I described recently how law.tm got hacked and what I did about it.
Since then I’ve been in correspondence with Netnames who argue pretty convincingly that the problem was not on their end. They say their records show no DNS changes for the period in question, and no one else they serve has has had a similar problem.
That means the DNS change happened at my hosting company (or, theoretically, somewhere else via cache poisoning, but that’s really unlikely). Hacking my DNS via my hosting company is certainly possible, even though they don’t manage the registration. That said, it’s sort off an odd thing to think happened because any hack capable of making that change there should have been able to do far far more damage and hit at least the other domains I manage from the same machine. Indeed, depending on the vector it could theoretically have hit all of them: my domains are spread over three machines; changing the DNS would require either root-like access on one of them or access to a control panel that gives some power over all of them. Yet none of those things happened. Maybe I dodged a bullet.
Meanwhile, I’ve changed all the relevant passwords (which were already strong random ones) and am working hard to plug every hole that my host’s automated security scan says it identified. Unfortunately, I have a lot of sites covering a very wide variety of personal and professional projects that have grown up over the years, and the scan resulted in a 12-page single-spaced list of things that might need fixing. It correctly identified some outdated installs of software packages, but the list of so-called hacked files seems overwhelmingly to consist of false positives (I’ve been investigating them with a simple text editor and so far they are mostly simple HTML files created by my cache program and fitted with legitimate headers) — so this is not an easy job.