- Hackers stole a “com” Perl domain that now sits on a malware distribution IP address.
- The domain was stolen a while back, then moved between different registrars, and finally set to serve a blank HTML page.
- The community has moved the site under Perl’s official “org” domain and awaits a resolution.
‘Perl.com,’ a domain that has been used to post topics relevant to the Perl programming language since 1997, has now fallen into the wrong hands. According to multiple reports, the new IP address that the domain is pointing to is associated with past malware distribution campaigns. This development follows a series of irregularities in the domain's registration.
The problem apparently started back in September 2020, when someone hijacked the domain, but nobody noticed at the time. Several weeks later, on Christmas Day, the new owner moved the domain from Network Solutions to a Chinese registrar.
Finally, on January 27, 2020, a move to Key-Systems was completed. This move was accompanied by a new IP address, which is when everyone noticed. The domain now leads to a blank page, and the new owners are trying to sell it for $190,000 through Afternic.
The rightful owner of Perl.com, Tom Christiansen, normally had until 2029 to renew the domain, so this is clearly a domain theft case. The registrar shouldn’t be able to delete or move the domain without the owner’s consent, but they can change the nameservers, which is what seems to have happened in this case.
Thankfully, and because legitimate companies are involved, getting the domain back to its rightful owner should be possible, although not free of complications. In the meantime, Perl’s official ‘Perl.org’ website is up and safe to use, while the community of Perl.com has moved to ‘perldotcom.perl.org’ temporarily. Until the original domain is recovered, users are advised to use that domain instead.
The current IP address on Perl.com has been associated with numerous malware distribution campaigns, so the people who snatched the domain acted in a targeted and purposeful way. The domain is not currently sending out any malicious files, but this could change at any time. So, just avoid visiting it - there’s nothing to see there anyway.
As for who these hackers are, The Register claims to have reliable information about a Moldovan based in Chisinau, including names and email addresses.