In November something interesting happened to me: I was the target of an attack whose purpose, as it turned out later, was to take the domain of my project “Great Words” (www.greatwords.ru, which you may have read about on Habr before) away from me. In this post I want to tell how it happened and who, apart from me, is to blame (though you can guess from the title). Perhaps my experience will be useful and help others avoid the unpleasant situation I found myself in.
It all started on the morning of November 11th. I went to my site sap.in to update something and was very surprised to see the ISPmanager stub page instead of the site. I should say that ISPmanager is what runs on my VDS, and I would have been the first to look for the error on the server if not for the Flagfox plugin I have installed. This plugin displays the flag of the country where the site's server is located. My VDS, like me, is in Kiev, but now the address bar showed the Russian tricolour. Having pinged sap.in, I, as expected, did not see my IP at all.
How could this happen? There were two options: either a problem with my NS servers, or someone had changed the data. After looking the domain up in whois, I realised that, alas, it was the second: the NS servers in my domain's data were not mine.
The sap.in domain and some of my other domains are registered with Reggi.ru. When I tried to log into the domain control panel I got an error, the password-recovery e-mail never arrived, and I realised this was serious.
Now I need to digress and describe the situation with my e-mail, for which, of course, I alone am to blame. I became a Reggi client quite a long time ago, more than three years back. At the time I happened to be using the services of the outfit (you cannot call it a company, and I will explain why later) Online.ua. That is where the mailbox (for safety I will call it my-old-mail@online.ua) to which the Reggi account was registered was located. I had not used this mailbox for a long time, having switched to GMail a couple of years ago, and had simply set up forwarding on it. So as not to return to the subject of mail, I will say right away that in addition to my GMail (let's call it my-general-mail@gmail.com) I also used mail on my own domains via Google Apps. That is where I made another mistake, but more on that later.
As one would expect, the password to my-old-mail@online.ua did not work, and neither did the answer to the secret question. As a precaution I changed all the passwords that mattered to me (including GMail), although at that moment I assumed it was my-old-mail@online.ua that had been hacked and considered the possibility that I had picked up a trojan unlikely. After that I wrote to Reggi.ru support (I take this opportunity to thank them for their promptness and help in this difficult situation) and described the problem. At my request, support blocked the account and told me that to change the contact e-mail I had to post a signed application to Moscow requesting the change, together with copies of my passport, and, to speed up the recovery, e-mail them scans of these documents. I did so, asking for the address to be changed to my-general-mail@gmail.com, and thereby made my third, but I hope last, mistake.
Having sent the documents, I went about my business and forgot about it for a couple of hours. When I then decided to check my mail, I was unpleasantly surprised to find that I could not log in to my-general-mail@gmail.com. When I tried to recover the password, I saw that the recovery phone number had been changed to someone else's and an address in the .cc zone, where I had never had any domains, had been added as an alternate e-mail. Everything became clear. Now about my second mistake. I don't know whether this is how Google's protection works or whether it was just carelessness on the cracker's part, but the list of alternate addresses for password recovery still included the address I had set myself. And all would have been well, except... it was an address on the sap.in domain, and that domain now pointed at the hacker's NS. So at that moment, through my own fault, I had no chance of recovering the password: I had tied my mailboxes in a circle.
I was a little lucky: I was still logged in to the ticket system at Reggi.ru. I immediately went there to report that the mail to which I had asked them to transfer access had also been hacked. There an unpleasant surprise awaited me. The following message had appeared on the ticket:

Need I say that I did not write this message? Of course, I immediately reported the situation and asked them not to unblock the account. Thanks to Reggi.ru, they did not.
The situation was a stalemate. I registered the address my-temp-mail@gmail.com and sent a Google account recovery request through the appropriate form. The answer would come in a day. What else could I do? I decided to write a letter to my own mailbox and get in touch with the burglar. Soon a reply came:

We talked on ICQ the next day. I will not give the whole log, as it would take too much space. The bottom line: the hacker wanted my domain greatwords.ru. If I refused to hand it over voluntarily, he threatened to use my scans, which of course were in the my-general-mail@gmail.com mailbox, to forge my documents, put a fake stamp on them as if certified by a notary, and send them to the registrar, thereby taking control of the domain by force. In the case of a voluntary transfer, he even promised to pay me a certain sum.
Of course, I refused. To the threat of forging documents I replied that I would take the evening flight to Moscow and be at the registrar before his drop. After 10 minutes of silence, the hacker told me I could "not bother", and that I had won. There was no point in him continuing, since in any case I would get my domain back. And he promised to return everything he had stolen. Would he tell me the password to my-general-mail@gmail.com then? Of course, but only on Monday (the conversation took place on Saturday), from work, because he had a VPN and socks proxies there. I really wanted to believe it, but since when does one need a VPN and socks to hand over a password? So he was lying. I pretended to believe him. Let him think he had managed to deceive me; it would give me an advantage.
I contacted Reggi.ru. They advised me to contact Ru-Center, the registrar of greatwords.ru, directly. There I was advised to send them a letter by regular mail requesting that any transfer of domain rights without my personal presence be prohibited, thereby protecting myself against forged documents. I sent such a letter the same day. Now everything depended on the speed of the post, on Ru-Center and on the actions of the cracker.
I will not drag this out. The letter soon reached Ru-Center, and from that moment a transfer of rights to the domain without my personal presence became impossible. In those few days the cracker did not have time (or did not want) to re-register it, and the domain stayed with me. I also managed to regain access to my-general-mail@gmail.com, with great difficulty; the only thing that helped was that at the time I had a recently received Google AdSense cheque in my hands. Only with its help did I manage to prove to Google support that I was me. With access to my-general-mail@gmail.com restored, I recovered all the accounts that had been stolen from me, and a little later control of the Reggi account and, accordingly, all my domains.
I turn to the final part of my story. Surely you wonder how the attack was carried out. I deliberately separated this part from the main narrative. At first, as I mentioned, I assumed my-old-mail@online.ua had been hacked. After losing access to GMail I was sure I had caught a trojan; I saw no other explanation. But I was wrong: there was no trojan. I managed to reconstruct what happened only by analysing the contents of the mailbox from the period the hacker was using it, by talking to support and, in part, to the hacker himself. It went as follows.
A cracker interested in my domain greatwords.ru looked up its data in whois. The e-mail address my-old-mail@online.ua was listed there, since the Reggi account was registered to it. The hacker identified my registrar by NS or IP. Then he wrote to support at the fly-by-night outfit online.ua, and these idiots, at his request, deleted my account my-old-mail@online.ua without any proof. After that the cracker registered it himself and got access to the domain control panel. Having pointed the sap.in domain at his own server, he set up mail on it and, thanks to my stupidity with alternate e-mails, was able to get into my-general-mail@gmail.com. So the human factor, together with the complete irresponsibility of Online.ua, made this situation possible.
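As an added example (not part of the original post, and not code from any of the services named in it), the recovery chain just described, and the "circle" of mailboxes from the GMail lockout above, can be checked mechanically: the script models each account as a node pointing at the assets that can reset it, reports recovery cycles, and computes how much a single abandoned mailbox reaches. The asset names are constructed placeholders modelled on the story.

```python
from collections import defaultdict

# Constructed sample modelled on the post (not the author's real data): each asset
# maps to the assets whose compromise lets an attacker reset it (any one suffices).
BEFORE = {
    "mail:old@online.ua": set(),                  # held only by the provider
    "registrar:reggi": {"mail:old@online.ua"},    # account contact address
    "domain:sap.in": {"registrar:reggi"},         # NS editable in the panel
    "mail:me@sap.in": {"domain:sap.in"},          # MX follows the NS
    "mail:main@gmail.com": {"mail:me@sap.in", "phone:mobile"},
    "registrar:rucenter": {"mail:main@gmail.com"},
    "domain:greatwords.ru": {"registrar:rucenter"},
    "phone:mobile": set(),
}
AFTER = {**BEFORE, "registrar:reggi": {"mail:main@gmail.com"}}  # the "third mistake"

def find_cycles(deps):
    """Return each recovery cycle as a list of assets (three-colour DFS)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, stack, cycles = {}, [], []
    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for dep in sorted(deps.get(node, ())):
            state = colour.get(dep, WHITE)
            if state == GREY:                 # back edge: closes a cycle
                cycles.append(stack[stack.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep)
        stack.pop()
        colour[node] = BLACK
    for asset in sorted(deps):
        if colour.get(asset, WHITE) == WHITE:
            visit(asset)
    return cycles

def blast_radius(deps, root):
    """Assets an attacker reaches after taking over `root` (reverse reachability)."""
    dependents = defaultdict(set)
    for asset, needs in deps.items():
        for need in needs:
            dependents[need].add(asset)
    seen, frontier = set(), [root]
    while frontier:
        for dep in dependents[frontier.pop()]:
            if dep not in seen:
                seen.add(dep)
                frontier.append(dep)
    return seen
```

With the BEFORE graph, one provider-held mailbox reaches every other asset; with AFTER, the old mailbox is out of the chain but the registrar account, the Gmail box and the domain mail now form a cycle that nobody, owner included, can bootstrap from.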
I want to warn everyone who uses Online.ua. Be careful. Move all important registrations to another mail service, because one day your account may simply be deleted at the request of a stranger. If your friends use Online.ua, warn them. This is an absolutely irresponsible provider that does not care about the privacy of your data or your security.
In conclusion, I will give the text of my correspondence with them. Yes, I wanted to talk to them after all this, although of course I was not going to have anything more to do with them. Their reaction is very telling.
I:
Hello.
First of all, thank you very much for deleting my account my-old-mail@online.ua without any confirmation at the request of an unknown person. Thanks to your blunder, he managed to register this mailbox after you deleted it and steal my domains and main mail. To this day I have not managed to restore all of it.
I demand to immediately block the account registered by the attacker and grant me, as the original owner, access to it.
Without respect
Andrey Sabinin.
Online.ua:
Hello!
No one has deleted your account. How can you prove that this is your mailbox?
I:
Here is an excerpt from a conversation with the cracker. He blackmailed me but did not succeed, after which I managed to get information about the hack from him.
16:01:53 cracker: You don't have a trojan on your computer, it's just online.ua being assholes
16:02:20 sap: I thought you broke in through online.ua at the start
but then I don't understand how you got to gmail
16:02:27 cracker: If you push them, they can delete the mailbox, and I can register it, of course. That's all.
16:03:28 cracker: > sap (17:02:19 11/13/2010)
> I thought you broke in through online.ua at the start
> but then I don't understand how you got to gmail
Pointed the domain at some VDS, set up a mail server there, created the mailbox *** @ *** and recovered it
And I am sure I really did not have a trojan, and I see no other way the hack could have happened. Will you claim you did nothing with my account?
What evidence is needed to restore access?
Online.ua:
Hello!
Give the answer to the security question you specified when registering the mailbox my-old-mail@online.ua.
I:
I registered this mailbox three and a half years ago and have not used it for more than two years.
What was the question?
Online.ua:
The registration date of the mailbox my-old-mail@online.ua is 11/10/2010 21:36:51, not three and a half years ago.
I advise you not to write to technical support. Do not waste our time and yours.
I:
Did you even read what I wrote before? Naturally the new registration date is 10.11, since it was registered by the attacker after you deleted it!
If you refuse to deal with me by e-mail, give me the address of your office or legal department and your name, so that I can file a complaint against you.
In response, silence. That's all.
Be careful. And do not use Online.ua's services.