Our Domains Were Hijacked: What It Took to Get Them Back

When it all started:

March 22, 2008 Saturday
12:46:12 We received an email from Dreamhost support stating that our email address had been changed. We responded, "We did not change our email address." We went to the control panel and changed it back.
March 23 Sunday
Our Support History inside the Dreamhost Control Panel says that the domain Whois information was modified for newenglandsite.com.
March 24 Monday
23:25:08 Our Support History inside the Dreamhost Control Panel says that the domain Whois information was modified for all domains (the email address was changed on all of them).
March 25, Tuesday
Dreamhost notified us that the cluster "Spunky" was down. Our forum members reported that the metaldetectingforum was down.
March 26, 2008 Wednesday
Our Support History inside the Dreamhost Control Panel says that a transfer was requested for the domain newenglandsite. We did not receive an email.
March 28th Friday
We received an email from Dreamhost saying that our email address had changed on our account. We responded that we did not change our email account. We went to Dreamhost and the email had been changed to a name similar to our email address. We changed it back to ours. We did not check the account any further; since Dreamhost was having problems with the Spunky cluster, we thought it was some sort of glitch.
Saturday March 29th
We realized something was wrong with the gometaldetecting website: the stats were not correct. We contacted Bluehost via the chat and they said, "That domain is not registered with us; it is registered with netfirms.com." We logged into NPSIS and saw that 8 of our domains were missing.

We sent an email to support@npsis.com immediately and tried to call them. (Their offices are closed till Monday.) We contacted netfirms.com via a chat. They said, "No one has a password to access your account." I said, "That is the problem, that is not my email." They said to mail them the information at abuse@netfirms.com.

We filed an online complaint with ICANN. We filed an online complaint with IC3.gov.

We saw that our sites were being uploaded to HostMonster.com and contacted them via a chat. Mitch said, "You have to contact the registrar where the domains are registered." We contacted support@godaddy.com and informed them of the situation. They did not reply that night.

Sunday March 30
We received an email from Dave saying that our domains were for sale on sitepoint.com; he wanted to know why the emails were different. We sent a PM to the sitepoint.com Admin, and they responded that they cannot get involved in third party disputes.

We received an email from my sister, who tracked the hijacker to HostMonster.com. She sent us information on his account. See a screenshot.

We started printing all the Whois information for all of our websites and our account information at the hosting companies, in case he tried to change it. We started getting emails from the forum members: "What's wrong with the forum?" We notified Adsense that our domains and content were hijacked and that he had put his publisher ID on them.

Monday Mar 31, 2008
At about 11am we called NPSIS, 1-919-386-0361. The person that answered introduced himself as "Wendall." I said, "Is this the 'abuse' department?" He said, "We don't have an abuse department." I told Wendall that our account was hacked, and that our domains were being "hijacked". Wendall said, "Oh cr*p, we need to get on this right away! Send me a list of the domains that are supposed to be in your account." I said, "Okay, do you want me to send it to support@npsis.com?" He said, "No, send it to accounting@npsis.com and I'll give it to the boss, so they can start working on it." So we hung up and sent the list, and then didn't hear anything from NPSIS all day.

We contacted the registrars where our domains were moved, we contacted IC3.gov again. A forum member said he was part of the Infragard Program and he contacted them.

The hijacker still has our domains up for sale. We traced his IP to Vietnam because he uploaded the metaldetecting forum and signed in as Admin. See a screenshot. He also added a PayPal donate button. Several forum members donated! We told them the site was hijacked and that we would reimburse them. See a screenshot.

We received an email from Karl at Dreamhost.com that said the user that changed the email address had an IP from Vietnam. Dreamhost contacted godaddy about the domain hijack.

April 1st, 2008 Tuesday
On Tuesday, I called NPSIS again and Wendall answered. I asked him if there was any progress on the situation, and Wendall said, "They are still investigating it." I said to let us know the progress ASAP.

We signed up for the Whois Domain Monitor, to watch what the hijacker does to the domains.

Netfirms support sent us an email to say they froze the account for the hijacker and we had 7 days to come up with some information. I located all of the receipts, and wrote them a brief history of the gometaldetecting site.

April 2nd, 2008 Wednesday
On Wednesday we received an email from Wendall at accounting listing the domains that were hijacked, and the remaining domains. He informed us that the username, password, and email had been changed on our account by the hijacker. We forwarded this email to all the registrars where the domains were moved and also notified a cybercrime lawyer in NJ.

The hijacker started changing the Whois info and uploaded our entire forum to HostMonster. A forum member called us and said he turned on ActiveX. We reported this to HostMonster and they froze his account. So he opened an account at DNSexit and re-uploaded our forum and files. Some domains he pointed back to our hosting companies, because I had re-uploaded all the files for the remaining domains.

When I realized that he was pointing to our hosts, I changed the index.html pages to say, "This domain is hijacked, please contact the administration if you see this website for sale on a website. This domain is not for sale." In response, the hijacker realized what I had done, and started moving the domains around to other hosting companies, and uploading the files that he had stolen from our account.

In the afternoon, we called NPSIS because we were afraid that they had not locked down the account, and to ask them to please send us a new password and user name. I got an answering machine even though it was 2:45pm CST, and I left a message.

I got on the Bluehost chat and they gave me the number for the abuse dept. The abuse dept emailed us our welcome letter and billing history, which we forwarded to netfirms, and we sent a legal letter to netfirms.com for the domain prayingscriptures.com.

We were told by a forum member that the domains on the sitepoint auction had SOLD! But after checking it, we realized the hacker had signed up under a different username and sold them to himself to end the auction quickly, because of what I did to the index pages.

April 3, 2008 Thursday
I awoke this morning to find out all our website files on Dreamhost had been deleted again. I contacted Dreamhost support.

We received an email from the hijacker asking us if we wanted to buy back our domains for $15,000! We did not reply.

Godaddy sent us an email and wanted all kinds of information to prove the domains belonged to us. Godaddy sent us forms to fill out and we sent them back. They created an account at godaddy for us. Still working on getting newenglandsite.com back.

We sent netfirms all the info on gometaldetecting, including a brief history. Netfirms emailed us and said they set up an account for us. So something is moving in the right direction.

The hijacker bought a domain and uploaded our metaldetectorreviews files to it. He redirected metaldetectingforum.com to his new $1.00 domain, and is tricking forum members into donating to his PayPal account. See a screenshot.
He put up a jumper page on our naturalcurereviews website. See a screenshot.

April 4, 2008 Friday
Worked on retrieving metaldetectingforum.com from domainsite.com. Called them, but they just said, "We're working on it." Called NPSIS at 1:15pm, no answer; left a message letting them know what was going on and to remind them to lock down our account.

Started uploading all the files again, after I located the security holes in our Dreamhost Control Panel:
1. Lock your IP to your account.
2. Make the password long and unguessable, with some caps and numbers. (under My Profile > Security)
3. Click the little box that says Secure the FTP. (Click User Accounts >> Edit)
4. Uncheck the box that says "Authorize an Anonymous FTP User without a password." (I can't remember where I saw this; I believe when I unchecked the box, the option disappeared.)

Removed all of the Adsense ads to avoid click fraud from the hijacker. Called godaddy.com about newenglandsite. They said they're looking into it. They opened an account for us and transferred 4 of the domains to our account. Changed the DNS settings as fast as we could. So at this point we have 6 of our domains back. Godaddy sent us a form for newenglandsite.com; we filled it out and emailed it back.

April 5, 2008 Saturday
Gathered all the receipts about metaldetectingforum.com, including our LICENSE # receipt for the "vBulletin forum script" we purchased, and sent it to support@domainsite.com. They took down the hijacker's redirect.

We received an email from the hijacker that said, "I will be back." We did not reply.

Found some websites on "How to Hack!" Did some serious studying about hackers and hashing. We couldn't believe that there are websites on the web that teach people how to hack, and even the software for them!

April 6, 2008 Sunday
Received an email from Godaddy saying that the transfer of newenglandsite.com to our account was pending. We logged in but the domain was not there. Gave them a call, 480-505-8877, they walked us through the transfer. We told them about the hacker's email. We reset the account info and the DNS.

Someone called us and said that the hijacker copied and pasted our friend's metal detecting site on his $1.00 domain. We sent off an email to our friend.

A guy called us from Canada saying that the hijacker is still trying to sell our domains on sitepoint. So we added, "THIS DOMAIN IS NOT FOR SALE," on all of our websites so nobody would get ripped off.

Waiting on domainsite.com support. NPSIS has not contacted us again.

April 7, 2008 Monday

We got a call from a forum member who said the hacker uploaded our reviews site to DNSexit.com and redirected metaldetectingforum.com to it (see a screenshot), and that the forum is up and running again. See one of his posts.

Waiting on domainsite.com support. Gave them a call at 10:45am, received an answering machine.

Received an email from a lady saying we should report this to the Federal Trade Commission. See what we sent them.

11:45am - Sent off another email to support@domainsite.com. Started checking DNSexit.com to see how we can get our content taken down.

Went to the hacker's $1.00 domain metaldetectingworld.info and saw that he has our friend's entire website on his. Our friend's website is metaldetectingworld.com. Compare the two.

We called DNSexit support, and the guy that answered knew very little English. He said, "I cannot help you, contact ICANN. I can do nothing..." and hung up on us.

We called domainsite.com again, and I got to talk to Scott. Scott said to email our "proof of ownership" to him, so we did. He said he would give it to the legal department, and they would get back to us. He said the last email they got from us was April 2!!!!???? We also sent Scott a link to this page.

Called our friend, Sergei, with the metaldetecting site that was copied. He said he was trying to get in touch with DNSexit to file a complaint. We said, "Good Luck, they sound like they're outsourced to India."

Still waiting on domainsite.com support....

April 8, 2008 Tuesday

12:30pm CST Good News!!!! We got an email from Scott at domainsite.com and they have parked the domain! We emailed him back and thanked them, and asked them if they needed more information from us. Scott said they sent an email to the hacker, and want to wait a couple of days for him to respond.

2:00pm CST We received a call from a webmaster who said we could notify the forum members who were "tricked into donating" to this hijacker's PayPal account that they can go to PayPal and have the charges reversed.

Note to Forum Members: We contacted vBulletin and they said your passwords on the hacked forum are not at risk, because they are "hashed" in the database.

Note to other webmasters on godaddy: If your email address changes in your account, you will not receive an email from godaddy that it was changed. Security hole?

We got a reply from the Federal Trade Commission, but it was a standard "Thank you for your submission."

April 9, 2008 Wednesday

A forum member called us and said that the hacker now has ALL of Sergei's content and pictures on his $1.00 domain.

We just received an auto-response email from Netfirms.com, apparently the hacker is back and trying to get our username and password sent to him. I sent a ticket to support. "Is this something we should be concerned about?"

2pm CST - The hijacker is mass emailing our forum members from the hijacked forum control panel... asking for donations.

We contacted PayPal about this guy. Waiting on domainsite.com support to contact us...

April 10, 2008 Thursday

Called PayPal and talked to the Fraud Dept. They said they can do NOTHING!

Sent off an email to Scott at domainsite.com support: "Give us some good news!"

Waiting on domainsite.com support to contact us...

April 11, 2008 Friday

Blocked the hacker's IP from accessing any of our domains.

Still waiting on domainsite.com support to contact us...

April 12, 13, 14, 15, 16, 2008

Waiting on domainsite.com support to contact us...

On April 16 domainsite transferred the domain metaldetectingforum.com back to us. YAY!

So now we have recovered all 9 of our domains.

From April 16 to April 26 we spent a lot of time rescuing the forum members from the cloned forum and warning them about the spam emails the hacker was sending to the forum members in Vlad's name.

Then on April 27 we found out that the hacker had bought another domain and uploaded one of our websites to it. 

On April 28th we faxed a DMCA complaint to Google Adsense. One of our forum members also sent a complaint to the registrars where the hacker's domains were registered, and the registrars froze his account and took down the domains.

April 30 - Wed. The hacker bought another .info and uploaded the forum to it and mass emailed the forum members using our email address (cloaked).

Sent an email to the owner of EVERYDNS.net and asked him to shut the hacker down.

The hacker is somehow sending guests to our forum, and they are from all over the world, and they are using NT 5.0, NT 5.1, or NT 6.0. We are getting a new guest every 5 minutes, and the count is up to 1350 guests right now at 10:27am.


Conclusion

We believe the hijacker has been working on this for a long time, and even went to the trouble of getting a similar email address so that no one would notice the misspelling. We believe he tricked the NPSIS registrar into giving him our password, because if you can't log in you are supposed to "call them." Or he ran a hacking program to get our password, or AOL has a security hole.

All of the registrars have been supportive and helpful, but the red tape is incredible. But I guess that is good. The burden of proving it's "your domain" is on you. Make sure your Whois is always updated with the correct information. Make sure you know your way around your Control Panels.

Do not fall asleep at the wheel! Be Aware, this is not 2002 anymore, this is 2008. There is a domain hijacker in Vietnam on the prowl, and many more like him. Batten down the hatches! Do not be lazy if you value your domains and websites.

Screenshots: his HostMonster/Facebook accounts >> hacker IP >> jumper page >> he has stolen all our files >> responses on the forum to newbies >> tricking members to donate >> form sent to the FTC

What if this happens to you?

1. Contact the new registrars immediately. Most registrars have an abuse@theircompany.com address.
2. Change all your passwords immediately, to a longer, non-dictionary password with numbers and some caps.
3. Sign up for DomainMonitor to watch your domains. Print out the Whois information.
4. Start gathering "proof of ownership" receipts and anything you have about the domains.
5. Keep in continual contact with the registrars.
6. Be ready for a week of nerve-racking waiting.
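A small monitor in the spirit of the Whois Domain Monitor mentioned in the timeline and in step 3 above, added here as an example (not code from the original page): it diffs a saved Whois baseline against a fresh snapshot and flags the changes seen in this story (registrant email, registrar, nameservers, status), marking a near-identical email address as a lookalike. The records are constructed placeholders, and the Whois lookup itself is assumed to be done separately.

```python
"""Whois change monitor: added example, not code from the original page.
Diffs a saved Whois baseline against a fresh snapshot and flags the fields a
hijacker changes first. Records are constructed placeholders; the Whois
lookup itself (e.g. a whois query) is assumed to happen elsewhere."""
import difflib

# Fields worth an alert; any change here should be verified by the owner.
WATCHED = ("registrar", "registrant_email", "nameservers", "status")

def lookalike(old, new):
    """True when the new email is a near-copy of the old one (a character or
    two changed): the misspelled-address trick described in the conclusion."""
    if not (old and new) or old == new:
        return False
    return difflib.SequenceMatcher(None, old, new).ratio() >= 0.85

def diff_whois(baseline, current):
    """Return {domain: [alert, ...]} for every watched field that changed.
    A domain absent from the current snapshot is reported as well."""
    alerts = {}
    for domain, old in baseline.items():
        new = current.get(domain)
        if new is None:
            alerts[domain] = ["record missing from current snapshot"]
            continue
        found = []
        for field in WATCHED:
            o, n = old.get(field), new.get(field)
            if o != n:
                msg = f"{field} changed: {o!r} -> {n!r}"
                if field == "registrant_email" and lookalike(o, n):
                    msg += "  [LOOKALIKE ADDRESS]"
                found.append(msg)
        if found:
            alerts[domain] = found
    return alerts

# Constructed sample records (placeholders, not real Whois data).
SITE = {"registrar": "Registrar A", "registrant_email": "owner@example.net",
        "nameservers": ["ns1.hosta.example", "ns2.hosta.example"], "status": "ok"}
BASELINE = {"example-forum.com": dict(SITE, status="clientTransferProhibited"),
            "example-site.com": SITE}
CURRENT = {"example-forum.com": {"registrar": "Registrar B",
                                 "registrant_email": "ownner@example.net",
                                 "nameservers": ["ns1.hostb.example"],
                                 "status": "ok"},
           "example-site.com": SITE}

if __name__ == "__main__":
    for domain, msgs in diff_whois(BASELINE, CURRENT).items():
        print(domain, *("  - " + m for m in msgs), sep="\n")
```

Run it on a schedule against real snapshots and the forum domain above would raise four alerts the moment the email, registrar and nameservers moved, while the untouched site stays silent.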

Many thanks to our forum members who have spread the word like wildfire throughout the metal detecting community, and have gone out of their way to keep this hacker at bay.

Many thanks also to our prayer partners, pastors, and supporters of prayingscriptures.com for their prayers.