


Baidu defaced - Domain Registrar Tampering

Published: 2010-01-12
Last Updated: 2010-01-12 16:55:59 UTC
by Johannes Ullrich (Version: 1)

The Chinese search engine Baidu was briefly defaced earlier today. The replacement page was identical to the defacement in a recent twitter.com hack.

It appears that, as in the Twitter case, the attacker did not attack the site itself but instead changed the site's domain registration. This kind of attack is not new, but it is still quite successful. To defend against it, companies should review their domain name registration policies and how the registrar credentials are handled. Changes to the registration are typically infrequent. Beyond the registration itself, DNS has also been tampered with by stealing credentials for the admin interfaces of DNS hosting services and for internal DNS administration utilities.

It is also worthwhile to monitor DNS zones for changes by regularly polling ALL authoritative name servers.
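A small zone-drift monitor in the spirit of that advice, added here as an example rather than the handler's own tooling: it asks every authoritative server directly (via `dig`, assumed installed, with recursion disabled) for the apex record sets, compares each answer against a known-good baseline, and also flags servers that disagree with one another. Domain, server names and record values in the test data are constructed placeholders.

```python
import subprocess
import sys
from typing import Dict, List, Optional, Set

# Record sets worth watching at a zone apex: addresses, the delegation
# itself, and mail routing. A registrar/DNS hijack shows up in these.
WATCHED_TYPES = ("A", "AAAA", "NS", "MX")


def dig_short(name: str, rtype: str, server: Optional[str] = None) -> Set[str]:
    """Return one record set as a set of strings, using `dig +short`.
    With a server given, ask that server non-recursively (authoritative answer only)."""
    cmd = ["dig", "+short", "+time=3", name, rtype]
    if server:
        cmd[1:1] = ["@" + server, "+norecurse"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return {line.strip().rstrip(".") for line in out.splitlines() if line.strip()}


def snapshot(domain: str, servers: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Poll ALL listed authoritative servers for every watched record type."""
    return {srv: {rt: dig_short(domain, rt, srv) for rt in WATCHED_TYPES} for srv in servers}


def diff_zone(baseline: Dict[str, Set[str]],
              observed: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Findings: per-server drift from the baseline, plus any record type on which
    the authoritative servers disagree (one tampered server among several)."""
    findings = []
    for srv, rrsets in observed.items():
        for rt, values in rrsets.items():
            expected = baseline.get(rt, set())
            if values != expected:
                findings.append(f"{srv}: {rt} drift, expected {sorted(expected)}, got {sorted(values)}")
    for rt in WATCHED_TYPES:
        answers = {frozenset(rrsets.get(rt, set())) for rrsets in observed.values()}
        if len(answers) > 1:
            findings.append(f"{rt}: authoritative servers disagree with each other")
    return findings


if __name__ == "__main__":
    # Usage: python zonewatch.py example.com  (baseline is taken from ns1 on first run
    # in this demo; in practice store it from a known-good state and keep it fixed)
    domain = sys.argv[1]
    servers = sorted(dig_short(domain, "NS"))          # delegation as seen by the resolver
    current = snapshot(domain, servers)
    baseline = current[servers[0]]
    for line in diff_zone(baseline, current) or ["no drift, all servers agree"]:
        print(line)
```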

[1] http://www.washingtonpost.com/wp-dyn/content/article/2010/01/12/AR2010011200468.html

Update: More details can be found here: http://garwarner.blogspot.com/2010/01/iranian-cyber-army-returns-target.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
