On the hijacking of the perl.com domain

Author:   Published:   #perl #domain

Everything has now been restored. brian d foy has written a complete account of what happened from start to finish: The Hijacking of perl.com

Basically it looks like only the domain itself was, for some reason, transferred into someone else's name, and people only started to notice after the DNS change took effect in late January. The site content and the other parts apparently were not broken into.

Judging from these two paragraphs, the cause seems to be that the intruder used forged documents to gain the trust of Network Solutions (the original registrar), succeeded in changing the domain's ownership information, and then transferred the domain between registrars twice. Investigating afterwards, the transfer may have happened as early as last September, and there are probably quite a few other victims, not just the perl.com domain:

This part veers into some speculation, and Perl.com wasn’t the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There’s no reason for Network Solutions to reveal anything to me (again, I’m not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported.

John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder.

But it seems registrar transfers do not take effect immediately; under ICANN rules there is a 60-day lock period. If one day the registrant information for your own domain suddenly changes, it may well mean the domain has already been hijacked, but restoring it within those 60 days should be somewhat easier.

Looks like I should check whois every now and then.
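A small monitor for the periodic whois check suggested above, added here as an example and not part of the original post or of brian d foy's article. It parses two whois snapshots (constructed sample records for example.com, not real data) and reports changes in the fields the hijack described above touched: registrar, nameservers, transfer-lock status and registrant.

```python
import re
from typing import Dict, List, Tuple

# Fields worth watching: a registrar transfer, a nameserver change, loss of the
# clientTransferProhibited lock, or a new registrant are the signals of a hijack.
TRACKED = ("registrar", "name server", "domain status", "registrant organization")

# Constructed sample whois output (example.com, not real data): the baseline
# taken when the domain was healthy, and a later snapshot after a transfer.
BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Organization: Example Org
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""
CURRENT = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar GmbH
Registrant Organization: Example Org
Domain Status: ok https://icann.org/epp#ok
Name Server: NS2.EXAMPLE.NET
Name Server: NS1.EXAMPLE.NET
"""

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect tracked 'Key: value' lines from whois output. Keys are lower-cased,
    repeated keys (Name Server) accumulate into a sorted list so ordering changes
    are not reported, and Domain Status keeps only the EPP code, not the URL."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).lower()
        if key == "domain status":
            value = value.split()[0]
        if key in TRACKED:
            fields.setdefault(key, []).append(value)
    return {k: sorted(v) for k, v in fields.items()}

def whois_changes(baseline: str, current: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (field, old_values, new_values) for every tracked field that differs."""
    old, new = parse_whois(baseline), parse_whois(current)
    return [(k, old.get(k, []), new.get(k, [])) for k in TRACKED
            if old.get(k, []) != new.get(k, [])]

if __name__ == "__main__":
    for field, old, new in whois_changes(BASELINE, CURRENT):
        print(f"ALERT {field}: {old} -> {new}")
```

In practice the baseline would be saved from a real whois lookup and the comparison run from cron, so a registrar bounce or a dropped transfer lock is noticed long before DNS changes make the hijack visible.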