DNS hijack hits The Register: All well
Update On early Sunday evening, UK time, The DNS records of many websites, including those of The Register and The Telegraph, were hijacked and redirected to a third party webpage controlled by Turkish hackers.
The Register's website was not breached. And as far as we can tell there was no attempt to penetrate our systems. But we shut down access / services - in other words, anything that requires a password - as a precaution. These are now restored.
Our DNS records were restored to normal after three hours or so. If you still see a defaced page, turning your equipment on and off again may help: there are DNS caches in your browser, OS, routers and at your ISP. Any of these could contain dodgy info.
While we were figuring what was going on, we tried to keep readers informed via our official Twitter account at http://twitter.com/#!/regvulture.
If you're interested, Sophos has a screen grab and explanation of how a DNS hijack works here.
Our provider NetNames has yet to tell us what happened. So we will refer you to zone-h's report.
It appears that the turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS (ns1.yumurtakabugu.com and ns2.yumurtakabugu.com) and redirect those websites to a defaced page.
The Guardian's Charles Arthur has an interview with the hackers here.
So we were one of a very small number of domains that were redirected, according to an "initial statement" from NetNames, reproduced in full below. To say we are not pleased is an understatement.
At approximately 2100BST on Sunday 4 September 2011 a very small number of customer domains were redirected to an unauthorised domain name server (DNS server). This was done by placing unauthorised re-delegation orders through to the registries via our provisioning system. These orders updated the address of the master DNS servers responsible for serving data for these domains. The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded TurkGuvenligi. The unauthorised orders were added by using a SQL injection attack to gain access to a number of our customer accounts.
The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks we will continue to review our systems to ensure that we provide our customers a solid, robust and above all secure service.
If you or your friends work at an ISP, do us a favour and update your DNS records. Thanks. ®