Perl.com Domain Stolen, Now Using IP Address Tied To Malware

The domain name perl.comwas stolen this week and is now points to an IP address associated with malware campaigns.

Perl.com is a site owned by The Perl Foundation and has been used since 1997 to post news and articles about the Perl programming language.

On January 27th, the Perl NOC site posted that the perl.com domain was hijacked and is now pointing users to a different IP address.

“The perl.com domain was hijacked this morning, and is currently pointing to a parking site.  Work is ongoing to attempt to recover it,” the Perl.org post reads.

The perl.com site was originally hosted at the IP address 151.101.2.132, but since being hijacked, it is now hosted at the Google Cloud IP address 35.186.238[.]101.

When visiting the site, users are greeted with a blank page. The HTML for the page contains Godaddy parked domain scripts even though the domain is registered with the registrar key-systems(.)net.

brian d foy, a Perl programming language author, tweeted that they have temporarily setup perl.com at http://perldotcom.perl.org for users who wish to access the site until the domain is recovered.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

Until the domain hijacking is resolved, The Perl Foundation is recommending that users do not use perl.com as a CPAN mirror and to update it using the following command:

# perl -MCPAN -eshell
cpan shell -- CPAN exploration and modules installation (v2.20)
Enter 'h' for help.

cpan[1]> o conf urllist http://www.cpan.org/
Please use 'o conf commit' to make the config permanent!
cpan[2]> o conf commit
commit: wrote '/root/.cpan/CPAN/MyConfig.pm'

At this time, it is not known how the domain was stolen. BleepingComputer has sent an email to The Perl Foundation with questions about this but has not received an answer.

New perl.com IP address tied to malware

The IP address that perl.com is now hosted has a long history of being used in older malware campaigns and more recent ones.

In 2019, the IP address 35.186.238[.]101 was tied to a domain distributing a malware executable [VirusTotal] for the now-defunct Locky ransomware.

More recently, a malware [VirusTotal] that appears to be an ad clicker is using the following domains as command and control (C2) servers.

www.supernetforme[.]com
www.superwebbysearch[.]com

These domain names both resolve to 35.186.238[.]101, as shown below.

When the malware attempts to connect to the URLs at these domains, they are now receicing the same parked domain scripts currently being used when visiting perl.com.

These HTML responses, rather than instructions from a C2, may indicate that the IP address is under the control of a different threat actor.

Also Read: Limiting Location Data Exposure: 8 Best Practices

For now, it is strongly advised not to visit perl.com until the domain is back in the hands of The Perl Foundation, as attackers could very easily switch it to a site for more malicious purposes.