SANS ISC: DNS hijack

DNS for the Malaysian copy of Google ( was apparently hijacked. Right now, the hostnames and point to a host in Canada ( 

(Thanks to Alex for capturing the screenshot; my system would no longer connect to the IP address.) The NS records also point to servers that do not appear to be genuine. Before, the NS records pointed to and, which are also authoritative for Now they point to and .

The whois information does not show this to be a Google domain, but it did not change recently, and the site used to host a copy of Google's homepage according to It is quite possible that Google uses a third party to operate part of its Malaysia site.

Update (via Twitter from @TheBackpackr): " We're the official co managing the domain for @GoogleMsia. We are liaising with MYNIC on the DNS change."

The same group behind this attack also claims to have recently compromised other Google country-level sites (Burundi and Kenya).


If you haven't yet: start monitoring your DNS data! Here is a minimal script to do so (just run it from cron):



#!/bin/sh
# Placeholders: set DOMAIN to the zone you watch and TLD to its parent zone
# (these assignments are not preserved on the page; values are yours to fill in).
DOMAIN='your domain'
TLD='parent zone of your domain'
ADMIN='your email';

# ask one of the parent zone's servers for the delegation NS records of DOMAIN
ns=`dig +short NS $TLD  | tail -1`
# scratch file holding the current NS set
dig  NS $DOMAIN @$ns  | grep 'IN\tNS' | grep -v '^;' | sort > .$
if [ -f .$DOMAIN.old ]; then
   # alert when the NS set differs from the previous run
   if ! cmp -s .$DOMAIN.old .$; then
       cat .$ | mail -s "Possible $DOMAIN hijack" $ADMIN
       echo possible $DOMAIN hijack
   fi
fi
# keep the current set as the baseline for the next run
mv .$ .$DOMAIN.old


(and please change the variable at the top ;-) )

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter


3245 Posts
ISC Handler
I had to change the line

dig NS $DOMAIN @$ns | grep 'IN\tNS' | grep -v '^;' | sort > .$

to

dig NS $DOMAIN @$ns | grep -P 'IN\tNS' | grep -v '^;' | sort > .$

before I got any output.

93 Posts
Hm, worked for me as above. What OS? (I ran my code on OS X.) Maybe a different version of grep?

3245 Posts
ISC Handler
On Red Hat the '-P' is needed because you used a Perl regular expression.
I had to change

dig NS $DOMAIN @$ns | grep 'IN\tNS' | grep -v '^;' | sort > .$

to

dig NS $DOMAIN | grep -P 'IN\tNS' | grep -v '^;' | sort > .$

to get it to work on a Debian-based distro; DiG 9.8.4-rpz2+rl005.12-P1

6 Posts
Also, some results are going to differ due to the DNS provider (Cloudflare, for example) or dig itself, so it could be worthwhile to cut the expected field so that only the nameserver hostname itself is compared.

6 Posts
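The following is an added example, not the diary's script or any commenter's code. It reworks the monitor along the lines the thread discusses: the record lines are parsed with awk instead of grep 'IN\tNS' (so the -P difference between OS X and Linux grep does not matter), and only the nameserver hostname field is compared, lowercased, without the trailing dot and sorted, so TTL, ordering and case differences do not raise a false alarm. The domain example.test, the mail address, the dot-file names and the sample dig output are constructed placeholders; query_ns assumes dig is installed and has network access, and is only called when a domain is given on the command line.

```shell
#!/bin/sh
# Added example (not the diary's own script): a portable NS-delegation monitor.
# Parsing is done with awk rather than grep so it behaves the same on OS X,
# Red Hat and Debian, and only the NS target hostnames are compared.

# Normalise dig output (read from stdin) to one NS hostname per line.
# Comment lines start with ';'; answer records read "name ttl IN NS target".
extract_ns() {
    awk '!/^;/ && $3 == "IN" && $4 == "NS" { sub(/\.$/, "", $5); print tolower($5) }' \
        | sort -u
}

# Ask one of the parent zone's servers for the delegation NS records of $1
# and print the normalised set. Assumes dig is installed (not run in tests).
query_ns() {
    domain=$1
    parent=${domain#*.}
    ns=$(dig +short NS "$parent" | head -1)
    dig NS "$domain" "@$ns" | extract_ns
}

# Compare the NS set on stdin with the baseline file $1.
# First run: store the baseline and return 0. Unchanged: return 0.
# Changed: print a diff, adopt the new set as the baseline, return 1.
check_against_baseline() {
    baseline=$1
    current=$(mktemp)
    cat > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        return 0
    fi
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    diff "$baseline" "$current" || true
    mv "$current" "$baseline"
    return 1
}

# Constructed sample of a dig answer section (not real data): mixed case,
# out of order, tab separated, with a non-NS record mixed in.
SAMPLE_DIG_OUTPUT=$(printf '; <<>> DiG <<>> NS example.test\n;; ANSWER SECTION:\nexample.test.\t\t86400\tIN\tNS\tNS2.example.test.\nexample.test.\t\t86400\tIN\tNS\tns1.example.test.\nexample.test.\t\t86400\tIN\tA\t192.0.2.1\n')

# Cron usage: ./nsmon.sh example.test admin@example.test (placeholder values).
# Without arguments the script only runs the parser over the constructed sample.
if [ -n "${1:-}" ]; then
    domain=$1; admin=${2:-root}
    if ! query_ns "$domain" | check_against_baseline ".$domain.ns" > ".$domain.diff"; then
        mail -s "Possible $domain NS change" "$admin" < ".$domain.diff"
        echo "possible $domain hijack"
    fi
else
    printf '%s\n' "$SAMPLE_DIG_OUTPUT" | extract_ns
fi
```

Because the baseline is replaced whenever a change is detected, a hijack produces one alert rather than one per cron run; the diff file keeps the before and after sets for the incident record.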
