Someone stole our domain name — Parallax Forums

Bean Posts: 8,129
edited 2013-07-30 10:30 in General Discussion
My company accidentally let our domain name expire.
Now someone has taken it and the website tries to install a Trojan seedabutor.C

I realize that it was our fault for letting it expire, but is there anything we can do now?
This will really hurt our business if we can get it fixed.

Any ideas?

Thanks,
Bean

Comments

  • ElectricAye Posts: 4,561
    edited 2013-07-30 06:18
    I'm not a lawyer but depending on how specific the name is, you might look into trademark laws. There are laws about competitors trying to use company names to mislead and confuse customers. If your company name and/or domain name is somewhat generic-sounding, then the trademark thing might be harder to pursue. I think there are also laws against cybersquatting. Just a thought.

    http://www.nolo.com/legal-encyclopedia/cybersquatting-what-what-can-be-29778.html
  • max72 Posts: 1,155
    edited 2013-07-30 06:35
    I have a friend in the business (mainly .it domains, obviously..).
    Usually you have a lot of e-mail warnings and there is a truce period in between. If you go beyond that there is little room. For the virus, the provider or the owner are the only ones that could act. For the name, if it is very close to the company name, to sue is a remote possibility.
  • xanatos Posts: 1,120
    edited 2013-07-30 06:56
    What's the domain name? Before I went full tilt with custom embedded control systems, I designed websites and did a lot with getting domain names back - sometimes from disgruntled former employees. I can look into it and see if there's any course of action that looks promising.
  • potatohead Posts: 10,261
    edited 2013-07-30 07:56
    Ouch!

    Chances are, it's lost. You might be able to pay them, and you might get a legal answer, but both are going to take some time.

    I would right now register something that makes sense, set up e-mail and such to work with it, and broadcast that to your contacts so that they can work with you at this time. Once that is settled, set about attempting to recover the old domain.

    Have you ever wondered what new name you could use? Now is the time to brainstorm on that. Perhaps solicit suggestions with the winner receiving something of value.
  • Gadgetman Posts: 2,436
    edited 2013-07-30 08:14
    Start setting up the alternate name, but you also need to try to bring that trojan site down as quickly as possible.

    Find out where it's hosted, then contact the hoster and tell them that they're hosting a malicious website.
    (Unless it's in China, odds are that even 'bomb proof' hosters will take down a site like that to avoid bigger problems later.)
    You may also contact the hoster's ISP or whoever they're uplinking through if you don't hear anything from the server host.
    (I have gotten spamsites shut down by complaining to their uplink providers)

    Feel free to use a disposable email addy when contacting hoster or ISP, though...
  • Bean Posts: 8,129
    edited 2013-07-30 09:17
    We have paid the registrar; they said it will take a little time to get it set up.

    The website is www greenrayindustries com but be warned the current site generates a security warning for Trojan seedabutor.C

    I removed the dots so no one clicks on it.

    Bean
  • xanatos Posts: 1,120
    edited 2013-07-30 09:33
    Thanks. I don't need to view the domain itself, just its registrar records. I'll let ya know if anything shows up that is useful.

    Dave
  • xanatos Posts: 1,120
    edited 2013-07-30 09:36
    Just putting this info here for future reference. Good news is that it appears the domain is USA owned and hosted, so US laws can apply. It's harder when it's registered to a foreign entity. More later...


    Domain Dossier:

    Queried whois.internic.net with "dom greenrayindustries.com"...

    Domain Name: GREENRAYINDUSTRIES.COM
    Registrar: DOMAIN.COM, LLC
    Whois Server: whois.domain.com
    Referral URL: http://www.domain.com
    Name Server: NS1.ACCOUNTSUPPORT.COM
    Name Server: NS2.ACCOUNTSUPPORT.COM
    Status: ok
    Updated Date: 30-jul-2013
    Creation Date: 26-jul-2001
    Expiration Date: 26-jul-2018

    >>> Last update of whois database: Tue, 30 Jul 2013 16:33:05 UTC <<<
    Queried whois.domain.com with "greenrayindustries.com"...

    Registrant:
    Dotster
    10 Corporate Dr., Suite 300
    Burlington, MA 01803
    US

    Domain name: GREENRAYINDUSTRIES.COM


    Administrative Contact:
    Support, Domain domains@dotster.com
    10 Corporate Dr., Suite 300
    Burlington, MA 01803
    US
    800-401-5250
    Technical Contact:
    Hostmaster, COOL hostmaster@choiceonecom.com
    295 Main St Suite 200
    Buffalo, NY 14203
    US
    7168531331 Fax: 7168531350



    Registration Service Provider:
    AccountSupport, support@accountsupport.com
    1-866-642-4678



    Registrar of Record: Domain.com
    Record last updated on 30-Jul-2013.
    Record expires on 26-Jul-2018.
    Record created on 26-Jul-2001.

    Domain servers in listed order:
    NS1.ACCOUNTSUPPORT.COM
    NS2.ACCOUNTSUPPORT.COM


    Domain status: ok


    Network Whois record

    Queried rwhois.cogentco.com with "38.113.1.225"...

    %rwhois V-1.5:0010b0:00 rwhois.cogentco.com
    network:ID:NET4-2671010018
    network:Network-Name:NET4-2671010018
    network:IP-Network:38.113.1.0/24
    network:Postal-Code:01803
    network:City:Burlington
    network:Street-Address:70 Blanchard Road, 3rd Floor
    network:Org-Name:Endurance International Group
    network:Tech-Contact:ZC108-ARIN
    network:Updated:2007-09-17 22:20:06

    %ok
    Queried whois.arin.net with "n ! NET-38-112-0-0-1"...

    NetRange: 38.112.0.0 - 38.119.255.255
    CIDR: 38.112.0.0/13
    OriginAS:
    NetName: COGENT-NB-0002
    NetHandle: NET-38-112-0-0-1
    Parent: NET-38-0-0-0-1
    NetType: Reallocated
    Comment: ReferralServer: rwhois://rwhois.cogentco.com:4321/
    RegDate: 2003-08-20
    Updated: 2004-03-11
    Ref: http://whois.arin.net/rest/net/NET-38-112-0-0-1


    OrgName: PSINet, Inc.
    OrgId: PSI
    Address: 1015 31st St NW
    City: Washington
    StateProv: DC
    PostalCode: 20007
    Country: US
    RegDate:
    Updated: 2011-05-27
    Comment: rwhois.cogentco.com
    Ref: http://whois.arin.net/rest/org/PSI

    ReferralServer: rwhois://rwhois.cogentco.com:4321

    OrgAbuseHandle: COGEN-ARIN
    OrgAbuseName: Cogent Abuse
    OrgAbusePhone: +1-877-875-4311
    OrgAbuseEmail: abuse@cogentco.com
    OrgAbuseRef: http://whois.arin.net/rest/poc/COGEN-ARIN

    OrgNOCHandle: ZC108-ARIN
    OrgNOCName: Cogent Communications
    OrgNOCPhone: +1-877-875-4311
    OrgNOCEmail: noc@cogentco.com
    OrgNOCRef: http://whois.arin.net/rest/poc/ZC108-ARIN

    OrgTechHandle: IPALL-ARIN
    OrgTechName: IP Allocation
    OrgTechPhone: +1-877-875-4311
    OrgTechEmail: ipalloc@cogentco.com
    OrgTechRef: http://whois.arin.net/rest/poc/IPALL-ARIN
    DNS records

    name class type data time to live
    greenrayindustries.com IN NS ns1.accountsupport.com 3600s (01:00:00)
    greenrayindustries.com IN A 38.113.1.225 3600s (01:00:00)
    greenrayindustries.com IN SOA
    server: ns1.accountsupport.com
    email: dnsadmin@accountsupport.com
    serial: 2012120640
    refresh: 10800
    retry: 3600
    expire: 604800
    minimum ttl: 86400
    3600s (01:00:00)
    greenrayindustries.com IN TXT v=spf1 ip4:38.113.1.0/24 ip4:38.113.20.0/24 ip4:65.254.224.0/19 ?all 3600s (01:00:00)
    greenrayindustries.com IN MX
    preference: 30
    exchange: mx.greenrayindustries.com
    3600s (01:00:00)
    greenrayindustries.com IN NS ns2.accountsupport.com 3600s (01:00:00)
    225.1.113.38.in-addr.arpa IN PTR ip38-113-1-225.yourhostingaccount.com 43200s (12:00:00)
    1.113.38.in-addr.arpa IN SOA
    server: ns1.yourhostingaccount.com
    email: admin@yourhostingaccount.com
    serial: 2004012001
    refresh: 10800
    retry: 3600
    expire: 700000
    minimum ttl: 3600
    3600s (01:00:00)
    1.113.38.in-addr.arpa IN NS ns1.yourhostingaccount.com 3600s (01:00:00)
    1.113.38.in-addr.arpa IN NS ns2.yourhostingaccount.com 3600s (01:00:00)
    -- end --


    Abuse Report filed 2013/07/30 12:55pm at http://www.dotster.com/legal/report_spam_and_abuse.bml


    Dotster
    Legal Department
    10 Corporate Dr.
    Suite 300
    Burlington, MA 01803

    Phone: (602) 716-5396 (M-F 7am - 3:30pm MST)
    Fax: (781) 998-8277
    E-mail: legal@dotster-inc.com
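
An added example, not part of any post in this thread: a small parser for the "Key: value" WHOIS layout quoted above that flags a domain approaching expiry and pulls the abuse e-mail for the hosting network. The sample record, the 60-day warning threshold and every function name are constructed for illustration.

```python
import re
from datetime import date, datetime

# Constructed sample in the "Key: value" layout of the WHOIS output quoted above.
SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR, LLC
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Status: ok
Updated Date: 30-jul-2013
Expiration Date: 26-jul-2018
OrgAbuseName: Example Abuse Desk
OrgAbuseEmail: abuse@example.net
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*)$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return record

def expiry_date(record):
    """Parse the 'dd-mon-yyyy' expiration field (English month names assumed)."""
    values = record.get("expiration date")
    if not values:
        return None
    return datetime.strptime(values[0].title(), "%d-%b-%Y").date()

def renewal_status(record, today, warn_days=60):
    """Classify the domain as EXPIRED, RENEW_NOW, OK or UNKNOWN as of `today`."""
    exp = expiry_date(record)
    if exp is None:
        return "UNKNOWN"  # no date parsed: needs a manual check
    remaining = (exp - today).days
    if remaining < 0:
        return "EXPIRED"
    return "RENEW_NOW" if remaining <= warn_days else "OK"

def abuse_contacts(record):
    """E-mail addresses from abuse fields such as ARIN's OrgAbuseEmail."""
    return [v for k, vals in record.items() if "abuse" in k and "email" in k for v in vals]

if __name__ == "__main__":
    rec = parse_whois(SAMPLE)
    print(rec["name server"], renewal_status(rec, date(2018, 6, 1)), abuse_contacts(rec))
```

Run on a schedule against saved WHOIS output, a RENEW_NOW or UNKNOWN result is the cue to check the registrar account before the name lapses.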

  • xanatos Posts: 1,120
    edited 2013-07-30 10:04
    Bean - since I don't want to risk the Trojan - is the website still displaying the content you used to have on it? If not, have you seen what the content is?
  • Bean Posts: 8,129
    edited 2013-07-30 10:19
    I think we have it corrected.
    The website is the registrar's page, and the Trojan warning is from one of the ads that are on the page (basically a false warning).

    The registrar has renewed the name, and we are waiting for the records to get updated. Only mail working so far, but it looks like it's not as big a deal as I originally thought.

    Bean
  • xanatos Posts: 1,120
    edited 2013-07-30 10:30
    Very glad to hear that. Let me know if anything needs further looking into. I started a process with Dotster, I'll let them know it's handled.

    Dave