
This can't have been easy on anybody at Panix these past few days. It's good to see that some semblance of normalcy is being attained.
Why Panix, anyway? A support person at Panix, having read my previous article, detailing an earlier attack on them, noted:
I guess we're a favorite target because we have historical name recognition and a certain reputation for skill and know-how, so it's a bigger coup in the eyes of the fellow pond scum when one of them manages to make our lives difficult. Eh well.
If nothing else, this should demonstrate pretty clearly the kinship between computer vandals and terrorists: the mindset is almost identical.
Posted at 9:51 AM to PEBKAC