Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Secunia's DNS/domain hijacked?

Published: 2010-11-25
Last Updated: 2010-11-25 08:57:08 UTC
by Bojan Zdrnja (Version: 1)
4 comment(s)

We received quite a bit of reports of people saying that Secunia’s web site has been defaced. And indeed, when I visit Secunia’s web site from my machine (located in Europe), I see a defaced web site as below:

Secunia's defacement

However, after double checking it appears that their DNS records have been modified. The “defaced” web site is located (for me) at the following IP address:

$ host is an alias for has address mail is handled by 0

Checking my passive DNS system, I can see that previously was at

And, as suspected, after checking manually we can see that the original Secunia’s web site is still there:

$ telnet 80
Connected to (
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 25 Nov 2010 08:46:29 GMT
Server: Apache
        <meta name="Title" content="">
                <link rel="stylesheet" type="text/css" href="/css/secunia.css">

Checking WHOIS entries will show more, but this "defacement" again shows how DNS is a critical resource.


Keywords: dns hijack secunia
4 comment(s)
Diary Archives