{"id":1548,"date":"2021-02-09T08:19:26","date_gmt":"2021-02-09T08:19:26","guid":{"rendered":"https:\/\/osintme.com\/?p=1548"},"modified":"2021-02-09T23:56:02","modified_gmt":"2021-02-09T23:56:02","slug":"the-curious-case-of-the-perl-com-domain-hijack","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2021\/02\/09\/the-curious-case-of-the-perl-com-domain-hijack\/","title":{"rendered":"The curious case of the perl.com domain hijack"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Originally published on Secjuice.com<\/a> on the 7th February 2020.<\/em><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

In late January 2021 disturbing news surfaced on Twitter<\/a> regarding the registration details of perl.com, the website of the once popular PERL programming language.<\/p>

It seems that suddenly the domain changed ownership and was moved to a different server from where it originally was being hosted.<\/p>

Usually things like this happen in relatively rare scenarios where a company (or an individual) forget to renew their domain and the ownership of it lapses, resulting in the domain name getting returned to the pool of available domains, from where it can get snapped up by any willing buyer.<\/p>

Exactly that happened years ago to Microsoft’s hotmail.co.uk<\/a> domain; it also happened to Foursquare<\/a>, and it happened to several other, more or less known online entities over the years.<\/p>

However, in the case of perl.com, this is NOT what occurred.<\/p>

The website was previously hosted by Network Solutions LLC using the Bitnames servers.<\/p>

But suddenly, on the 30th December 2020, the ownership of perl.com was transferred to a Chinese domain registrar Bizcn.com.<\/p>

On the 27th January 2021 the ownership was moved to Key-Systems GmbH, a German domain hosting provider. Notably, the servers also changed from Bitnames to Afternic (which seems to belong to GoDaddy).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

So this is a classic case of a domain hijacking.<\/p>

This happens when an unauthorized change of DNS<\/abbr> configuration occurs. Essentially, the name resolution for the domain is performed by a rogue name server.<\/p>

Through unauthorized access, the attacker alters registration contact details and claims ownership of any domains legitimately registered by the victim.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

It’s crucial to understand that the content of the hijacked website could change completely – or it does not necessarily change at all.<\/p>

It’s not very hard to clone the contents of the previous site and carry on with it as usual, after making malicious uploads that target the users.<\/p>

The bottom line is: changes to website hosting and DNS are not always reflected on the site itself, therefore using services such as The Wayback Machine<\/a> or Urlscan<\/a> will not always be helpful – instead, one needs to focus on the historical DNS examination.<\/p>

Which by the way is a very useful angle whenever conducting OSINT on any websites and IP addresses.<\/p>

Some of the resources that I found helpful for the historical DNS analysis of perl.com were:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t