After reading numerous accounts (27 and counting) of people's domains being stolen I decided to investigate the situation more closely. What follows is my personal investigation.
Without jumping to any conclusions as to how all of these domains were hijacked, I gathered the facts and sat back to see where the common denominators were.
All of the domains had GMail accounts listed in whois.
Many of the domains were hosted with GoDaddy.
Many of them had Alexa rankings of less than 10,000.
While the GoDaddy connection was interesting, the fact that all of the hijacked domains had GMail accounts stood out as the real common thread.
While it's still not clear how the hijacker was able to obtain access to the GMail accounts, it is clear that using a GMail account for your domain registrations may not be a wise decision. We have seen infectious code on websites designed to either steal cookies or check to see if the visitor also has GMail opened in another window.
A few cases involved visiting a webpage while GMail was opened and the webpage doing a POST to a GMail interface and injecting an email filter into the visitor's GMail settings.
Typically the injection would include filters that would automatically skip the inbox and forward emails from register.com, godaddy.com and dreamhost.com to another GMail email account.
Then, with forwarding set and knowledge of the registered email address, the hijacker would have used GoDaddy's website to obtain the customer number, which requires a verification email. Armed with that information, the hijacker would go back to GoDaddy and have an Authorization Code for password reset sent to the registered email address.
The password would be sent to the email address, which would be forwarded to the hijacker and then they could move the domain to another registrar, change the website and benefit from the traffic to that website.
Or in some of these recent cases, the hijacker asked for $2,000 in order to "give" the domain back.
How did this happen?
Creating a filter in your GMail account sends a request to the GMail server farm. The request is an obfuscated URL with each section identifying the filter, the account, etc.
Many of the parameters passed in the URL can be generated accurately but one parameter needs the cookie from the account holder's computer. They can obtain this quite easily with any general cookie stealing technique (there are many).
What can you do?
For starters, this isn't the first exploit of GMail accounts. I would switch all of my domains to be registered to a different email address.
Secondly, I would pay the extra money to have your domain information listed as Private. This way your contact information will not show up on whois searches. GoDaddy offers Protected Registration if you're already listed with them.
Third, if you do use GMail, check your filters often. And check your deleted items as well. You never know what you might find in there.
Anyone here have any stories to share about domains hijacked?
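As an added defender-side example (not part of the original post), here is a script that audits a Gmail filter export for the pattern described above: filters that forward registrar mail to another address, or that archive or trash it so it skips the inbox. The XML layout and property names (from, forwardTo, shouldArchive, shouldTrash) follow Gmail's filter export format; the embedded feed is a constructed sample, and the own_domains parameter is an assumption for marking which forwarding targets are yours.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Registrar senders named in the post; mail from these must never be hidden.
REGISTRAR_DOMAINS = ("register.com", "godaddy.com", "dreamhost.com")

# Constructed sample export: entry 1 is the hijack pattern, entry 2 is benign.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='godaddy.com OR register.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='forwardTo' value='dropbox@example.org'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
  </entry>
</feed>
"""

def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters

def suspicious_filters(filters, own_domains=()):
    """Flag filters that forward outside own_domains or hide registrar mail."""
    findings = []
    for f in filters:
        reasons = []
        fwd = f.get("forwardTo", "")
        # Any forward not ending in one of our own domains leaves our control.
        if fwd and not fwd.lower().endswith(tuple("@" + d for d in own_domains)):
            reasons.append("forwards to external address " + fwd)
        sender = f.get("from", "").lower()
        hides = f.get("shouldArchive") == "true" or f.get("shouldTrash") == "true"
        if hides and any(d in sender for d in REGISTRAR_DOMAINS):
            reasons.append("hides registrar mail from " + sender)
        if reasons:
            findings.append((f, reasons))
    return findings
```

Run it over the mailFilters.xml you download from Gmail's filter settings; any finding is worth a manual look before assuming it is benign.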
For all newly created domains, they will automatically adopt a DNS template which I've set up in Plesk. But for my own domains (not clients') I've changed my MX entries in my DNS Settings section to point to Gmail's (Google's) servers. The primary server with the highest priority is "aspx.l.google.com".
To get to the point... I receive emails on the Gmail interface, which is stored on the Gmail server, though I have a slight problem when it comes to local emails. In other words...when my server sends out an email to myself (either from a contact form, daily log files, etc...) I don't receive the emails through the Gmail interface, but rather through my POP server, which is logical, since my server is most probably configured to use "mail.yourdomain.com" and not "aspx.l.google.com".
Question: How can I have both incoming emails (from other domains/servers) and local emails (from my own server) go through the Gmail server? I'm guessing that I'll have to edit Sendmail or PHP or something, though I'm not sure; that's why I'm posting this.
Sorry if the post is a bit confusing. I tried my best to explain the situation, though if you have any questions, please respond with them.
I have a domain; when we send mail from any email ID of this domain to Gmail it goes to the spam folder, but in Yahoo and Hotmail it goes into the inbox. So how do I whitelist my domain in Gmail so my mails go into the inbox?
I have also submitted this request/issue to Gmail support but got no answer.
My Logwatch shows things like this each day, and some days more. Does this mean someone is trying to gain access to the server by hunting for passwords?
Here is the Logwatch output, so I am just asking for some advice out there.
--------------------- SSHD Begin ------------------------
Failed logins from these:
   apache/password from ::ffff:200.206.107.12: 2 Time(s)
   ftp/password from ::ffff:200.206.107.12: 2 Time(s)
   mysql/password from ::ffff:200.206.107.12: 2 Time(s)
   root/password from ::ffff:200.206.107.12: 2 Time(s)
   root/password from ::ffff:61.186.188.168: 260 Time(s)
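As an added example (not from the post), a small Python parser over the Logwatch lines quoted above: it totals failed logins per source address and labels a source that hammers one account as brute force and one that cycles through several service accounts as account spraying. The thresholds are assumptions; the sample text embeds the post's own lines.

```python
import re
from collections import defaultdict

# One "user/password from SRC: N Time(s)" line per entry, as Logwatch's SSHD section prints them.
FAILED_RE = re.compile(r"^\s*(?P<user>\S+)/password from (?P<src>\S+): (?P<n>\d+) Time\(s\)")

# Sample input taken from the post above, one entry per line.
SAMPLE_LOGWATCH = """\
 --------------------- SSHD Begin ------------------------
 Failed logins from these:
    apache/password from ::ffff:200.206.107.12: 2 Time(s)
    ftp/password from ::ffff:200.206.107.12: 2 Time(s)
    mysql/password from ::ffff:200.206.107.12: 2 Time(s)
    root/password from ::ffff:200.206.107.12: 2 Time(s)
    root/password from ::ffff:61.186.188.168: 260 Time(s)
"""

def normalize_ip(src):
    """Strip the IPv4-mapped IPv6 prefix sshd logs (::ffff:1.2.3.4 -> 1.2.3.4)."""
    return src[7:] if src.startswith("::ffff:") else src

def summarize_failed_logins(text):
    """Return {ip: {"attempts": int, "users": set}} from a Logwatch SSHD section."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # section headers and non-matching lines
        ip = normalize_ip(m.group("src"))
        per_ip[ip]["attempts"] += int(m.group("n"))
        per_ip[ip]["users"].add(m.group("user"))
    return dict(per_ip)

def classify(summary, burst=50, spray_users=3):
    """Label each source; burst and spray_users are assumed thresholds, tune them for your host."""
    verdicts = {}
    for ip, s in summary.items():
        if s["attempts"] >= burst:
            verdicts[ip] = "brute-force"      # many tries, typically at one account
        elif len(s["users"]) >= spray_users:
            verdicts[ip] = "account-spray"    # few tries each across several accounts
        else:
            verdicts[ip] = "low-volume"
    return verdicts
```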
I can't remember the name of the utility that lets you watch what a process is doing. You call it on a PID and you can see all the memory allocations, file IO, library loading, etc. that the process is doing as it happens. Anyone know what I'm thinking of?
I'm about to upgrade my co-located server from twin 2214 Opterons (dual core 2.2GHz) to
twin 2378 Opterons (quad core 2.4GHz). [Got to love the upgrade path on Opterons: single core to 6 core on the same socket.] I know I'll need to do a BIOS upgrade, but is there anything else I should worry about? I want to minimize downtime as much as possible.
I had two servers from LT for a few years. I was happy with the servers until 6 months ago. I got an email from LT and was told the price would be increased. I had no choice but to pay what they asked. I got another email a few days later; again LT increased the price. I think it's fine if they increase the price. The problem I have is this: LT increases the price, but at the same time LT still offers the same package I had a few years back to their new customers. I called LT; they told me they can do nothing. Today I looked at the offer carefully. Here are the details.
-------------------------------------
Dual-Processor Opteron 248    $59/Month
RAM: 2GB
Hard Drive(s): 2 x 160GB SATA, free upgrade to 2 x 250GB
Bandwidth: 3300GB
IP Addresses: 8 (5 Usable)
Notes: No Reseller Discount
Setup Fee: $999 setup
---------------------------------------
Ha, $59 is not a bad deal at all. But watch out: $999 setup fee. Think about this: LT will increase your price two years later. Then the monthly cost will be $59+$999/24=$100, or if LT increases your price one year later, your cost will be $59+$999/12=$142. Just think twice before you order from LT.
I have recently removed my servers from Moxie Hosting, and I think that if you are reading this you should know what this company is all about.
When I signed up last year for a one-year contract, Sean Corbin stated to me that they had their own suite at another location, that the cage my equipment was in was temporary, and that they would be opening a new suite. When I moved to the 8th floor I was told that the suite was theirs, which it was not. Watch out for their 100% uptime: they have been having problems with power since they moved and until a week ago, they keep blaming the building, and I would not get any recourse, because Sean Corbin has stated to me that it wasn't his fault and not his problem.
They also stated that they have a tech on site 24/7, which is not true; they have an online tech who can remotely look at issues, but when I needed to get access to my server to fix an issue I had to wait for a tech to show up, and if it is after hours it's a longer wait because Sean Corbin has no tech on site. I have asked to work on my server during the day; he also stated that he doesn't go to the suite during the day, and he only works nights.
I'm working at the moment with ffserver... I tested ffmpeg with Flash streaming and it works perfectly, but I want to take another step.
I'm trying to stream a file so I can watch that movie in Windows Media Player. The problem is that I get a lot of "buffer underflow" errors when I stream the video.
I post my config:
Port 8090
BindAddress 0.0.0.0
MaxClients 1000
MaxBandwidth 10000
NoDaemon
We have several cPanel accounts (web sites) with different IPs in one box. Then we cut down to one single IP. While cPanel is not available, I re-configured Apache to bind accounts to domain names instead of IPs, as previously configured.
So before, when I used a user name like "james" to FTP, it was working, but not now. Now I have to use james@domain.com to FTP.
Someone changed pure-ftpd settings somewhere; I don't know how he did it, and I actually don't know if he helped or not on this problem.
At least FTP is working. But I really do want to know the relevancies between these matters.
cPanel is not available yet (not licensed); IPs were cut from several to one, which supplies multiple web sites; pure-ftpd seems to need to be configured.
How do I stop my add-on domain from appearing in the search engine as a sub-domain? For example, it shows up as example.com/test.com. I only want test.com.
Still a newbie question: if I use WHMCS for my billing system, I see the client always starts by typing in a domain. If they choose a new domain, what will I do with it? Do I have to get a domain reseller account to deal with it?
I have reseller hosting with a host. This host provides private DNS, so the hosting provider remains anonymous; when someone searches whois they will not know I am running a reseller hosting biz.
Now I am planning to change the hosting provider to another one who provides higher capacity and higher bandwidth, but they will not provide DNS. I need to use their DNS.
How do I get my own DNS so that the host remains anonymous?
I have a hostee who as part of an out-of-court settlement, needs to change the primary domain they host on. The domain they're switching to is already a parked domain on their account. At first blush, it seems like it would be pretty easy, but now I'm concerned about their email. Both of the principals of the company use Horde extensively for webmail, and as such I have files on the server for their email accounts. What I was thinking about doing is this:
1. Stop parking the "new" domain on the account.
2. Change the account from using the "old" domain in WHM to the "new" domain by modifying the account in WHM.
3. Forward email sent to user@old.domain to user@new.domain, in cPanel.
4. Assorted changes on the website to account for the new domain - published email addresses, new SSL cert, things like that.
My concern is in how to move the mail files, currently set up to be for user@old.domain, to be readable by Horde as user@new.domain, so it's seamless to the users. We will be keeping the old domain under our control, but not using it to point to the site any more; I just don't want to have to tell them "OK, to get your old email, you have to check this address, and to get new email, you have to check this one."
Would my plan above actually accomplish that? Is there a better way within a WHM/CPanel framework to accomplish what I need without losing email or access to it? What am I missing?
I have a VPS account with WHM/cPanel console access. I have three domains that I am trying to set up. Within WHM I have set up three different accounts, one for each domain. I am able to log in to the cPanel for all three accounts. This also created a new web directory for each domain in /home/domain_name/public_html/. I have placed my default index.php in all three public_html directories with the same permissions. But only 1 domain is working; the other two are not. What am I missing? I have confirmed that all three have the correct DNS servers with GoDaddy and I can do an nslookup on all three. My provider told me to share the IP, so that is what I am configured as.
I have several domain names and I pay for hosting for each domain name. Each domain name gets little traffic, uses little bandwidth, and little storage space. I would like to pay for hosting once and share the bandwidth and storage space amongst the multiple sites. Do you know of a hosting company that offers this? I suppose it would involve having one hosting account and multiple IP addresses that resolve to different folders in your account?