Several Sites Defaced

Published: 2011-09-04
Last Updated: 2011-09-05 08:40:22 UTC
by Lorna Hutcheson (Version: 4)
8 comment(s)

3rd Update: Update with more details of the incident from The Register itself: (thanks Alex)

2nd Update: The root problem appears to be mitigated now. However, many DNS servers now have bad results cached. Please flush the cache of your recursive DNS servers.

Host names and IP addresses to watch: or or or or

IP Address used as A record for affected domains:

In particular IP addresses may change at any time. Please keep watching them and remove from blocklist as appropriate.


There have been several widespread defacements reported to us today.  It appears their DNS name server entries all point to the same thing as seen below:  85621 IN NS  85621 IN NS  85621 IN NS  85621 IN NS

Here are a few examples of the sites so far:

The one commonality is they all appear to be all registered via

More details as we learn more.


UPDATE:  This IP is hosted by BlueMile.  We have contacted them and they are aware of the situation and working on it.

8 comment(s)


As of 5:25 pm CDT, CenturyLink/Qwest DNS servers and appear to be poisoned for,, = 68.68.20.BAD.
My machines using OpenDNS are seeing the proper addresses.
At 1536 Pacific, Time Warner was also showing the 68.68.20.BAD for UPS and National Geographic
Perhaps this will provide a little DNSSEC motivation.
how would DNSSEC help? If your Registrar is hacked, what does DNSSEC have to do with it? That's all about validating records - but if the bad guys actually own the "true" records, they can do what they want can't they?
Ok, sems to be a little confusion here.

I don't think the OP was suggesting the registry was hacked, as otherwise nobody would have 'good' records.

Consequently, DNSSEC would help this problem, as that's it's primary function.
Any chance they messed with:
Classicplatforms dot com?

I cannot get to them,
That's not normal.
Please Never Mind the previous Comment;
I got to Classicplatforms
The Register now writes that NatNames was actually hacked,

"It appears that the turk­ish attack­ers man­aged to hack into the DNS panel of Net­Names using a SQL injec­tion and mod­ify the con­fig­u­ra­tion of arbi­trary sites, to use their own DNS (ns1​.yumur​tak​abugu​.com and ns2​.yumur​tak​abugu​.com) and redi­rect those web­sites to a defaced page."

Diary Archives