This Site’s Domain is Stolen
Published by Chris Coyier
Hey ya'll. This is (really) Chris Coyier. I had css-tricks.com registered on GoDaddy. It recently came to my attention that the ownership of this domain has been transferred away from my ownership to PlanetDomain. For now, thankfully the nameservers still point to MediaTemple, so the site is still up. That could change at any time.
I'm going to keep track of all this.
Timeline of Events
Sunday, November 13, 2011
Hacker gains access to my GoDaddy account and GMail account. He initiates the domain transfer away from GoDaddy: unlocking domain, changing registration information, putting in request from PlanetDomain. Emails are likely generated from all this activity but I saw none of them. Presumably the hacker deleted them from my GMail account.
Strange: My GoDaddy account password was never changed, nor does that password exist in my GMail account. How did he get in?
Monday, November 14, 2011
I wake up and can't log into GMail. I reset the password through cell phone verification (I still have this text message and a screenshot of it). I honestly didn't think much of it at the time. I thought of a few reasonable explanations for it and went on with my day.
Question: Was the hacker able to gain access to my GMail account by resetting the password, or did he gain access some other way and then reset the password to attempt to lock me out.
Sunday, November 20, 2011
In the evening of this day the domain transfer was completed away from GoDaddy and to PlanetDomain. Again the hacker was able to access my GMail, gaining access to the needed emails and getting the transfer verification codes, and then delete them so I never saw them. He changed the password to the GMail account again.
This same evening, I had a minor site hack. VaultPress caught it. In my index.php file in the root (effects the entirety of WordPress) a link was added to 8oc.com. Later I found this same exact thing happened to Kirupa Chinnathambi of kirupa.com.
Uh oh: does this mean the hacker has access to my MediaTemple hosting too? FTP access? Account Center access? None of these passwords were changed.
Monday, November 21, 2011
I wake up to be locked out of my GMail account again. Again reset the password through cell phone verification code. Again, stupidly, didn't think much of it. (Thought something like my 1Password got out of sync).
Uh oh: does this mean the hacker can reset my GMail password at will? I have two-step authentication turned on now, hopefully that will prevent this in the future. My passwords for GMail have always been totally unique and complex.
Friday, December 2, 2011
The day I found out about all this.
7:30am - I found out about all this from emails from David Appleyard. I immediately thought of David Walsh who this is also happening to. It's also happening to instantshift.com and sohtanka.com. None of us share a GoDaddy hosting account. These are all separate instances. Important to note: I received no email or phone call verifying the transferring of this domain. The email address in my GoDaddy account was unchanged.
7:45am - Called GoDaddy support at (480) 505-8877. Was not helpful. Was told just to email email@example.com (which I did immediately).
8:06am - I tweeted about the problem. GoDaddy sent me a DM saying to fill out a form, but the form was a 404 page.
Friday 8:30am - I got the correct link to the domain disptute form and filled it out. This included a scan of my driver's license. The website says it will be 3 days for an initial response. I hope it's sooner than that.
9:00am - I went to my banjo lesson because at least nobody can take that away from me.
10:10am - Trying to contact PlanetDomain (just assuming this is them). They don't seem to have an active Twitter account. Just sending an email through the contact form for now.
10:15am - Got generic email back from GoDaddy:
If they are unwilling to transfer the domain name back you will need to contact the current registrar or registrant for further assistance.
11:50 - Just got off the phone with GoDaddy (Tony in domain disputes and Alon in customer service, I think). The current status is that they have already sent a request to PlanetDomain, and the next step is to wait for them to do the due diligence and get back to GoDaddy with an answer on whether or not they will return the domain. This be a matter of days, or a week (sine it's Friday, very likely won't be until early next week). Other facts about GoDaddy:
- So far they have found this has happened to around 12 accounts, all within the "Web Design" genre (so most likely a targeted attack).
- There is no accessible log from with your GoDaddy account to see what/when things happened.
- They do have access logs, but they can't share that information with me.
- The domain was transferred away from GoDaddy the evening of Nov 20th
- They have, but cannot provide me with, the email address used to transfer the domain away.
- GoDaddy confirmed my global account email has never been changed, but it WAS changed for the domain css-tricks.com prior to the move.
- The request to unlock the domain happened on Nov. 14th at 4:30pm Mountain Time. Normally there is a 5-7 day waiting period, but GoDaddy offers instant transfer and they remarked that it was unusual that the hacker chose not to do that.
- They confirmed no other domains have left my account.
Friday 12:15pm - I asked VaultPress if they could tell me the IP address of the person who changed the index.php file, but they don't have that information. It might be in my server logs if I have them from that long ago.
1:05pm - Former employee of PlanetDomain tells me that it looks as if the hacker attempted to remove the nameservers, but the PlanetDomain system for that failed. (This line in the WHOIS: "No name servers present.") The hacker would have to call PlanetDomain to "fix" this, which they have not (thank god).
