[Hidden-tech] Web URL hijack, update

Rich rich at on-the-net.com
Thu Nov 8 09:52:13 EST 2007


A few notes, for reference we are a Tucows RSP (reseller something something).

1) Domains go through a two-step (fuzzy plus) expiration process, 30 days
to be renewed and then 40 days to be 'redeemed' by the owner - then they
are supposed to be released to the open market for reuse.  The fuzzy is
that some registrars either renew themselves for parking pages (those
strange search/advertising pages) OR somehow they just get stuck --
NetSol being really good at that.  At some point after the official
expiration date the registrars are allowed to 'park' a domain and get any
revenue they can for the advertising on the parking page.

So the net-net what you saw was the parking page from eNom and that is
why you were able to recover it so quickly -- a lesson to all - check
your domain(s) at least monthly and get a registrar or reseller who works
for your interest.

2) Tucows is a registrar directly with one level of resellers, sounds
like your case has Enom doing 2 levels of reselling.

3) I know of no connection of eNom and Tucows and couldn't find one on a
quick scan of our Tucows dealer information.

4) Whois is in fact a 2-step process; however, any recent whois client
actually does a two-step lookup starting with the TLD whois manager.
Also, I looked up your host IP at the TLD name servers so things had been
fixed by the time I looked, or had not propagated to reach all name
servers - could have been at either end of the problem.

You don't usually see the intermediate step unless you can request a
verbose lookup. Our first step looks like this:

=====================================
whois server for *.com is whois.crsnic.net ...
connected to whois.crsnic.net [199.7.55.74:43] ...

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: TNRGLOBAL.COM
   Registrar: TUCOWS INC.
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net
=======================================

Jim's looks like this:
=====================================
whois server for *.com is whois.crsnic.net ...
connected to whois.crsnic.net [199.7.52.74:43] ...

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: NATIONAL-WIRELESS.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
=========================================

Isn't the internet fun :)

Rich


ussailis at shaysnet.com wrote:
> Here's what happened.
>
> I was not hijacked, but the URL registration payment was not credited to
> my account.
>
> Of course the URLs were paid for at least a month before the due date, more
> than 2 months before the cutoff date. There are two problems that occurred
> because of the way URL registrations are now renewed.
>
> 1. The actual registration passes thru several vendors. The guy that does
> the service for me is a reseller for another, higher level, registrar, who,
> in turn, is also a reseller for a higher level registrar. I believe the
> final registrar for my URLs is Enom. Somehow they are related to Tucows.
>
> They were paid some time ago for 4 URL renewals. They renewed one,
> www.rf-wireless.com. The rest fell thru the cracks on their end.
>
> Now here is the second issue...
>
> 2. Whois doesn't work the way it did. In the past doing a whois search
> brought up all the current data for a URL...any URL, registered thru
> anybody. 
>
> Now a whois search must be done at the web site of the final feeder in this
> registration chain to bring up current correct data. A general whois brings
> up data, but not necessarily current data.
>
> The business that I use to renew URL registration checks every URL they
> renew with a general web whois search. They just discovered this problem,
> and now are checking all their clients.
>
> Enom fixed their mistake. Quickly. I don't know how much business I might
> have lost, but I have learned to watch this stuff more carefully.
> Fortunately my business is not many clients, each client providing a
> small amount of business, but rather it is few clients / year, each
> representing a substantial amount of business. So I probably haven't lost
> any.
>
> My thanks to all who responded, esp to the fellow who called. He also
> noticed the problem. 
>
> To all those with business URLs, I can say, find out who the top feeder in
> this registration business is for your web site, and check the info for
> your URL. 
>
> I am looking into a 10 year renewal. By then I'll be so old I won't care
> anymore.
>
> Jim Ussailis
> jim at nationalwireless.com
>
>
>
>
>
> Original Message:
> -----------------
> From: ussailis at shaysnet.com ussailis at shaysnet.com
> Date: Tue, 6 Nov 2007 11:50:20 -0500
> To: hidden-discuss at lists.hidden-tech.net
> Subject: [Hidden-tech] Web URL hijack
>
> Something new to me, and perhaps something for us to watch out for...
>
> My URL has been hijacked. There is a new site up on it
> (www.nationalwireless and www.national-wireless.com). The new site is
> strictly advertising. It pretends to be a search engine, but it only
> searches among a limited number of advertisers.
>
> As I understand it the "pointing" to the URL has been changed. It appears
> that www.NuSeek.com is also involved. I have found several other emails
> complaining about this.
>
> For us that are very busy, we should take (find?) the time to check our
> websites. I have no idea how long this has been going on, nor how many
> clients I may have lost.
>
> If any are interested, www.rf-wireless.com is a representation of my real
> site. The other two 'pointed' to this one.
>
> Jim Ussailis
> ussailis at shaysnet.com
> ussailis at verizon.net
>
>
>   

-- 
Rich Roth
CEO On-the-net

Bringing you complex online systems since the net was young
http://www.tnrglobal.com - http://www.on-the-net.com/rr/
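
The two-step whois lookup and the 30-day/40-day expiration windows described in this message, as an added example that is not part of the original thread. The registrar reply, its "Expiration Date" label and the date in it are constructed assumptions, since registrars format their output differently; offline_query stands in for the network so the block runs as-is.

```python
import re
import socket
from datetime import date

REGISTRY = "whois.crsnic.net"  # .com registry server shown in the lookups above

# Registry reply trimmed from the lookup above; the registrar reply, its
# "Expiration Date" label and the date itself are constructed for illustration.
SAMPLE = {
    REGISTRY: "   Domain Name: NATIONAL-WIRELESS.COM\n   Registrar: ENOM, INC.\n"
              "   Whois Server: whois.enom.com\n",
    "whois.enom.com": "Domain Name: NATIONAL-WIRELESS.COM\nExpiration Date: 2007-10-01\n",
}

def whois_query(server, domain, timeout=10):
    """Raw WHOIS: send the name plus CRLF to TCP port 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def offline_query(server, domain):
    """Stand-in transport so the example runs without network access."""
    return SAMPLE[server]

def field(text, label):
    """Value of the first 'Label: value' line, or None if the label is absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(\S.*?)\s*$", text, re.M | re.I)
    return m.group(1) if m else None

def two_step_lookup(domain, query=whois_query):
    """Step 1 asks the registry; step 2 follows its 'Whois Server' referral."""
    thin = query(REGISTRY, domain)
    referral = field(thin, "Whois Server")
    if referral and not re.fullmatch(r"[A-Za-z0-9.-]+", referral):
        referral = None  # do not connect to something that is not a hostname
    thick = query(referral, domain) if referral else ""
    return {"registrar": field(thin, "Registrar"), "referral": referral,
            "expires": field(thick, "Expiration Date")}

def expiry_state(expires_iso, today):
    """Place a domain in the 30-day renewal / 40-day redemption windows."""
    overdue = (today - date.fromisoformat(expires_iso)).days
    if overdue <= 0:
        return "active"
    return ("renewal window" if overdue <= 30 else
            "redemption window" if overdue <= 70 else "due for release")
```

Calling two_step_lookup(name) without the query argument performs the live lookup; run it from a monthly job and alert on any state other than "active" or on a change in the registrar field.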



