New York's Oldest ISP Gets Domain-Jacked

Howard Roark writes "Panix, the oldest commercial Internet provider in New York, had its domain name 'panix.com' hijacked by persons unknown. The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

Panix

[UnCivil+Liberty]

One domain hijacked and another soon to be slashdotted, sucks to be them.

Just in case:
"Status as of Sat Jan 15 22:04:33 EST 2005

Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site."

Their catch phrase "Your $HOME away from home" is quite cute.

Total Hypocrisy, Michael

[Jewcatur]

Wow, total irony here

Do you realize how hypocritical that Michael is posting this story when Michael himself hijacked censorware.org from the people it belonged to? I reproduce the story here (you can read the original here:

h2>Michael Sims, Domain Hijacking and Moral Equivalency by Jonathan Wallace jw@bway.net

How would you feel if your webmaster maliciously took your web-site offline, then, when you demanded its return, put up a site attacking your company at your old URL? It happened to a group I was involved in, the Censorware Project, currently at http://www.censorware.net. The purpose of this essay is to put the behavior on record, and to give you some impressions and inferences about it.

The Censorware Project was originally an informal collective of six people who collaborated online to fight censorware: Seth Finkelstein, Bennett Haselton, Jamie McCarthy, Mike Sims, Jim Tyre and myself. Several of us had never met or even spoken on the phone, yet for some time -- around two years as I recall -- we had a remarkably easy collaboration. There was no funding, no hierarchy, no titles, not even project managers. Someone would suggest a project and take the responsibility for a part of it, others would sign up for other elements, and proceeding this way we got a remarkable amount of work done, including reports on X-Stop, Cyberpatrol, Bess and other censorware products.

Even though two of us were attorneys -- Jim and myself -- we never incorporated the group or wrote a charter or any contracts among ourselves. Mike Sims was obliging enough to register the domain, just as other members paid for press releases and the other incidental expenses which came along. Mike also served as webmaster of the censorware.org site and did substantial work for the group, including writing contributions to several of the reports and lead authorship of at least one. Seth was the source of our decrypted censorware blacklists and managed many technical tasks, but later felt he had to leave the group because of the increasing prospects of a lawsuit, particularly under the Digital Millennium Copyright Act (DMCA). After Seth left the group, the remaining five continued.

Robert Frost said that "nothing gold can stay," and the Censorware Project was no exception. Over the summer of 2000, Mike Sims' reaction to a perceived slight from Jim Tyre was to take the site down for a week. He sent us mail at the time saying something like "The Censorware Project is now closed." I replied to him that, given that the group was a collective and we all had an interest in its work product, the domain, and the goodwill it had achieved, the decision was not his to make. Sims did not reply.

After Seth created a partial, text, mirror, Mike put the site back up a week later without explaining, let alone apologizing for, his actions. Given his continuing failure to answer any email from me (and I think from others) and the overall signs that Sims thought the group was exclusively his, I wrote him several emails requesting that he turn the domain over to Jamie or Bennett, as I felt we could no longer trust him to administer it. We also found out during that time that important email from people trying to contact us, including members of the press, was not being answered by Sims, nor being forwarded to other members.

I ultimately became exasperated that my name was listed as a principal on what had now become a "rogue" site I had no control over. Over about

This happens quite a bit...

[eviljim]

It's not surprising this has happened. Many, many companies do not take administrating their domain seriously, and several registrars -- Network Solutions especially -- make it very easy to steal domains.

I know this from experience -- many years back one morning I woke up and Excite.com, Angelfire.com, and a few other domains were mysterically owned by me. The only thing the hijacker needed to do (it wasn't me, by the way) was send in a single email. Old Story at Wired.

Rogue registrars?

[tjls]

I tried to post about this about 10 hours ago, but no luck. Sigh.

What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever (this violates all the relevant RFCs for the Shared Registration System and the current ICANN policy *and* seems to indicate a severe bug or security problem somewhere in the registration system).

What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm) and won't do anything to help. There are lots of ugly details in the NANOG mailing-list archive, particularly in this message from Perry Metzger, this message from Richard Cox, and this message from me, which includes a slimy note from some customer-service flack at Verisign.

This has clearly happened to others in the past, and highlights a serious flaw in the current registry-registrar system. We are not 100% sure how the domain was transferred between registrars with no notice to anyone (though I have some hunches I won't go into here right now) but consider this: a rogue or penetrated registrar can effectively put you out of business for the duration of the ICANN complaint and appeals process, with no notice, and there may be nothing you or anyone else can do about it short of extremely expensive legal action, even if you get law enforcement involved. Yuck.

Re:Rogue registrars?

I've worked for Melbourne IT, and can add a little here. I've got a little bit of info on the situation.

