
Domain hijacking: what to do if your domain was taken too during this mass attack

We are RU-CENTER partners, and the domain of one of our clients was "taken away".
The first "flash" report about this attack was here: habrahabr.ru/blogs/infosecurity/95705

RU-CENTER's blunder: when the DNS was changed, I received no notification at all.
What RU-CENTER did well: it temporarily blocked changing the partner.

The hackers changed the access password and the NS servers.
BUT! They did not stop there. ATTENTION! Evil is cunning and vile.
As nameservers the hacker registered ns.<a one-year-old domain>.ru and a matching ns2, and after the space (the glue-record IP field) the IP of a transparent proxy server, 62.122.75.80.

So that is the first level of disguise.
The next layer of mimicry: the server at that address transparently pulled the content from the old IP address (how, I don't know).
I don't know how long it would have gone on, but the hacker's server started to crash and stopped holding up under the load.

The site slowing down and Outlook refusing to work with mail set off a panic, first on the client's side, then in our office.

If only you knew the bewilderment and the feeling of mysticism :) A quick googling of the IP led to an article on the Runet about a mass hijacking of domains (thanks, %username%!).

After that (once the diagnosis was made) we acted quickly.

So, the action plan if you are a registrar partner (nic.ru):

From the partner account, change the domain administrator's contact e-mail to a current one, initiate password recovery, and then change the password.

Here you must act AS FAST AS POSSIBLE, because the moment the e-mail is changed the hacker receives a notification about it. They have hijacked thousands of domains, so they are unlikely to manage a quick reaction.
Only AFTER THAT change the DNS servers. The order matters: if you change the nameservers first while the attacker still holds the password and the contact e-mail, they can simply change them back. Keep to the sequence, and act quickly.

If you are the domain owner and there is no partner, feel free to send an official letter to the registrar and, if possible, come in person with your passport.
More details here: www.nic.ru/dns/service/faq.html#common (if you are with RU-CENTER).

RU-CENTER staff recommend prohibiting password changes from within the account (this is done with a checkbox in the admin panel).

To all hosting owners, and anyone with a heap of clients on VPS: resolve (ping) your whole list of domains, and put any that stand out with an unexpected IP address under the microscope.
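As an added example (not part of the original post or of any RU-CENTER tooling), here is the kind of check the paragraph above calls for: walk a list of domains and flag any whose A record points outside the IPs you host, or whose nameservers live under a domain you do not control, which is exactly the ns.<unrelated-domain>.ru plus proxy-IP pattern described earlier. The `SAMPLE_RECORDS` data, the domain names and the nameserver names in it are constructed for the demonstration; only the proxy IP 62.122.75.80 comes from the post. The `live_lookup` helper is an assumption about how you would plug in real resolution; the stdlib can only do A records, so NS checks there need a real resolver such as `dig` or dnspython.

```python
"""Audit a domain list for the hijack pattern: an unexpected A record (traffic
going through a foreign proxy) or NS hosts registered under a foreign domain."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample data: what a hosting partner might see across its client
# list during the attack. 62.122.75.80 is the proxy IP from the post; the domain
# names, nameserver names and 192.0.2.x (TEST-NET) addresses are made up.
SAMPLE_RECORDS: Dict[str, dict] = {
    "client-one.ru":   {"a": "192.0.2.10",   "ns": ["ns1.goodhoster.ru", "ns2.goodhoster.ru"]},
    "client-two.ru":   {"a": "62.122.75.80", "ns": ["ns.some-young-domain.ru", "ns2.some-young-domain.ru"]},
    "client-three.ru": {"a": "192.0.2.12",   "ns": ["ns1.goodhoster.ru", "ns2.evil-random.ru"]},
}

Lookup = Callable[[str], dict]


def sample_lookup(domain: str) -> dict:
    """Offline resolver over the constructed sample; returns {'a': ip, 'ns': [hosts]}."""
    return SAMPLE_RECORDS[domain]


def live_lookup(domain: str) -> dict:
    """Hypothetical live resolver. Python's stdlib gives A records only; NS records
    need dig or dnspython, so this minimal version reports an empty NS list and
    only the A-record check applies."""
    return {"a": socket.gethostbyname(domain), "ns": []}


def audit(domains: Iterable[str],
          expected_ips: Iterable[str],
          trusted_ns_suffixes: Tuple[str, ...],
          lookup: Lookup = sample_lookup) -> Dict[str, List[str]]:
    """Return {domain: [reasons]} for every domain that deviates from what we host.

    expected_ips: the addresses our own servers answer on.
    trusted_ns_suffixes: DNS suffixes (with leading dot) of nameservers we control.
    """
    expected = set(expected_ips)
    findings: Dict[str, List[str]] = {}
    for domain in domains:
        rec = lookup(domain)
        reasons: List[str] = []
        # First layer of the disguise: the A record now points at a proxy we do not own.
        if rec["a"] not in expected:
            reasons.append(f"A record {rec['a']} not in expected set")
        # Second layer: NS hosts registered under some unrelated (freshly bought) domain.
        for ns in rec["ns"]:
            if not any(ns.lower().endswith(suffix.lower()) for suffix in trusted_ns_suffixes):
                reasons.append(f"NS {ns} outside trusted nameserver domains")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    # Usage over the constructed sample; swap lookup=live_lookup for real domains.
    for dom, why in audit(SAMPLE_RECORDS, {"192.0.2.10", "192.0.2.12"},
                          (".goodhoster.ru",)).items():
        print(dom, "->", "; ".join(why))
```

Anything `audit` reports is a domain to examine by hand in the registrar panel: check who the current administrator contact is, whether the password was changed, and what the NS entries and their glue IPs are.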

A note for the housewife. ATTENTION! It is unknown what information the hackers managed to record while the site was passing through their proxy, so you need to change ALL passwords: site content management, mail, FTP, database.

PS I don't know what to do with other registrars: mtw.ru will change the NS server right over the phone with no passwords or authorization at all, and reg.ru has no partner base of its own in digestible form. By the way, I do not agree with RU-CENTER's position on the torrents.ru case.

PPS For the common good: post how it goes with other registrars, repel the attacks, and share your success stories.

I'll end the post on a positive note: we managed to win the domain back from Evil, which is what I wish for you too!

Source: https://habr.com/ru/post/95772/