5:25pm - About the end of the work day here and heading in to the weekend, so it's unlikely anything will happen until early next week. I'd love to get at least an acknowledgment from PlanetDomain / NetRegistry that they've gotten the domain dispute from GoDaddy. But no such luck.
7:10pm - Send off an email to MediaTemple letting them know the issue. They aren't really involved, but if they can find for me the IP address that changed that file on the server on Nov 21st, that might be helpful.
Saturday December 3, 2011
6:05am - Heard back from MediaTemple. The server logs don't go back that far, so no dice on getting IP address from that.
Sunday, December 4, 2011
3:50pm - First contact from PlanetDomain - Christine Dela Fuente of the Customer Support Team:
Thank you for your email.
We are currently in communication with GoDaddy regarding this. We will
advise you via email of the decision.
I'm hoping the drastic time zone different between Australia and the U.S. doesn't inhibit communication between PlanetDomain and GoDaddy.
Monday, December 5, 2011
Sometime during the night the status of the domain (viewable from the WHOIS information) changed to "LOCKED". I think it was "ACTIVE" before. Also, the nameservers are now listed correctly (NS1.MEDIATEMPLE.NET, NS2.MEDIATEMPLE.NET) instead of "No name servers present." as it said before. I don't know the implications of this.
Thankfully, my nameservers have not yet changed. instantshift.com and sohtanaka.com have not been so lucky, their sites are now offline. My heart goes out to them, so awful.
The same happened to designshack.net, but David Appleyard was able to speak directly with PlanetDomain and PlanetDomain agreed to change his nameservers back to his, so his site is back online. That is a great first step of cooperation from PlanetDomain, yay!
9:40am - David Appleyard talked to GoDaddy this morning. They said: "I just talked to [PlanetDomain] about it this morning. It was the first thing on their plate."
1:10pm - David Appleyard spoke with PlanetDomain directly again. They said that the criminal's account has been suspended, so they no longer have access to make changes. I don't know for sure if css-tricks.com was in the same account as David's, but I hope it is.
5:00pm - Email from Christine Dela Fuente at PlanetDomain:
We will update you via email as soon as we hear from them.
EFF YES. Can't wait to see the domain back in it's original home.
Tuesday, December 6, 2011
10:00am From GoDaddy via Twitter:
3:00pm From GoDaddy via Twitter:
9:00pm Email from PlanetDomain:
Please be advised the domain css-tricks.com has been transferred back successfully to GoDaddy.
WHOIS data is back. Good stuff! Still waiting to see the domain back in my GoDaddy account.
Wednesday, December 7, 2011
7:45am - Domain is back in my GoDaddy account.
- This happened to David Airey as well. He attributes a Gmail Security Flaw (this particular flaw has been fixed) as to why he was never notified of the domain transfer.
- David Walsh received two emails on November 28th from firstname.lastname@example.org. One said: "trust me godady can't help you," the other: "pay 2k to get ur domain back .."
- This is not isolated to GoDaddy. Original registrants varied, see below.
- A former employee of PlanetDomain tells me that PlanetDomain is owned and operated by a Sydney company called NetRegistry(NR). He also tells me the domain is in "active" status which is good news for the possibility of moving it back.
- Official rules on Domain-Name Dispute-Resolution.
- Hackers News conversation (was on homepage entire day Friday)
- Slashdot conversation
Sites with Same Problem
davidairey.com - Resolved
abduzeedo.com - Prevented - Was able to stop domain transfer before it happened, but all signs indicate the same hacker tried to steal it (email@example.com) - Originally on DreamHost
css-tricks.com - Resolved Originally at GoDaddy, Bad Guy moved to PlanetDomain - Domain is back at GoDaddy.
davidwalsh.name - Resolved Originally at GoDaddy, Bad Guy moved to Name.com then to 1and1 (highly unusual and isn't supposed to be possible) - Name.com is was able to get it back from 1and1, although I don't think it was through cooperation on 1and1's part.
scriptandstyle.com - Resolved Originally at GoDaddy, Bad Guy moved to PlanetDomain - David Walsh is the owner of this domain. Transferred back to GoDaddy on December 6th.
sohtanaka.com - Unresolved Originally at 1and1, Bad Guy moved to PlanetDomain - Soh Tanaka's site is offline (nameservers were removed). PlanetDomain is ready to give the domain back to 1and1, but 1and1 isn't responsive.
designshack.net - Resolved Originally at GoDaddy, Bad Guy moved to PlanetDomain - David Appleyard is the owner of this domain. Transferred back to GoDaddy.
instantshift.com - Resolved Originally at GoDaddy, Bad Guy moved to PlanetDomain - Daniel Adams has domain back in GoDaddy account.
kirupa.com - Resolved Originally on NetworkSolutions, Bad Guy moved to PlanetDomain - Kirupa Chinnathambi has domain back.
shiachat.com - Resolved Originally on 1and1, Bad Guy moved to PlanetDomain. Stolen on October 8, went down on November 24. Ali A. is now has domain back (actually kept it on PlanetDomain instead of moving back to 1and1 because they are so awful).