It's currently about 9pm on Sunday night in Melbourne. People have been alerted. Things _are_ moving. People are most certainly aware of the situation and are working to get to the bottom of it.

The tech contact address (admin@powerhost.co.uk) is that of one of Melb IT's UK resellers, Fibranet. Its presence would indicate the transfer was initiated under that reseller's account and their access to Melb IT's systems. Possibly (I'm speculating) someone may also have got access to the reseller's account other than the reseller.

It wouldn't surprise me if whoever did this intentionally did this near midnight Saturday, Melbourne time, near the start of Melb IT's longest point of having the office closed (midday Saturday to 8am Monday, Melbourne time). During the week there are staff on 24 hours.

I don't speak for Melb IT here, but I really think they're copping a lot of shit for something that's not their fault. I'm not claiming they're perfect, but hell - this was done when nobody was in the damned office. They're not _evil_ there (or perfect - just human) and would never initiate anything that'd bring down this much bad press.

Someone's playing games and using Melb IT as a tool. It'll all get untangled before long and we'll find out who's really to blame for this.

How This Can Happen

[ErichTheWebGuy]

See this story on Netcraft, which details the recent policy change by ICANN.

In short, if someone initiates a transfer request, you then have 5 calendar days to respond, or else the transfer happens unopposed. You can prevent this by activating the REGISTRAR-LOCK feature on your domain name. The procedure varies by registrar, but it's usually called "domain lock" or something similar. All registrars have to at least give you the option of requesting this feature.

Some registrars (godaddy, I know for sure does) activate this lock by default, Some require you to activate it explicitly. Check with the support dept. at your registrar for further details.

Re:More details, please...

[Gendalia]

Panix's registrar has no record of the transfer request. Dotster's whois shows that the domain needs to be renewed by April.
Registrant:
Public Access Networks Corp.
15 West 18th Street, 5th floor
New York, NY 10011
US

Registrar: DOTSTER
Domain Name: PANIX.COM
Created on: 22-APR-91
Expires on: 23-APR-05
Last Updated on: 15-JAN-05

Administrative, Technical Contact:
Hostmaster, Panix hostmaster@panix.com
Public Access Networks Corp.
15 West 18th Street, 5th floor
New York, NY 10011
US
212-741-4400
212-741-5311

Domain servers in listed order:
NS1.ACCESS.NET
NS2.ACCESS.NET

End of Whois Information

Re:Deal with the Devil

[tjls]

Nice try, troll.

To answer your "questions", no and no.

Panix has been deeply involved in efforts to promote and protect Internet security since, I'd wager, long before you even had access to the Internet at all. I should know -- within two months of my first coming to work at Panix in 1993 the majority of my work was shifted from normal system administration to security.

The very first NY Times article (possibly the first national newspaper article at all) on the subject of Internet security featured Panix' heroic efforts to publicize and mitigate a series of network sniffer attacks that had been previously kept under wraps, and compromised the security of thousands of Internet users (at a time when the total population of the Internet was only a few tens or perhaps hundreds of thousands). Panix played a key role in the emergence of full-disclosure security lists by refusing to sit still while vendors and CERT (don't get me wrong. CERT is good. They just weren't then) conspired to cover up known vulnerabilities for years at a time. And so forth.

To this day, security remains a major focus at Panix. It has to -- they're the oldest, most prominent, and one of the largest (if not the largest) shell ISPs still out there, and their users won't tolerate system outages caused by security failures, or security failures that compromise those users' own security. In general, if you find Unix timesharing systems the size of Panix, they're at universities; and look at those folks' security records. Panix, on the other hand, is worlds better.

To respond to your other happy fun mudslinging, Panix has not and does not tolerate "online crimes" by its users, whether your invented "user" Kevin Mitnick or anyone else. Never did, doesn't now; security is important to Panix; it is essential to their business; and so is the health of the Internet itself.

Depending how you count, Panix is the second or third oldest consumer ISP in the world. Panix has been around long enough to remember the times when if they had a security incident, a significant fraction of the Internet shuddered (e.g. when we were offline for two days for security reasons in 1994, traffic on Usenet as a whole fell considerably). It would be hard to find any business on the Internet more fundamentally concerned that its own security problems not impact others than Panix has been, and is.

Which, of course, is quite a different attitude than that exemplified by some other businesses mentioned in this thread.

This just in!!!

(Posted by Ed Ravin [staff]) Sun, Jan 16 2005 -- 5:41 PM
----------------
Recovery is underway from the panix.com domain hijack.

The root name servers now have the correct information, as does the WHOIS registry. Portions of the Internet will still not be able to see panix.com until their name servers expire the false data. More info soon.

-- Ed