Several Sites Defaced

Published: 2011-09-04,
Last Updated: 2011-09-05 08:40:22 UTC
by Lorna Hutcheson (Version: 4)

8 comment(s)

3rd Update: The Register has published more details of the incident: http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ (thanks Alex)

2nd Update: The root problem appears to be mitigated now. However, many DNS servers now have bad results cached. Please flush the cache of your recursive DNS servers.

Host names and IP addresses to watch:

ns1.yumurtakabugu.com. or 68.68.21.195
ns2.yumurtakabugu.com. or 68.68.21.196
ns3.yumurtakabugu.com. or 68.68.21.197
ns4.yumurtakabugu.com. or 68.68.21.198

IP Address used as A record for affected domains: 68.68.20.116

These IP addresses in particular may change at any time. Keep watching them and remove them from your blacklist as appropriate.

---

There have been several widespread defacements reported to us today. The NS records for the affected domains all point to the same set of name servers, as seen below:

ups.com.  85621 IN NS ns1.yumurtakabugu.com.
ups.com.  85621 IN NS ns2.yumurtakabugu.com.
ups.com.  85621 IN NS ns4.yumurtakabugu.com.
ups.com.  85621 IN NS ns3.yumurtakabugu.com.
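The check below is an added example, not part of the original diary. It wraps the dig query shown above so you can ask each recursive resolver you depend on what it currently has cached for a list of domains, flag answers that match the indicators listed in the updates (NS records under yumurtakabugu.com, the 68.68.20.116 A record, and the ns1-ns4 addresses), and flush a local BIND or Unbound cache once the delegation has been corrected. The indicator values come from this diary; the resolver and domain lists are the caller's own and are assumed here.

```shell
#!/bin/sh
# Added example (not from the ISC diary): check recursive resolvers for the
# hijacked delegation described above and flush a local cache afterwards.
# Indicator values are taken from the diary; resolvers/domains are assumed.
set -eu

BAD_NS_SUFFIX='yumurtakabugu.com.'   # rogue name servers ns1-ns4
BAD_A='68.68.20.116'                 # A record served for hijacked domains
BAD_NS_RANGE='68.68.21.19[5-8]'      # addresses of ns1-ns4 (awk regex)

# classify_answers: reads "<name> <ttl> IN <type> <rdata>" lines, i.e. the
# output of `dig +noall +answer`, on stdin. Prints "BAD <name> <type> <rdata>"
# for every NS record under the rogue domain and for every A record that is
# the defacement host or one of the rogue name servers. Exit status is 1 if
# anything was flagged, 0 if the answers look clean.
classify_answers() {
    awk -v sfx="$BAD_NS_SUFFIX" -v bad_a="$BAD_A" -v bad_ns="$BAD_NS_RANGE" '
        function endswith(s, t) {
            return length(s) >= length(t) && substr(s, length(s) - length(t) + 1) == t
        }
        NF >= 5 && $3 == "IN" && $4 == "NS" && endswith($5, sfx) {
            print "BAD", $1, "NS", $5; hit = 1; next
        }
        NF >= 5 && $3 == "IN" && $4 == "A" && ($5 == bad_a || $5 ~ ("^" bad_ns "$")) {
            print "BAD", $1, "A", $5; hit = 1; next
        }
        END { exit hit ? 1 : 0 }'
}

# check_resolver <resolver> <domain>...: ask one recursive resolver for the NS
# and A records it currently holds for each domain (a plain recursive query,
# no +trace, so a poisoned cache shows up) and flag bad answers.
check_resolver() {
    resolver=$1; shift
    for d in "$@"; do
        dig @"$resolver" +noall +answer +time=3 +tries=1 "$d" NS "$d" A 2>/dev/null || true
    done | classify_answers
}

# flush_cache <domain>...: drop cached answers on the local resolver so the
# corrected delegation is fetched. `rndc flush` empties a BIND cache;
# `unbound-control flush_zone` removes one name and everything below it.
flush_cache() {
    if command -v rndc >/dev/null 2>&1; then
        rndc flush
    fi
    if command -v unbound-control >/dev/null 2>&1; then
        for d in "$@"; do unbound-control flush_zone "$d"; done
    fi
}

# Usage (resolver addresses and domains are the caller's choice):
#   for r in 205.171.3.65 208.67.222.222; do
#       echo "== $r"
#       check_resolver "$r" ups.com theregister.co.uk acer.com || echo "poisoned: $r"
#   done
#   flush_cache ups.com theregister.co.uk acer.com   # on your own BIND/Unbound host
```

Because the script queries the resolver normally rather than walking the delegation with +trace, a hit tells you that this particular cache still holds the hijacked records even after the registrar side has been fixed, which is exactly the case the second update warns about; re-run it after flushing to confirm the cache has picked up the correct NS set.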

Here are a few examples of the sites so far:

ups.com
theregister.co.uk
acer.com
telegraph.co.uk
betfair.com
vodafone.com
nationalgeographic.com

The one commonality is that they all appear to be registered via ascio.com.

More details as we learn more.


UPDATE: This IP (68.68.20.116) is hosted by BlueMile. We have contacted them; they are aware of the situation and working on it.


Comments

As of 5:25 pm CDT, CenturyLink/Qwest DNS servers 205.171.3.65 and 205.171.2.65 appear to be poisoned for ups.com, theregister.co.uk, acer.com = 68.68.20.BAD.
My machines using OpenDNS are seeing the proper addresses.
posted by Paul, Sun Sep 04 2011, 22:26
At 1536 Pacific, Time Warner was also showing the 68.68.20.BAD for UPS and National Geographic
posted by Ryan, Sun Sep 04 2011, 22:38
Perhaps this will provide a little DNSSEC motivation.
posted by Dshield, Mon Sep 05 2011, 01:28
how would DNSSEC help? If your Registrar is hacked, what does DNSSEC have to do with it? That's all about validating records - but if the bad guys actually own the "true" records, they can do what they want can't they?
posted by Jason, Mon Sep 05 2011, 02:30
Ok, seems to be a little confusion here.

I don't think the OP was suggesting the registry was hacked, as otherwise nobody would have 'good' records.

Consequently, DNSSEC would help this problem, as that's its primary function.
posted by Dom De Vitto, Mon Sep 05 2011, 06:32
Any chance they messed with:
Classicplatforms dot com?

I cannot get to them,
That's not normal.
posted by Ol'Bud, Mon Sep 05 2011, 06:45
Please Never Mind the previous Comment;
I got to Classicplatforms
posted by Ol'Bud, Mon Sep 05 2011, 08:27
The Register now writes that NetNames was actually hacked, http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/

"It appears that the turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS (ns1.yumurtakabugu.com and ns2.yumurtakabugu.com) and redirect those websites to a defaced page."
posted by Alex, Mon Sep 05 2011, 08:31
