my brothers domain and sites

[MrDude]

somebody got into both of his servers last night and deleted everything, backups, sites, everything off both

then his most profitable site myrwawr.com has been directed to a copy of the site on another server, looking exactly the same except the adsense publisher ID has been changed to the hackers.

looking at whois it seems to have transferred some time ago, from domainsite to enom.

This is a pretty big blow for him as this is his full time job and he nor I am really not sure which route to go down as if i remember correctly registrars never help.

Any help anybody?

[sdsinc]

So the domain has been hijacked too ? Which registrar ?
I hope google will help identify of the thief based adsense id.

[jberryhill]

myrwawr.com is not a registered domain name.

What you are describing does not appear to be a domain name issue unless, as noted by sdsinc, the domain has been hi-jacked also.

Breaking into a web server and taking control of a site is a separate issue.

Quote:

if i remember correctly registrars never help.

Many registrars can be extremely helpful if you (a) can be specific about what is the problem and (b) are correct about what is the problem. Quite often, registrars have to deal with questions and problems that don't have anything to do with the domain name or are otherwise the result of incorrect information and/or misguided domain registrants.

For example, in your post above, you identify a domain name that does not exist and describe a problem that is not a domain name problem.

I'm not saying your brother doesn't have a domain name problem, but if he does, you haven't described what it is yet.

[MrDude]

Ah sorry, main domain is:
# Myrawr.com

but hes told me other domains have gone too, I will find out what they are asap.

the thief has taken copies of the website content before deleting the origionals and backups off 2 servers, he/she seems to have transferred the domain last month, and has gone un-noticed until today when my brother found all files deleted and was going in to change the nameservers when he realised they werent there! Upon closer inspection of the websites, the thief has just changed the adsense publisher ID (to their own im assuming), Google have allready been contacted about this, aswell as the registrars, but im assuming the registrars will do nothing about this?

Any ideas anyone?

Just found this posted on another forum were my brother posted:

Quote:

Which leads to:
IP address [?]: 208.110.69.34
IP address country: flag United States
IP address state: Missouri
IP address city: Cameron
IP postcode: 64429
IP latitude: 39.734001
IP longitude: -94.222900
ISP [?]: WholeSale Internet
Organization: WholeSale Internet
Host: server.scribbytech.net
Local Time: 2007-08-27 08:55


scribbytech.net - is up and running..

Now, if i remember rightly, a namepros member runs scribbytech.net, unfortunately I cannot contact him as my account over there is closed, could somebody ask him to read this post over here and email me at paul rogers 250 @ gmail . com (without spaces), I would like to know who owns that hosting account if it is infact hosted on his server.

[Devil Dog]

Quote:

Originally Posted by MrDude

Ah sorry, main domain is:
# Now, if i remember rightly, a namepros member runs scribbytech.net, unfortunately I cannot contact him as my account over there is closed, could somebody ask him to read this post over here and email me at paul rogers 250 @ gmail . com (without spaces), I would like to know who owns that hosting account if it is infact hosted on his server.

Sent a pm to user 'scribby' over on np.

[MrDude]

24.184.57.25 2007-08-07 08:03:39 success
24.184.57.25 2007-08-07 11:04:24 success
24.184.57.25 2007-08-08 01:01:55 success
24.184.57.25 2007-08-08 02:58:24 success

Login history on domainsite for the hijacker

[Banned: danielg]

optonline.net cable modem...dynamic IP. you never know if it was really the hijacker or the hijacker used ool-18b83919.dyn.optonline.net [24.184.57.25] as a proxy. that's what sucks about this

you need some experts to think this through and get a logical approach. however, not very smart to talk about strategy on a forum where the hijacker can possibly be reading and plan ahead to cover any tracks.

[jberryhill]

Quote:

Any ideas anyone?

Yah... you need to be clear and specific about the facts.

Putting aside the question of the servers for a moment and concentrating on the domains...

You refer to "registrars". Is there more than one registrar involved, how? At what registrar was the domain name registered? Does your brother still have access to that registrar account? Is the domain name in that account?

I get the impression that there are two things being conflated here, when only one thing might have happened. Or... both things might have happened, but that seems a bit odd.

[MrDude]

so far 5 domains have been taken

they were taken from the domainsite.com account and transferred over to the hijackers namecheap account, there were 4 gone today and a 5th one went a few hours ago so I called domainsite up for him and had them put a hold on all domains, but they cant do anything about the domains allready gone.

The hijacker has the full myrawr.com site up, including databases, and the only change being their google adsense publisher ID, this is the first time i have seen anything like this, the whole domain and website stolen!

[jberryhill]

Oh.. it happens....

http://www.arb-forum.com/domains/decisions/1008008.htm

Quote:

so far 5 domains have been taken

Do you think you could at least list the domains and BE SPECIFIC about what happened when?

You left two questions up there unanswered.

There's a reason I ask....

This is my last try to find out exactly what happened. If someone else wants to pick up here, feel free....

In the meantime, your brother needs to quit using that hotmail email address for his domains, and I assume he has already changed the password (using an UNcompromised email address) on the Domainsite account, yes?

I'm also guessing that he used the same password and/or email account for the hosting account yes?

[Dave Zan]

Quote:

Originally Posted by jberryhill

Many registrars can be extremely helpful if you (a) can be specific about what is the problem and (b) are correct about what is the problem.

And (c) are being polite, although that's also a challenge for some.

MrDude, better start talking to the registrars involved if indeed any of their
registration details have been recently changed. And as John said, be correct
and specific about the problem.

However, I'll also add that some registrars will want to work with those whom
they're able to verify as having been originally listed on the domain names. If
you weren't but your brother was, they'll probably want to deal with him.

[jberryhill]

Quote:

If
you weren't but your brother was, they'll probably want to deal with him.

Well, there's always that, too.

[scribby]

Quote:

Your password is 692 days old, and has therefore expired.

wow its been a while since I've been here!

I've had 2 namepros members contact me regarding this thread, sadly I cannot be of any help as I no longer own the server in question, I would recommend contacting wholesaleinternet.com as they own the server.