Web Site Hijacking... - DPChallenge Forums

11/02/2005 01:34:06 PM · #1

I am curious to learn more about what could have happened to a recently-registered domain name... just wondering if anyone else has had a similiar experience.

I have been the webmaster of www.amber-brkich.com for quite a while (she's a former Survivor contestant, and was also on The Amazing Race last season with her now-husband.

Now that she's married, Amber registered a new domain to reflect that the site will be more for her and her husband now... she registered www.robandambermariano.com a couple weeks ago.

She provided me with the log-in information for the site, and I set the name servers to point at our host so this domain would simply point to the existing site. And all of that went just fine.

Yesterday, I got an e-mail from Amber wondering why the site now points to some random crap, advertising hotels, cheap flights, etc.??? It's pointing to "qsrch.com," which I've never heard of.

The DNS servers have been changed to this qsrch.com place, and I can no longer log into the account! WTF???

I'm just wondering if anyone can explain how this hijacking could have occurred. I called GoDaddy yesterday, but there's a PIN number associated with the account which I don't have, so they couldn't be a whole lot of help...

ralph

Tamron SP AF 28-75mm f/2.8 XR Di for Canon

11/02/2005 01:39:45 PM · #2

my guess is that is a place holder till there is real pages in the account

look at dnsreport.com for better information ...

Message edited by author 2005-11-02 13:40:35.

Canon EOS-20D

11/02/2005 01:48:42 PM · #3

Very curious, indeed. The domain appears to be registered to Navigation Catalyst Systems, Inc according to the whois information. GoDaddy couldn't provide you with any information? Like a confirmation that Amber had actually registered it? Does she have the PIN?

I know there are other ways for this to happen but I would ask to see any information that she received and responded to regarding the registration of the domain. The owners of a few domains that I've registered on their behalf have received "renewal" letters that look awfully convincing but are actually designed to have them sign away their rights or sign themselves over to a different registrar. Maybe she received something and responded to it?

fotomann_forever

11/02/2005 01:54:11 PM · #4

Originally posted by mk:

Maybe she received something and responded to it?

That seems like the most likely scenario. While it's not impossible, it's hard to "steal" a domain without some sort of fraud being involved.

Canon EF 100-400mm f/4.5-5.6 L IS

11/02/2005 02:07:09 PM · #5

It's definitely not a placeholder... the domain was working just fine shortly after I set the DNS servers. This stuff really grabs my goat... I don't have her PIN number, so I'm only getting so far with the GoDaddy people.

The bad thing is that she's on a press tour at the moment, and has been on several nationally televised shows where she's mentioning the site! AAAH!

Strikeslip

Canon EOS-5D

11/02/2005 02:28:08 PM · #6

I would think that if someone were goin to knowingly hijack a domain name, they wouldn't do it to link it to some lame search engine. I think it's some sort of screwup. Maybe a bad router? ;-)

Stagolee

Kodak Easyshare C180

Canon EF 50mm f1.2 L

11/02/2005 02:45:42 PM · #7

Originally posted by mk:

This is a big problem in Australia, 2 companies are notorious for it. I think this could explain it.

Prof_Fate

11/02/2005 03:43:56 PM · #8

When you have a name registered with GoDaddy you go to the domain name management console page and you have the option to lock the name. This prevents anyone, even you , from messing with it.

Not that i see how that would matter - if i have to log in and unlock, then anyone that can log in can unlock too. If they can't log in, then they should not have access to change things.

If anyone tries to mess with it, the person listed as a contact will get an email.

I am up on this cause i am in teh process of transferring a name to someone else as i gave up being webmaster.

Tamron SP AF 28-75mm f/2.8 XR Di for Canon

11/02/2005 04:19:18 PM · #9

Originally posted by Prof_Fate:

When you have a name registered with GoDaddy you go to the domain name management console page and you have the option to lock the name.

The domain was locked when she gave me the account information... I unlocked it to change the DNS, and locked it again afterwards. It was unlocked for a period of no more than 5 minutes...

Prof_Fate

11/02/2005 04:23:32 PM · #10

Its those damned terrorists!

