Privacy Ninja

Perl.com Domain Stolen, Now Using IP Address Tied To Malware

Perl.com Domain Stolen, Now Using IP Address Tied To Malware

The domain name perl.comwas stolen this week and is now points to an IP address associated with malware campaigns.

Perl.com is a site owned by The Perl Foundation and has been used since 1997 to post news and articles about the Perl programming language.

On January 27th, the Perl NOC site posted that the perl.com domain was hijacked and is now pointing users to a different IP address.

“The perl.com domain was hijacked this morning, and is currently pointing to a parking site.  Work is ongoing to attempt to recover it,” the Perl.org post reads.

The perl.com site was originally hosted at the IP address 151.101.2.132, but since being hijacked, it is now hosted at the Google Cloud IP address 35.186.238[.]101.

When visiting the site, users are greeted with a blank page. The HTML for the page contains Godaddy parked domain scripts even though the domain is registered with the registrar key-systems(.)net.

brian d foy, a Perl programming language author, tweeted that they have temporarily setup perl.com at http://perldotcom.perl.org for users who wish to access the site until the domain is recovered.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

Until the domain hijacking is resolved, The Perl Foundation is recommending that users do not use perl.com as a CPAN mirror and to update it using the following command:

# perl -MCPAN -eshell
cpan shell -- CPAN exploration and modules installation (v2.20)
Enter 'h' for help.

cpan[1]> o conf urllist http://www.cpan.org/
Please use 'o conf commit' to make the config permanent!
cpan[2]> o conf commit
commit: wrote '/root/.cpan/CPAN/MyConfig.pm'

At this time, it is not known how the domain was stolen. BleepingComputer has sent an email to The Perl Foundation with questions about this but has not received an answer.

New perl.com IP address tied to malware

The IP address that perl.com is now hosted has a long history of being used in older malware campaigns and more recent ones.

In 2019, the IP address 35.186.238[.]101 was tied to a domain distributing a malware executable [VirusTotal] for the now-defunct Locky ransomware.

More recently, a malware [VirusTotal] that appears to be an ad clicker is using the following domains as command and control (C2) servers.

www.supernetforme[.]com
www.superwebbysearch[.]com

These domain names both resolve to 35.186.238[.]101, as shown below.

Command and control servers hosted at 35.186.238[.]101
Command and control servers hosted at 35.186.238[.]101

When the malware attempts to connect to the URLs at these domains, they are now receicing the same parked domain scripts currently being used when visiting perl.com.

These HTML responses, rather than instructions from a C2, may indicate that the IP address is under the control of a different threat actor.

Also Read: Limiting Location Data Exposure: 8 Best Practices

For now, it is strongly advised not to visit perl.com until the domain is back in the hands of The Perl Foundation, as attackers could very easily switch it to a site for more malicious purposes.

Privacy Ninja provides GUARANTEED quality and results for the following CORE SERVICES:

DPO-As-A-Service (Outsourced DPO Subscription)
Vulnerability Assessment & Penetration Testing (VAPT)
PDPA Obligations for Organizational Compliance (SkillsFuture Credit Eligible)

OTHER SERVICES:

PDPA Compliance Audit
Dig
ital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy

PDPA Data Protection Software
Smart Contract Audit

LIKE & SUBSCRIBE:
Facebook
LinkedIn
Twitter
YouTube
Podcast

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Powered by WhatsApp Chat

× How can we help you?