
SANS ISC InfoSec Handlers Diary Blog



Secunia's DNS/domain hijacked?

Published: 2010-11-25
Last Updated: 2010-11-25 08:57:08 UTC
by Bojan Zdrnja (Version: 1)
4 comment(s)

We received quite a few reports of people saying that Secunia’s web site has been defaced. And indeed, when I visit Secunia’s web site from my machine (located in Europe), I see a defaced web site as below:

Secunia's defacement

However, after double checking it appears that their DNS records have been modified. The “defaced” web site is located (for me) at the following IP address:

$ host www.secunia.com
www.secunia.com is an alias for secunia.com.
secunia.com has address 81.95.49.32
secunia.com mail is handled by 0 secunia.com.

Checking my passive DNS system, I can see that previously www.secunia.com was at 213.150.41.226.

And, as suspected, after checking manually we can see that Secunia’s original web site is still there:

$ telnet 213.150.41.226 80
Trying 213.150.41.226...
Connected to secunia.com (213.150.41.226).
Escape character is '^]'.
GET / HTTP/1.0
Host: secunia.com

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 08:46:29 GMT
Server: Apache
...
        <meta name="Title" content="Secunia.com">
                <link rel="stylesheet" type="text/css" href="/css/secunia.css">

Checking WHOIS entries will show more, but this "defacement" again shows how DNS is a critical resource.
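The check above boils down to two steps: compare what DNS answers now against what passive DNS recorded before, then connect to the old address directly (bypassing DNS) and send a Host header so the virtual host answers. The script below, an added example rather than anything from the diary, does both; the baseline addresses are the ones quoted above, and the sample HTTP response is constructed to mirror the telnet session.

```python
import re
import socket
from typing import Iterable

# Constructed baseline: the address passive DNS had for the name before the change
# (taken from the diary; a real check would load this from your own passive DNS records).
PASSIVE_DNS_BASELINE = {"www.secunia.com": {"213.150.41.226"}}

def dns_drift(hostname: str, observed: Iterable[str], baseline: dict) -> set:
    """Return the currently observed addresses that the baseline has never seen for this name."""
    return set(observed) - baseline.get(hostname, set())

def build_probe(host_header: str) -> bytes:
    """Raw HTTP/1.0 request exactly as typed into telnet above: the Host header lets a
    shared web server choose the right virtual host even though we connect by IP."""
    return f"GET / HTTP/1.0\r\nHost: {host_header}\r\n\r\n".encode()

def parse_probe_response(raw: bytes) -> dict:
    """Extract the status line and the <meta name="Title"> value so two origins can be compared."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].decode(errors="replace")
    m = re.search(rb'<meta\s+name="Title"\s+content="([^"]*)"', body, re.I)
    return {"status": status, "title": m.group(1).decode() if m else None}

def probe_origin(ip: str, host_header: str, timeout: float = 5.0) -> dict:
    """Connect straight to an IP, skipping DNS entirely, and fetch / with the given Host header."""
    with socket.create_connection((ip, 80), timeout=timeout) as s:
        s.sendall(build_probe(host_header))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_probe_response(b"".join(chunks))

# Constructed response mirroring the diary's telnet output, so the parsing runs offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nDate: Thu, 25 Nov 2010 08:46:29 GMT\r\nServer: Apache\r\n\r\n"
    b'<html><head>\n        <meta name="Title" content="Secunia.com">\n</head></html>'
)

if __name__ == "__main__":
    # Step 1: the address the diary saw DNS return versus the passive DNS baseline.
    print("unexpected addresses:", dns_drift("www.secunia.com", {"81.95.49.32"}, PASSIVE_DNS_BASELINE))
    # Step 2: what the old address answers (parsed from the constructed sample here;
    # call probe_origin("213.150.41.226", "secunia.com") for a live check).
    print(parse_probe_response(SAMPLE_RESPONSE))
```

A non-empty set from dns_drift is the signal to stop trusting the resolver and go to WHOIS and the registrar, as the diary suggests.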

--
Bojan
INFIGO IS

Keywords: dns hijack secunia