Domain theft: what to do if your domain was taken away in this mass attack

    We are a RU-CENTER (nic.ru) partner, and the domain of one of our customers was "taken away".
    The first breaking-news post about this attack was here: habrahabr.ru/blogs/infosecurity/95705

    RU-CENTER's failing: when the DNS was changed, I received no notification.
    What RU-CENTER did right: it temporarily blocked changing the domain's partner.

    The hackers changed the access password and the NS servers.

    BUT! They did not stop there. ATTENTION! Evil is cunning and nasty.
    As the NS servers the hacker registered ns.<the-hijacked-domain-itself>.ru and likewise ns2, and after the space in the same field (i.e. as the glue address) entered the IP of a transparent proxy server, 62.122.75.80

    i.e., on the face of it, a first level of disguise.
    The next layer of mimicry: the server at that address transparently pulled the content from the old IP address (I don't know how).
    I don't know how long this would have gone on, but the hacker's server started to fail and could no longer withstand the load.

    The site's slowness and Outlook's refusal to work with mail raised panic, first on the client's side and then in our office.

    If only you knew the bewilderment and the sense of mysticism :) A quick google of the IP address led to an article on RuNet about the mass domain hijacking (thanks, %username%!).

    Then we acted quickly (after the diagnosis).

    So, the action plan if you are a registrar partner (nic.ru):

    From the partner account, change the domain administrator's contact email to a current one and initiate password recovery, then change the password.

    Here you need to act as quickly as possible, since from the moment the email is changed the hacker receives a notification about it. They took away thousands of domains; they are unlikely to have time to react quickly.
    Only THEN change the DNS servers. It is important to keep this order and to act quickly: changing the NS first is pointless while the attacker still holds the account password and can simply change it back.

    If you are the domain owner and there is no partner, don't hesitate to send an official letter to the registrar, and if possible come in person with your passport.
    More details here: www.nic.ru/dns/service/faq.html#common (if you are with RU-CENTER).

    RU-CENTER employees themselves recommend prohibiting password changes from within the account (this is done with a checkbox in the admin panel).

    To all hosting owners, and anyone who hosts a bunch of clients' domains: resolve or ping their domains from your list and put under the microscope any that stand out by IP address, i.e. resolve to an address that is not yours.
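    The check above (resolve every hosted domain, flag the ones whose addresses or NS servers are not yours, and look for the ns.<the-domain-itself> glue trick) as a small audit script. This is an added example, not code from the original post or from RU-CENTER; the domain names, the NS hostnames ns1/ns2.our-hoster.example, the address 203.0.113.10 and the `SAMPLE_INVENTORY` are constructed, only 62.122.75.80 comes from the post, and the `live_records` helper assumes `dig` is installed and is only used when you have network access.

```python
"""Audit hosted domains for the hijack pattern described in the post (added example).

Per domain it reports:
  1. NS hosts that are not the ones you registered;
  2. an NS host inside the domain itself whose glue address is not one of yours
     (the ns.<domain>.ru + proxy-IP trick);
  3. a web (A) address that is the known hijack proxy, or simply not yours.
Records are plain dicts so the audit runs offline; `live_records` (assumes dig)
builds the same dict from live DNS.
"""
import subprocess

# The only real value here: the transparent proxy address named in the post.
KNOWN_PROXY_IPS = {"62.122.75.80"}


def in_own_zone(domain: str, ns_host: str) -> bool:
    """True if ns_host is the domain itself or a name under it."""
    d = domain.lower().rstrip(".")
    h = ns_host.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def audit_domain(domain, records, expected_ns, my_ips):
    """Return a list of findings for one domain; an empty list means clean.

    records     = {"ns": [host, ...], "glue": {host: ip}, "a": [ip, ...]}
    expected_ns = NS hostnames you registered for your clients' domains
    my_ips      = addresses your infrastructure actually answers on
    """
    findings = []
    exp = {h.lower().rstrip(".") for h in expected_ns}
    for host in records.get("ns", []):
        h = host.lower().rstrip(".")
        if h not in exp:
            findings.append(f"{domain}: unexpected NS {h}")
        glue = records.get("glue", {}).get(h)
        if in_own_zone(domain, h) and glue and glue not in my_ips:
            findings.append(f"{domain}: in-zone NS {h} has foreign glue {glue}")
    for ip in records.get("a", []):
        if ip in KNOWN_PROXY_IPS:
            findings.append(f"{domain}: A record points at known hijack proxy {ip}")
        elif ip not in my_ips:
            findings.append(f"{domain}: A record {ip} is not one of our addresses")
    return findings


def audit_inventory(inventory, expected_ns, my_ips):
    """Run audit_domain over {domain: records}; keep only domains with findings."""
    result = {}
    for domain, records in inventory.items():
        hits = audit_domain(domain, records, expected_ns, my_ips)
        if hits:
            result[domain] = hits
    return result


def dig_short(name, rrtype):
    """Live lookup via `dig +short` (assumption: dig is installed); [] if not."""
    try:
        out = subprocess.run(["dig", "+short", rrtype, name],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return [line.strip().rstrip(".") for line in out.splitlines() if line.strip()]


def live_records(domain):
    """Build the records dict for audit_domain from live DNS (needs network)."""
    ns = dig_short(domain, "NS")
    glue = {}
    for host in ns:
        if in_own_zone(domain, host):
            ips = dig_short(host, "A")
            if ips:
                glue[host.lower()] = ips[0]
    return {"ns": ns, "glue": glue, "a": dig_short(domain, "A")}


# Constructed sample data (not real domains): one clean client and one hijacked
# exactly the way the post describes.
EXPECTED_NS = {"ns1.our-hoster.example", "ns2.our-hoster.example"}
MY_IPS = {"203.0.113.10"}
SAMPLE_INVENTORY = {
    "clean-client.example": {
        "ns": ["ns1.our-hoster.example", "ns2.our-hoster.example"],
        "glue": {},
        "a": ["203.0.113.10"],
    },
    "victim-client.example": {
        "ns": ["ns.victim-client.example", "ns2.victim-client.example"],
        "glue": {"ns.victim-client.example": "62.122.75.80",
                 "ns2.victim-client.example": "62.122.75.80"},
        "a": ["62.122.75.80"],
    },
}

if __name__ == "__main__":
    for hits in audit_inventory(SAMPLE_INVENTORY, EXPECTED_NS, MY_IPS).values():
        print("\n".join(hits))
```

    Feed `audit_inventory` your real domain list with `{d: live_records(d) for d in domains}`; a legitimate in-zone NS (a client running their own DNS) only trips the glue check when its address is outside `MY_IPS`, so add such clients' addresses there rather than silencing the check.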

    A note for the careful housekeeper. ATTENTION! It is not known what information the hackers managed to record while the site's traffic passed through their proxy (anything sent over plain HTTP, logins and session cookies included, went through it in the clear), so you need to change ALL access passwords: site content (CMS), mail, FTP, database.

    PS I don't know what to do about other registrars: mtw.ru will change the NS servers directly by phone without any passwords or authorization, reg.ru doesn't have its own partner base in a digestible form; by the way, I agree with RU-CENTER's position in the torrents.ru case.

    PPS For the common good: post how this goes with other registrars, fighting off the attacks, and share success stories.

    I'll end the post on a positive note: I managed to take the domain back from Evil, which is what I wish for you too!
