Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Community Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
NY Times DNS Compromised
Quoting Diary:

The website for the New York Times was taken offline today by way of an attack on their DNS.  Shown below is the summary Dr. J whipped up:

The normal NYTimes.com name servers are

;; AUTHORITY SECTION:
nytimes.com.            172800  IN      NS      dns.ewr1.nytimes.com.
nytimes.com.            172800  IN      NS      dns.sea1.nytimes.com.

but one .com name server still answers with:

;; AUTHORITY SECTION:
nytimes.com.            172800  IN      NS      ns27.boxsecured.com.
nytimes.com.            172800  IN      NS      ns28.boxsecured.com.

;; ADDITIONAL SECTION:
ns27.boxsecured.com.    172800  IN      A       212.1.211.126
ns28.boxsecured.com.    172800  IN      A       212.1.211.141

and returns an IP in that subnet

nytimes.com.
212.1.211.121

Connecting to this server results in:

HTTP/1.1 200 OK
Date: Tue, 27 Aug 2013 20:55:33 GMT
Server: Apache
X-Powered-By: PHP/5.3.26
Content-Length: 14
Content-Type: text/html

Hacked by SEA
Connection closed by foreign host

tony

125 Posts
ISC Handler
It appears that twimg.com may also have been redirected...
Anonymous

2 Posts
# whois nytimes.com

2 entries?

# whois '=nytimes.com'

Server Name: NYTIMES.COM
IP Address: 141.105.64.37
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com

Domain Name: NYTIMES.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: DNS.EWR1.NYTIMES.COM
Name Server: DNS.SEA1.NYTIMES.COM
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 27-aug-2013
Creation Date: 18-jan-1994
Expiration Date: 19-jan-2014

Hum...

# whois -h whois.melbourneit.com NYTIMES.COM
(also http://www.melbourneit.com.au/cc/whois/search )

Domain Name.......... nytimes.com
Creation Date........ 1994-01-18
Registration Date.... 2011-08-31
Expiry Date.......... 2014-01-20
Organisation Name.... SEA
Organisation Address. 620 8th Avenue
Organisation Address.
Organisation Address.
Organisation Address. New York
Organisation Address. 10018
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... SEA SEA
Admin Address........ SEA
Admin Address........ 620 8th Avenue
Admin Address........
Admin Address. Syria
Admin Address........ 10018
Admin Address........ SY
Admin Address........ SYRIAN ARAB REPUBLIC
Admin Email.......... sea@sea.sy
Admin Phone.......... +1.2125561234
Admin Fax............

Tech Name............ NEW YORK TIMES DIGITAL
Tech Address......... 229 West 43d Street
Tech Address.........
Tech Address.........
Tech Address......... New York
Tech Address......... 10036
Tech Address......... NY
Tech Address......... UNITED STATES
Tech Email........... hostmaster@NYTIMES.COM
Tech Phone........... +1.2125561234
Tech Fax............. +1.1231231234
Name Server.......... ns27.boxsecured.com
Name Server.......... ns28.boxsecured.com

And yet on netsol.com (might be cached)

Domain Name.......... nytimes.com
Creation Date........ 1994-01-18
Registration Date.... 2011-08-31
Expiry Date.......... 2014-01-20
Organisation Name.... New York Times Digital
Organisation Address. 620 8th Avenue
Organisation Address.
Organisation Address.
Organisation Address. New York
Organisation Address. 10018
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Ellen Herb
Admin Address........ NEW YORK TIMES DIGITAL
Admin Address........ 620 8th Avenue
Admin Address........
Admin Address. NEW YORK
Admin Address........ 10018
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... hostmaster@nytimes.com
Admin Phone.......... +1.2125561234
Admin Fax............

Tech Name............ NEW YORK TIMES DIGITAL
Tech Address......... 229 West 43d Street
Tech Address.........
Tech Address.........
Tech Address......... New York
Tech Address......... 10036
Tech Address......... NY
Tech Address......... UNITED STATES
Tech Email........... hostmaster@NYTIMES.COM
Tech Phone........... +1.2125561234
Tech Fax............. +1.1231231234
Name Server.......... dns.sea1.nytimes.com
Name Server.......... dns.ewr1.nytimes.com

Now who got hacked =D
Anonymous

4 Posts
Strange, but looks like maybe the top-level nytimes.com domain has been registered as someone else's 'nameserver address' and was serving up the glue record to resolvers that accept this. Maybe something at Melbourne IT was not properly checking that a given nameserver address is within the correct domain. Some sort of AJAX handler would be my first guess.
Steven C.

164 Posts

Sign Up for Free or Log In to start participating in the conversation!