@susam
Last active September 26, 2023 21:28
ghost commented Nov 30, 2019


NIXI sinkholed your domain for malware in partnership with Shadowserver, presumably?

@susam

susam commented Nov 30, 2019


> @gh-bct: NIXI sinkholed your domain for malware in partnership with Shadowserver, presumably?

Thank you for your comment. We can only guess. I was running a really small tech + math blog on my website. Further, it was a static website running on an up-to-date Debian system. I don't see any suspicious logins or processes running on the system. I wonder when and how malware ended up on this system. And even if it did, why did I not get a notification before the domain was sinkholed?

@myk1e

myk1e commented Nov 30, 2019


Do you still have access to the email address used for this domain? Do you normally receive emails from your registrar? (just one troubleshooting question among others...)

@psuet

psuet commented Nov 30, 2019


The Public Prosecutor's Office Verden (Staatsanwaltschaft Verden) is responsible for all criminal investigation regarding "IuK-Kriminalität" (crimes using communication technology) in the German state of Lower Saxony (Niedersachsen). You might want to contact them:
https://www.staatsanwaltschaft-verden.niedersachsen.de/startseite/kontakt/ihr-weg-zu-uns-156526.html (in German; English is probably not possible; translation needed?)

@susam

susam commented Nov 30, 2019


@myk1e Thank you for your comment. Yes, I do have access to the email address used for this domain. Yes, I do normally receive emails from the registrar as well as Namecheap at this address. In this case, however, I had not received any notification or authorization request.

@yaleman

yaleman commented Nov 30, 2019


> The Public Prosecutor's Office Verden (Staatsanwaltschaft Verden) is responsible for all criminal investigation regarding "IuK-Kriminalität" (crimes using communication technology) in the German state of Lower Saxony (Niedersachsen).

This is the most relevant information - law enforcement organisations typically redirect seized sites to shadowserver because it's a community sinkhole service for collecting malware/bot traffic.

@abbyck

abbyck commented Dec 1, 2019


Never expect to get a reply from NIXI. You will never get one. They are a bunch of lazy government employees.

@dalescraig


Hello, did you know the domain name susam.cool is available at namecheap?

@susam

susam commented Dec 2, 2019


> The Public Prosecutor's Office Verden (Staatsanwaltschaft Verden) is responsible for all criminal investigation regarding "IuK-Kriminalität" (crimes using communication technology) in the German state of Lower Saxony (Niedersachsen).

> @yaleman: This is the most relevant information - law enforcement organisations typically redirect seized sites to Shadowserver because it's a community sinkhole service for collecting malware/bot traffic.

Thank you for posting this comment. The Shadowserver Foundation contacted me yesterday and informed me that my domain was sinkholed by accident. They contacted NIXI to transfer the domain back to me. I have added a section named Updates to this Gist post with more details about this.

@EpicnessTwo


Looks like you have a small typo in the first date under Updates. You've put 30-Dec-2019 instead of 30-Nov-2019... Unless you're a time traveler!? :)

@susam

susam commented Dec 3, 2019


@EpicnessTwo Yes, there was a typo indeed. Thanks for reporting. I have fixed it now. By the way, I have now shared the full story here: https://susam.in/blog/sinkholed.html.

@EpicnessTwo


I saw it; it was a good read :) I'm glad to hear you got your domain back... just a shame how easy it is to lose it.
