12:29 About how I had stolen the domain and I stole it back | |
Dear habravchane! Stories, one of which happened to me, happen very often, that's just the ending, in my case is quite rare. For certain reasons in this article, I will not specify the domain and reseller. Those who can identify them, I earnestly ask in the comments are not made public. This happened in October 2010. Six months earlier - in early May - I was not re-purchased the site, the benefit of all pointed to the fact that my seller is the fifth or sixth of its owner. The transaction price amounted to 24 thousand rubles. I got: -username / password to administrator panel, domain reseller, -password to the mailbox xxx@mail.ru; -username / password to access your account firstvds.ru, where to find sites; -username / password to access the administrator of CMS Wordpress. Since the purchase was about six months, everything went on as usual, once in late September, my e-mail message arrived to restore the password for Wordpress. I quickly discovered that the mailbox xxx@mail.ru and reseller domain admin I have no more. Looking relevant records on the root ns-servers, I noticed that my domain pointers already link to another host - vds64.com. The answer to how this could happen, he came very quickly: I did not bother to change the recovery options for the box xxx@mail.ru (secret question and phone number), and someone who used them, took it well and access to the admin reseller, so as it was tied to the mailbox. All that's left - access to the account host, because there I still changed the contact email address. At that moment it did not matter, but I'll tell you that this is what me and saved. There could be no doubt that this one - no one other than my dealer. As luck would have it I learned about all this on his birthday. After a couple of days in which clear thinking about myself, I went to a very well-known forum for Silver Member status and registration of virtually since its inception involves a certain level of confidence in me, and went out on the person providing services on ... Let's just say: to restore access to stolen mailboxes. Three days later my new friend surprised me by telling me the current password from a stolen mailbox. The price of issue of 1500 WMR. Encouraged by how quickly everything is allowed, I went to the post and went to restore access to the admin reseller. Then I suffered a great disappointment: to obtain the password necessary to know the answer to your secret question, which I did not have ... In the study of the mailbox, I found that he carefully cleaned up: outgoing mail was not at all in my inbox was a letter from a reseller with reference to the password reset process, which, naturally, has not worked, and also created a ticket on the question of my dealer on why modified ns-servers are still not applied. As quoted in the question of my ticket seller stated enrollment. Again, I'll tell you that this was its first strategic mistake. Also in the box was a letter from the administration of Exchange Sape with a request to recall login to their system, at the same time tells a story about that, using the conservation of accounts in the browser Opera, as a result of failure of these data is lost. From this I concluded that my seller is quite young, if it uses such "social engineering", not realizing that by doing so only takes up technical support time. It took a day or two, and in the whois-domain data, I saw a different registration and postal address. I quote it as it is: babuwkamisha@gmail.com. Probably my dealer found the loss of a box on mail.ru and domain moved to another account from a reseller. A little distracted and briefly describe the security policy reseller: Username is the email address which can not match the address from the whois, there is a code word for communicating with tech support and security question for password recovery. Communicating with the reseller should happen with the postal address, login, and for which the fight will unfold. Entering the password recovery page a reseller, I have a new mailbox and received a sentence to answer the secret question. This meant that the account with the address of the reseller there, and my domain is most likely is in it. Once again, I turned to my new friend: -box on gmail? -I take a job. Imagine my surprise when, three days later I again get the current password is now from a box on Gmail. On the method of "hacking" I would write in a note. The price of issue was 80 WMZ. I must say that this ordering a second job, my hopes for success were already close to zero, because, as I described above, access to mail is not enough to regain control over your domain. As I expected, the box was pretty empty ... To pass the time I tried to enter the admin area of ??Wordpress to obtain the password. And, lo and behold, the password came up! Unfortunately, the administrative part reseller at that time did not work. Reseller explained this by accident at the datacenter. I can not express how impatiently I waited for the restoration of its work. It happened a day later, the password came up, I changed it to a new, changed dns-servers, reseller and details restoring the mailbox Gmail and pleased to bed. After waking up, I discovered that access to the mailbox and domain, I again do not. What the hell .. From frustration came to the account recovery page to Google. I want to say that in contrast to Mail.ru, the service also works very quickly. A little distracted and say a few words about her: hitting a mailbox, a person receives virtually