Feeds

DNS hijack hits The Register: All well

NetNames statement

  • alert
  • submit to reddit

Update On early Sunday evening, UK time, The DNS records of many websites, including those of The Register and The Telegraph, were hijacked and redirected to a third party webpage controlled by Turkish hackers.

The Register's website was not breached. And as far as we can tell there was no attempt to penetrate our systems. But we shut down access / services - in other words, anything that requires a password - as a precaution. These are now restored.

Our DNS records were restored to normal after three hours or so. If you still see a defaced page, turning your equipment on and off again may help: there are DNS caches in your browser, OS, routers and at your ISP. Any of these could contain dodgy info.

While we were figuring what was going on, we tried to keep readers informed via our official Twitter account at http://twitter.com/#!/regvulture.

If you're interested, Sophos has a screen grab and explanation of how a DNS hijack works here.

Our provider NetNames has yet to tell us what happened. So we will refer you to zone-h's report.

It appears that the turk­ish attack­ers man­aged to hack into the DNS panel of Net­Names using a SQL injec­tion and mod­ify the con­fig­u­ra­tion of arbi­trary sites, to use their own DNS (ns1​.yumur​tak​abugu​.com and ns2​.yumur​tak​abugu​.com) and redi­rect those web­sites to a defaced page.

The Guardian's Charles Arthur has an interview with the hackers here.

Update

So we were one of a very small number of domains that were redirected, according to an "initial statement" from NetNames, reproduced in full below. To say we are not pleased is an understatement.

At approximately 2100BST on Sunday 4 September 2011 a very small number of customer domains were redirected to an unauthorised domain name server (DNS server). This was done by placing unauthorised re-delegation orders through to the registries via our provisioning system. These orders updated the address of the master DNS servers responsible for serving data for these domains. The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded TurkGuvenligi. The unauthorised orders were added by using a SQL injection attack to gain access to a number of our customer accounts.

The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks we will continue to review our systems to ensure that we provide our customers a solid, robust and above all secure service.

Bootnote

If you or your friends work at an ISP, do us a favour and update your DNS records. Thanks. ®

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.