Message edited by author 2005-11-02 16:23:39.

jab119

11/02/2005 04:25:24 PM · #11

I wonder is someone is hacking the server where the site is located.

my web site got hacked several time this year. I would delete .asp and html files they placed to mess my site up and re-upload my stuff they deleted.

this went on for about 3 weeks before my host finally locked out the hackers

James

Canon EOS-20D

11/02/2005 04:30:21 PM · #12

Originally posted by jab119:

I wonder is someone is hacking the server where the site is located.

That shouldn't really have anything to do with the registration of the domain.

Tamron SP AF 28-75mm f/2.8 XR Di for Canon

11/02/2005 04:57:05 PM · #13

Originally posted by jab119:

I wonder is someone is hacking the server where the site is located.

No, that's a completely separate issue. All the files are fine. It's obvious that the DNS settings have been moved without authorization.

I do have a support ticket in with GoDaddy... so I'm anxious to see what will come of it. Within 24 hours, I'll either be singing their praises for such wonderful support, or bashing them and swearing to move our 100+ domains off of them :)

Canon EOS-20D

11/02/2005 05:06:03 PM · #14

I've heard good things about GoDaddy's customer service and they've been good for me as well (I register all my personal and freelance domains through them) so hopefully you'll have good luck. Please let us know how it turns out!

Art Roflmao

Canon EOS-6D Mark II

Canon EF 24-105mm f/4.0 L IS

11/02/2005 06:43:22 PM · #15

As someone mentioned, the whois record indicates it is registered to Navigation Catalyst Systems, Inc - if that is not the correct information then there are maybe 2 possibilities: Either the domain expired and they snatched it up (not likely if you said she just reg'd it a few weeks ago) or it was transferred / hijacked without authorization. I suspect that even if you had her pin for GoDaddy, the domain name would not be listed in her account. Seems that the only solution is direct contact with GoDaddy - they may not give you any access info, but they should be able to explain WTF is going on.

As a side note - I deal with these issues all the time and have many clients who had popular domain names with some amount of traffic and they let them expire and they were immediately picked up and routed to a porn site. One of the clients was a photographer and she used her full name in the domain name - she was pissed, but nothing you can do. The domain names can be monitored for expiration and some of these unscrupulous people look for highly or even moderately traffic'd sites and when they expire they are able to get them usually for $6 or so and they attempt to capitalize on the previous traffic volume for at least a short time.

I also recently had a client who accidentally let their business domain names expire and they were registered by a third party affiliate of MelbourneIT which had disappeared some time ago, yet they didn't have an account to log into at MelbourneIT (even though that's where the whois record said they were reg'd) and after they expired, one was immediately snatched by a website-spam-spewer (like the one that is posted currently at robandambermariano.com) and I had to work like hell on behalf of my client to get the other domain from MelbourneIT at a cost of $60.

-Ken

Strikeslip

Canon EOS-5D

Canon EF 100-400mm f/4.5-5.6 L IS

11/02/2005 06:59:06 PM · #16

I'd still try swapping out routers with a known good one.

conglett

Nikon D70

Nikon AF-S DX Zoom-Nikkor 18-70mm f/3.5-4.5G IF-ED

11/02/2005 07:08:57 PM · #17

Just jiggle some cables. I'm sure it'll be just fine! If that doesn't work, you can spew milk on it and hope that clears things up.

Stagolee

Kodak Easyshare C180

Canon EF 50mm f1.2 L

11/02/2005 07:30:15 PM · #18

Originally posted by kpriest:

who accidentally let their business domain names expire and they were registered by a third party affiliate of MelbourneIT which had disappeared some time ago, yet they didn't have an account to log into at MelbourneIT (even though that's where the whois record said they were reg'd) and after they expired, one was immediately snatched by a website-spam-spewer (like the one that is posted currently at robandambermariano.com) and I had to work like hell on behalf of my client to get the other domain from MelbourneIT at a cost of $60.

-Ken

That was one of the companies I was talking about

Art Roflmao

Canon EOS-6D Mark II

Canon EF 24-105mm f/4.0 L IS

11/02/2005 07:34:10 PM · #19

Originally posted by keegbow:

Originally posted by kpriest:
MelbourneIT

That was one of the companies I was talking about

I suspected.

Stagolee

Kodak Easyshare C180

Canon EF 50mm f1.2 L

11/02/2005 07:42:29 PM · #20

They send renewals out early to businesses who have accounts elsewhere and the unsuspecting business pays not realising that they are actually switching companies.