unlimited data to restore access to it. Besides, if you have recently changed the password, the person who knows the previous password can be only one glance at your monitor to pick yourself your mailbox forever. So, about an hour later I received a link from Google to restore access. In the admin reseller was already another unknown to me the password, and retrieve it I needed to know the answer to your secret question. I wrote a letter to the reseller technical support with the request "remind" him, pointing at random, known to me the code word from the previous account, after which the reseller has kindly informed me that "my favorite city" - it's Marcel. Thus, my seller did not bother to change the code word on the new account, and it became his second strategic mistake. Once again, I changed all the details in the admin reseller, mostly - dns-servers as well as a mailbox can not be changed. After that, my salesman, who, according to Gmail, located in Ukraine, and appeared on the Web exclusively at night, again took his own in the same way. It's dragging a box for each other lasted three days. Next steps are obvious: it was necessary to transfer the domain to your new account on which login email will not coincide with the data from the whois. The problem was that the domain was transferred a week ago, a reseller There is a 30-day restriction on re-transfer. It was the third day of my ownership of a mailbox that was about 19 hours. Shortly before that I threw into account 80 rubles to "note" in it your purse, as the number of purse payer is an important element of security policy reseller. Suddenly it dawned on me that the remaining three weeks, I can not reach: the time of transfer access to a box I can no longer be. I wrote a letter to the reseller with their suspicions that someone is using my email (which, actually, it was, although the box was not really mine) and asked to remove the time limit. An hour later I was informed that the restriction is lifted, and I'm using a password and a code word, quickly moved the domain to a pre-prepared account. And very timely: since options to restore access to the box I did not get from Google. Among other things, I threw in the new account 500 rubles. and extended the domain, the benefit of the extension period ends after a month or two. In the evening, my salesman again gained access to the mailbox, then to the reseller admin, went to her ... and did not find her there in my domain. I think in this moment of his panic, because in the reduced box, he forgot to remove the shipment on the other addressed to me, so I got a chance to read all of his correspondence with the reseller. Realizing how lucky I halt, because, as you know, who owns the information - he owns the world, and saw his first letter, I burst out laughing. Here it is (to be read from the bottom up as a reseller letter - a response to my previous letter to the seller): Hello, To transfer the domain name you need to know the code word. Obtained by the attacker knew your code word? From what purse you refill your balance with us? 06.10.2010 22:35 - Michael Granny wrote (a): Customer Michael Grandmother with e-mail address babuwkamisha@gmail.com treats issue: Kind time of day. Recently bought without a renewal of the domain xxx.ru Sergei Semenov. Code word: xxx. Secret Question: What is your favorite city, the answer is: Marseille. I have transferred to your mailbox this domain: babuwkamisha@gmail.com. But a couple of days ago I was robbed by phishing soap vorostva password and gain full access to both the soap, and a domain admin, and changed the DNS server on your any. Today, I through Google restored access to my email, and now restored access to the admin.panel reg.ru, but the domain here is not found. How to track where you have moved the domain and how to get it back? Thanks in advance. Letter obviously written in great haste. Immediately after this the same night a reseller wrote me a question: Hello! Do not agree would you explain the origin of the domain XXX.RU on your account? You are the owner of this domain? To your ownership of this domain received the claim. I replied that my mailbox was stolen with all its contents. And also the fact that six months ago bought the domain for $ 800, that all this time he was on the server FirstVDS, paid for from my purse and I can prove it. This was followed by the continuation of my correspondence seller: Hello, How much did you pay for when buying a domain name? I learned this amount. This domain is attached to FirstVDS already since May 7 and up to now. Ie attacker obtained the domain will not attach. Do you have access to your account at FirstVDS? Domain is obtained at all times attached to the same hosting. If you is his rightful owner, you will not be difficult to do on the site any test site and deploy a proof text. 07.10.2010 00:35 - Babuwka Misha wrote (a): I'm on the mailbox in my inbox was a letter from the vendor with all the data to a domain. It is from an email: xxx-ru@mail.ru And contained in that letter, a variety of information about the site (that's a piece of writing): Access to admin wordpress http://www.xxx.ru/wp-login.php Login: admin Password: xxx https: / / Reseller Codeword: xxx Favorite city? Marseille I have exactly the same code word and secret question fill in your account, before I forget, when moved the domain to xxx-ru@mail.ru to your account gmail. Apparently having access to my email-in and co incoming messages have learned the code word and secret answer. Refill for 80 rbl. realized I did