GTSS Working?

Thanks Adelheid. I will do as you suggest.

I am curious about the hack’s m.o. It seems to me that the canonical name servers for my site must have been compromised, replacing the proper domain->ip mapping with another one.

Does anyone know what such attacks are called?

Thanks.

-paul

Let us know if you find out any more about how this happened and how it can be fixed (and prevented). I’m worried about my own sites. I have them all locked, as I can see from a whois that you did for yours, so there’s more to it than just that.

This looks less like an attack than domain squatting on an expired domain. Where did you purchase your domain? Did you do that directly, or did your ISP do it for you?

Edonnelly is right, it works for Windows. It is OK for me now, thanks. :)

Will: I am pretty sure this is a so-called “DNS hijack.” My domain registration is up-to-date.

All: My ISP is looking at the problem; they seemed quite concerned about it. Also, if you are behind a caching proxy server, then the HOSTS file workaround won’t work. I am unable to reach greekgeek.org (the real one) from work for this very reason. When IE (and Mozilla, it seems) knows it’s talking to proxy server, it simply ignores HOSTS file, instead deferring to proxy server’s cache. I lack authority at work to mung with proxy server, though I am nonetheless tempted…

Cordially,

Paul

I sure hope this thing gets sorted out because I have no idea what you are talking about with host file etc.

Very bizarre. The whois record seems correct.

That’s the strangest and least racy use of a domain hijacking I have ever seen

Bert, if you are on a pc, try to find the following file:

C:/windows/system32/drivers/etc/hosts

In this file, which you can open with notepad, you can add the line

72.29.74.163 www.greekgeek.org

(without the underlining)

After saving the file, you would be able to get to Paul’s site again.

I tried to find it using the Search dialog box but no success.

On my pc at work (XP) the path is C:\WINDOWS\system32\drivers\etc

Can you browse there via ‘My Computer’?

Hi Bert,

Perhaps your “My Computer” (aka “Windows Explorer”) is set to hide system files. Launch “My Computer” and do this:

Tools → Folder Options
Click on the View tab
Under the entry “Hidden Files and Folders” click on the radio button (a circle) for “Show hidden files and folders.”

Then try search again…or you could simply use “My Computer” to navigate your way to the desired folder.

Cordially,

Paul

Paul and all:

The GTSS site appears to be working this morning.

Thanks for your help, Adelheid.

Back to work now

Maria B
Pharr-d

Really? I just checked, but no change as yet.

Now even my hosts file entry doesn’t work anymore…

Here’s an interesting post about a DNS-changing Trojan. What they’re describing is a little different, since it sounds more like ISP name servers getting hijacked, but the image of the redirected/hijacked site is strangely similar to what got Paul’s site.

http://blog.trendmicro.com/rogue-domain-name-system-servers-5breposted5d/

(By the way, I’m still getting the “true” gtss when my host file has fix, and the hijacked one if I delete the fix).

That’s it. Back slash instead of forward slash.
But like you, it didn’t have an effect.
I wanted it to work if for no other reason than to make the effort of this vandal useless.
Why does edonnelly’s still work, I wonder?

That’s what I would like to know: after testing it yesterday (removing the hosts file entry and putting it back) there was no way I could get to Paul’s site again.

Hi Everyone,

At my ISP’s instruction, I updated the authoritative nameservers for greekgeek.org. This update should be effective within 24 hours (I think I did it around mid-day yesterday). Worldwide nameserver percolation should take not more than 48.

I am finding that I can now get to my website from several computers without any fix to HOSTS file.

I suspect that by Saturday afternoon, all will be cool. But please let me know if not.

I’m still not quite sure what really happened, nor do I know if my ISP has taken steps to prevent its re-occurrence. But I will read article Ed posted.

Cordially,

Paul

All’s good now.