I really don't know where to post this so I'm starting off with a general forum. If there's a better place please let me know.
One of my income-earning domains is being redirected to advertising sites when anyone in either India or Thailand tries to browse to my URL. While English isn't the first language in either of these countries, both have large English-speaking populations, so it's an important issue for me.
The fraudulent redirections were reported to me by potential customers in both countries, and I have confirmed it myself by connecting to my site through Indian and Thai proxy servers.
Language is a barrier in trying to deal directly with providers or authorities in those countries.
Does any mechanism exist for reporting this sort of fraudulent activity? To whom?
Thanks in advance,
Billy
One of my income-earning domains is being redirected to advertising sites when anyone in either India or Thailand tries to browse to my URL
Does not make much sense. Have you tried proxies that sit on different ISPs in India and Thailand?
Here's why it doesn't make sense. Normally, if only some of your users are affected, it would most likely be a case of DNS Cache Poisoning, uploading a zone file to a DNS server that has no transfer security, or some other exploitation of some DNS weakness.
But for these to affect only users in two specific countries could only likely happen two ways:
(1) attacking the DNS servers of EVERY ISP in the two countries (which seems highly unlikely - because not all would be likely vulnerable).
(2) By attacking YOUR DNS server or web server, but somehow being selective about which users are redirected. Perhaps there was a hope that the attack would not be detected, since only users in remote countries are affected.
You need to do an immediate, complete security audit of your site to eliminate the possibility of (2), which would seem the most likely scenario.
I would first check to see if you even still own your domain. Check WHOIS, then log-in to your registrar and make sure the domain is there. Change some small detail in WHOIS, and make sure that it propagates to the WHOIS server.
Change ALL passwords. Do not ever use passwords that are words - they must be random characters.
Do a search to find online traceroute tools that are located in India and Thailand. Run traceroutes from these sites to yours. This will help determine if it is some kind of DNS-related attack upon ISPs in the two countries. I don't think this is very likely, though.
The exception is if the country has a "great wall". e.g. a firewall through which all external traffic must pass. Hmmm... Thailand sounds likely, but India? Perhaps the great wall isn't so great at security.
Fact is, it is happening, of that there is no doubt. I've been in IT for 20 years and specialize in PC and online security (from the end-user perspective), so I have the ability to check out the obvious. However, I confess a degree of ignorance as to the technical workings of the Internet and its management hierarchy.
As for my Host and Registrar, I've had good support from both in ascertaining that there are no problems in their respective areas of responsibility.
I'm aware that some countries (China is frequently in the news in this regard) can control everything into and out of their jurisdictions, but I have no knowledge of just which countries do this nor how they do it.
The unauthorized redirection of a legitimate domain by any service, authority or body must surely be considered a serious matter with implications for domain owners everywhere. In fact I suspect that if many Webmasters took the trouble to see how their domains are viewed in a range of foreign countries, there might be quite a few unpleasant surprises.
In the absence of any better advice I have sent e-mail to the general contact addresses of ICANN and IANA requesting advice on which authorities, if any, might be responsible for investigating such abuse.
In an ideal world, the appropriate authorities would do all the needed investigation. But this is not an ideal world - most especially the third world. I think it's unrealistic for you to expect third-world government authorities to fund the investigative work to figure out why you are losing some income from the hijacking of your URLs in their countries. Further, ICANN, which might have some authority or oversight, is generally inaccessible to the public - they don't serve YOU - they serve countries, registries, and registrars. You need to start by complaining lower on the food chain.
And the problem is, at this point, you don't even know who the appropriate authorities are, and it may not even require their involvement.
If you can get access to a Linux shell prompt in India, Thailand, or both, that would help immensely, as you would have a wide variety of tools at your disposal to track this down further.
You'd start by verifying that it really is a DNS hijack, and not some other form of hijack. Use nslookup on the remote ISP's DNS server to verify that the IP address being given for your site is not your IP address.
If it is a DNS hijack, you can then do further investigation to determine which server the bogus information is being injected to. It might be the ISP's itself, it might be a centralized DNS server that the government requires all ISPs to use, etc.
Once you know whose DNS server was poisoned, you'd also do some tests to see if that DNS server is vulnerable to hijacking. I'd start by complaining to whoever maintains that server. They may be happy that you've reported the problem, and you won't have to go any further.
In what country is the site that the traffic is being redirected to? It would be an obvious starting point to complain in that country, but I'd first arm myself with some solid technical information, which it doesn't seem that you have at this point.
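The check the replies describe (ask each suspect resolver for the domain's A record and flag any whose answer is not one of your own IPs) can be scripted rather than run by hand with nslookup. This is an added example, not code from the thread; the domain, the expected IP, the resolver addresses and the embedded response bytes are constructed placeholders.

```python
import socket
import struct

# Constructed placeholders: stand-ins for the poster's real domain and its A record.
DOMAIN = "example.com"
EXPECTED_IPS = {"203.0.113.10"}

def build_a_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query: header with RD set, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(data, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(data):
    """Extract IPv4 addresses from the answer section; other record types are skipped."""
    qdcount, ancount = struct.unpack(">HH", data[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return ips

def query_a(resolver, name=DOMAIN, timeout=3.0):
    """Send the query to one resolver over UDP/53 and return the IPs it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)

def find_hijacked(answers, expected=EXPECTED_IPS):
    """Map resolver -> unexpected IPs, for every resolver whose answer leaves the expected set."""
    return {r: sorted(set(ips) - expected) for r, ips in answers.items() if set(ips) - expected}

# Constructed response: example.com A 198.51.100.7, TTL 300, name compressed to offset 12.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc6\x33\x64\x07")
```

To use it live, call `query_a` for each resolver you can reach (the remote ISP's, a local proxy's, your own) and pass the collected answers to `find_hijacked`; a resolver that shows up in the result is the one to take your complaint to.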