not. I'm certainly going to soon renew the domain since I think November 21 is the deadline for the domain, but the money never in your system will not start, that is, here are 80 rubles may cancel it's not out of my purse. And more information about this domain, which I gave Sergei Semenov: ------------------------- ------------------------- domain ------------ -------------------------------------- http://resellerxxx2 @ mail.ru old PassWord: xxx new password: xxx That is the domain was originally registered on xxx2@mail.ru, then to Sergei at the time Sale takes him to xxx-ru@mail.ru. And I then took him in the 20 days of September babuwkamisha@gmail.com. Such information is, I hardly think there is an attacker if you simply> ask about a given domain. In a letter-reply, wants to hear what action I can now carry or have I lost this domain forever? The following letter: Hello, You also wrote a letter to a pen that you have stolen email babuwkamisha@gmail.com ... And now you write about xxx@mail.ru 07.10.2010 20:10 - Babuwka Misha wrote (a): Yes, hosting for this domain is attached to firstvds.ru originally, and I have access to it was via soap ; xxx@mail.ru, as well as access to all otstalnomu, and everything is fine once was before the until revenge soap xxx@mail.ru I have not stolen. Access to firstvds can `t get too because of the fact that there have changed the password and account firstvds attached to the soap xxx@mail.ru.Отсюда all the problems. What soap I can not return, and that's why I started recently to transfer a domain from one account on your site to another account. Knowing the secret question and the code word I was easy to do in late September. And precisely because of the loss of hosting firstvds I just recently bought a new VDS to vds64.com, firstly it is faster and running (server specifications better), and secondly I was there configured to access could be restored anytime from my mobile phone, since safety is now is very necessary to me. In the admin domain after the transfer I recently interrupted DNS (or NS, I do not know how to) on the Here is my new bought VDS (ns1.vds64.com and ns2.vds64.com ). And an attacker stealing again domain again stuck it to the old firstvds, access to which he has. Imagine the reaction technical support staff, who gradually discovers that a customer stole two mail boxes in two different systems, secret answer and the code word, ie stole everything. The funny thing is, that's the way it was. Hello, You have not answered, for how much you bought this domain? 07.10.2010 21:20 - Babuwka Misha wrote (a): And that was stolen and a new email address. But this because I created it myself, thanks to Google services, I 3 times already recovering, and again lost this soap. Meanwhile yesterday delivered from Google - a program PC Tools Spyware Doctor. I have a laptop and the PC detected was the same threat: Trackware.TrackingCookies. All because of this infection. Next. Hello, Do you have contact with the owner of the domain from whom you bought it? 07.10.2010 22:15 - Babuwka Misha wrote (a): for $ 800. Another letter: Hello, Do you have proof of purchase of this domain? 08.10.2010 00:10 - Babuwka Misha wrote (a): No contact remained. He once sold, saying that he goes offline business, or auto repair reveals whether something else. He was no more nor no vkontakte etc. I must say that while I had my suspicions that this subject - this poor guy, whom my dealer just once more to sell the domain. However, over time, doubts disappeared: all the same children's "social engineering" course - this is my seller. In addition, some of the information, and very rare for my hearing the term "offline business" I've heard when buying on icq. After this reseller offered to send me screenshots Keeper and billing FirstVDS the proof of purchase and pay for hosting for the past six months. It seemed strange that the reseller has decided to embark on this clarification because the domain was transferred in accordance with all rules to all rules. However, it was even better - all the "trump card" were with me. I sent the requested data. Hello, How do you pay for hosting FirstVDS when he was still under the control of you? 08.10.2010 00:45 - Babuwka Misha wrote (a): No. I bought nalom, but received full access without re-registration of the domain. After this letter, my salesman was gone and I'm more of him did not hear anything. Periodically, I sent him a letter, disguised as spam, to check whether the shipment to me. It is included so far. It would be very interested to know that thinking about this story in the reseller tech support: they probably decided that we quarreled and then fought for the domain. Note: I think my dealer was right, and a Google account was actually "hacked" by a phishing link. With access to the box, I received a letter from a certain Urals Bank, where I was expelled, "my new details" with an attached document. Looking closely, I noticed that the "embedding" is actually located in the body and simply styled with attachment. When you click on the link "download" I got a copy of the home page Gmail. This was to bring me to the idea that the session on reset timeout and need to log in again. The link address was very long, it was attended by the word «google», but certainly not at the second level. Probably one of these letters, my salesman and he was caught. Thank you, that you have read my article. Hopefully, it seems to you an interesting and useful. UPD. In this story, I found it strange that: 1. 2. 3. | |
|
Total comments: 1 | ||
| ||