This morning, several clients whose web servers I support received unwelcome notification letters about a change of their DNS servers:
Domain:
domain: *******.RU
admin-o: *******-GPT
* nserver: ns-*******.awsdns-34.org
* nserver: ns-*******.awsdns-58.com
* nserver: ns-*******.awsdns-12.net
* nserver: ns-*******.awsdns-30.co.uk
state: REGISTERED, DELEGATED
created: 29-11-2011
changed: 30-08-2015
paid-till: 29-11-2015
mnt: TIMEWEB-MNT-GPT
source: R01
replaced by:
domain: *******.RU
admin-o: *******-GPT
* nserver: ns1.hostingnewfree.ru
* nserver: ns2.hostingnewfree.ru
state: REGISTERED, DELEGATED
created: 29-11-2011
changed: 30-08-2015
paid-till: 29-11-2015
mnt: TIMEWEB-MNT-GPT
source: R01
A check against whois confirmed that the letter was serious: identical DNS servers had appeared everywhere. Because several clients complained about the problem at the same time, I decided to deal with it globally rather than investigate a hack of a single client.
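The whois comparison described above can be automated. The following is an added example, not code from the original post: it parses whois text in the format quoted above, compares the nserver records with a known-good baseline, and groups changed domains by their new name servers, since identical replacements across several clients point at the registrar rather than at one client. The domain names and awsdns host numbers are constructed; the hostingnewfree.ru servers are the ones from the letter.

```python
import re
from collections import defaultdict

# Field lines look like "nserver: ns1.example.net."; the letter quoted on this
# page also prefixes the changed lines with "* ".
NS_LINE = re.compile(r"^\s*(?:\*\s*)?nserver:\s*(\S+)", re.I | re.M)

def nservers(whois_text):
    """Return the delegated name servers, lower-cased, without trailing dot."""
    return {ns.lower().rstrip(".") for ns in NS_LINE.findall(whois_text)}

def audit(baseline, observed):
    """baseline: {domain: expected NS set}; observed: {domain: whois text}.
    Returns per-domain changes and replacement NS sets shared by >1 domain."""
    changes, by_new_set = {}, defaultdict(list)
    for domain, text in observed.items():
        current = nservers(text)
        expected = {ns.lower().rstrip(".") for ns in baseline[domain]}
        if current != expected:
            changes[domain] = {"added": sorted(current - expected),
                               "removed": sorted(expected - current)}
            by_new_set[frozenset(current)].append(domain)
    shared = {tuple(sorted(ns)): sorted(doms)
              for ns, doms in by_new_set.items() if len(doms) > 1}
    return changes, shared

# Constructed sample data (domains and awsdns host numbers are made up).
BASELINE = {
    "shop-a.example": {"ns-101.awsdns-34.org", "ns-202.awsdns-58.com"},
    "shop-b.example": {"ns-303.awsdns-12.net", "ns-404.awsdns-30.co.uk"},
    "blog-c.example": {"ns-505.awsdns-34.org", "ns-606.awsdns-58.com"},
}
HIJACKED = """domain: {d}
* nserver: ns1.hostingnewfree.ru
* nserver: ns2.hostingnewfree.ru
state: REGISTERED, DELEGATED
"""
OBSERVED = {
    "shop-a.example": HIJACKED.format(d="SHOP-A.EXAMPLE"),
    "shop-b.example": HIJACKED.format(d="SHOP-B.EXAMPLE"),
    "blog-c.example": "domain: BLOG-C.EXAMPLE\nnserver: ns-505.awsdns-34.org.\n"
                      "nserver: ns-606.awsdns-58.com.\nstate: REGISTERED\n",
}

if __name__ == "__main__":
    changes, shared = audit(BASELINE, OBSERVED)
    print(changes)   # which domains changed, and how
    print(shared)    # replacement NS sets seen on several domains at once
```

In practice the observed text would come from a scheduled whois query per domain, with an alert raised on any non-empty result.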
So, the first letter arrived around 6 am Moscow time, on August 30.
1) On r01.ru we try to open the "Login for customers" section; the link greets us with a redirect loop and a browser error.
2) We call r01.ru; a sad young man reports that they know about the problem with the section and that we need to wait 6-8 hours.
3) The same very sad young man reports that they also know about the problem with domains registered through their partner TIMEWEB, and that we need to wait the same 6-8 hours, after which the DNS servers will return to their previous state.
4) We write to the Timeweb support chat and get a not very encouraging answer:

5) Sites start resolving to someone else's IP addresses and dropping out of Yandex search.
6) At 12:00 Moscow time the r01.ru panel starts working again; however, an attempt to change the DNS servers produces the message:
A job for this domain is already in the queue.
7) One of the clients already reports a loss of 300 thousand rubles (a drop in sales at one of the online stores), and some complain about banners offering to lengthen one's member by 10 cm in 4 days. What happens next, and who will compensate for this?
As in the post habrahabr.ru/post/265699, all the web clusters, replication and other such things turn out to be useless against a "wait 6-8 hours" from the registrar.
8) At 12:30 Moscow time, whois begins to return the correct DNS servers.
Timeweb support reports:
Indeed, this morning, attackers changed NS servers for some domain names.
9) At 13:00 Moscow time, partner.r01.ru works in "Schrödinger's panel" mode.