{"id":18502,"date":"2021-01-29T19:13:10","date_gmt":"2021-01-29T18:13:10","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=18502"},"modified":"2022-11-04T11:50:07","modified_gmt":"2022-11-04T10:50:07","slug":"domain-perl-com-gestohlen-ip-wird-fr-malware-kampagnen-genutzt","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/01\/29\/domain-perl-com-gestohlen-ip-wird-fr-malware-kampagnen-genutzt\/","title":{"rendered":"Domain Perl[.]com stolen, IP points to a site used for malware campaigns"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/01\/29\/domain-perl-com-gestohlen-ip-wird-fr-malware-kampagnen-genutzt\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Warning to users who are interested in the Perl programming language and have previously accessed the Perl[.]com domain. The domain has been stolen and the IP has been redirected to an address associated with malware campaigns. <\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/vg04.met.vgwort.de\/na\/61a219353fb34116b632fc1b8bf6d0e9\" width=\"1\" height=\"1\">The domain perl[.]com belongs to the Perl Foundation and has been used to publish news and articles about the Perl programming language since 1997. Now the domain has been hijacked. On Reddit there is <a href=\"https:\/\/www.reddit.com\/r\/perl\/comments\/l6d8ws\/perlcom_unfriendly_domain_take_over\/\" target=\"_blank\" rel=\"noopener\">this thread<\/a> where the whole thing is addressed. The perl[.]com site (without HTTPS) now indicates that the domain is for sale and shows advertisements. 
The whois record of January 27, 2021 indicates an unfriendly takeover.&nbsp; <\/p>\n<p><a href=\"https:\/\/i.imgur.com\/AcqbNLi.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"Reddit.com entry on Perl.com\" alt=\"Reddit.com entry on Perl.com\" src=\"https:\/\/i.imgur.com\/AcqbNLi.png\" width=\"630\" height=\"363\"><\/a><\/p>\n<p>Here's a screenshot of the sales message in question that someone posted on <a href=\"https:\/\/twitter.com\/mikechamberlain\/status\/1354579781212385282\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>.<\/p>\n<p><a href=\"https:\/\/twitter.com\/mikechamberlain\/status\/1354579781212385282\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" title=\"Perl.com for sale\" alt=\"Perl.com for sale\" src=\"https:\/\/i.imgur.com\/Kff4M4q.png\" width=\"440\" height=\"952\"><\/a><\/p>\n<p>A short time later, brian d foy confirmed the unfriendly takeover of the domain perl[.]com on <a href=\"https:\/\/twitter.com\/briandfoy_perl\/status\/1354535622069919748\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>. According to a follow-up tweet, more domains seem to have been hit. <\/p>\n<p><a href=\"https:\/\/twitter.com\/briandfoy_perl\/status\/1354535622069919748\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/47RG9VU.png\"><\/a><\/p>\n<p>The colleagues at Bleeping Computer also point out the issue in this <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1355189143807127552\" target=\"_blank\" rel=\"noopener\">tweet<\/a> and have summarized the state of affairs in <a href=\"https:\/\/web.archive.org\/web\/20220620004703\/https:\/\/www.bleepingcomputer.com\/news\/security\/perlcom-domain-stolen-now-using-ip-address-tied-to-malware\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>. 
<\/p>\n<p><a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1355189143807127552\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Perl domain stolen\" alt=\"Perl domain stolen\" src=\"https:\/\/i.imgur.com\/A4TC8Ew.png\"><\/a><\/p>\n<p>The <a href=\"https:\/\/log.perl.org\/2021\/01\/perlcom-hijacked.html\" target=\"_blank\" rel=\"noopener\">log files<\/a> say that the domain had been hijacked and the recovery process may be ongoing. Here is the excerpt:<\/p>\n<blockquote>\n<h4>Wednesday, January 27, 2021<\/h4>\n<p><a name=\"9060466932145771050\"><\/a> <\/p>\n<h5>perl.com hijacked<\/h5>\n<p>The perl.com domain was hijacked this morning, and is currently pointing to a parking site.&nbsp; Work is ongoing to attempt to recover it.  <\/p>\n<p>We encourage you NOT to visit the domain, as there are some signals that it may be related to sites that have distributed malware in the past.  <\/p>\n<p>&nbsp; Some users may have it selected as their CPAN mirror.&nbsp; To update your mirror in CPAN.pm use o conf urllist http:\/\/www.cpan.org\/  <\/p>\n<blockquote>\n<p># perl -MCPAN -eshell<br \/>cpan shell &#8212; CPAN exploration and modules installation (v2.20)<br \/>Enter 'h' for help.  
<\/p>\n<p>cpan[1]&gt; o conf urllist http:\/\/www.cpan.org\/<br \/>Please use 'o conf commit' to make the config permanent!<br \/>cpan[2]&gt; o conf commit<br \/>commit: wrote '\/root\/.cpan\/CPAN\/MyConfig.pm'<\/p>\n<\/blockquote>\n<p>Update 2021-01-28:  <\/p>\n<p>&nbsp; Work is underway to attempt to recover the domain.&nbsp; If you're looking for the content, you can visit <a href=\"https:\/\/perldotcom.perl.org\/\">perldotcom.perl.org<\/a>.<\/p>\n<\/blockquote>\n<p>Bleeping Computer has <a href=\"https:\/\/web.archive.org\/web\/20220620004703\/https:\/\/www.bleepingcomputer.com\/news\/security\/perlcom-domain-stolen-now-using-ip-address-tied-to-malware\/\" target=\"_blank\" rel=\"noopener\">collected the information<\/a> that the domain has been hijacked and is under the attacker's control. The IP address points to a page that was used for malware campaigns. Anyway, the recovery may take some time. The Perl Foundation has set up a replacement site at <a href=\"https:\/\/perldotcom.perl.org\/\" target=\"_blank\" rel=\"noopener\">perldotcom.perl.org<\/a>, where content can be retrieved.&nbsp; <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Warning to users who are interested in the Perl programming language and have previously accessed the Perl[.]com domain. 
The domain has been stolen and the IP has been redirected to an address associated with malware campaigns.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-18502","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/18502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=18502"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/18502\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=18502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=18502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=18502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}