
September 5, 2011

Turkish hacking group hijacks DNS of UPS, The Register and others


A number of high-profile websites were compromised yesterday by a DNS hijack. Among them are The Register, one of the largest British news sites, the Telegraph and UPS.com; visitors to these sites were redirected to third-party web pages.

Paul Mutton, a web security tester, managed to get a screenshot of what visitors to The Register saw:

[Screenshot: the page shown to visitors of The Register during the hijack]
Part of the message reads:

TurkGuvengligi

"Gel Babana"

HACKED

"h4ck1n9 is not a cr1m3"

"4 Sept. We TurkGuvenligi declare this day as World Hackes Day - Have fun ;) h4ck y0u"

The phrase "Gel Babana" is Turkish for "Come to Papa", and "Guvenligi" is Turkish for "Security".

Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.

It's important to note that the websites themselves have *not* been hacked, although to web visitors there is little difference in what they experience: a web page under the control of the attackers.

Instead of breaching the websites themselves, the attackers managed to change the DNS records for the affected domains.

The affected domains' name server (NS) records, which say which servers are authoritative for translating a site's name into an Internet address, were changed to ns1.yumurtakabugu.com and ns2.yumurtakabugu.com. Whoever controls those two servers can answer any query for the domain with whatever addresses they choose.

The Register tweeted "A DNS hijack, we think [...]. We have shut down access / services as a precaution."

Because DNS resolvers cache what they learn until a record's time-to-live (TTL) expires, these changes are still propagating through the global DNS, and those attempting to reach the original sites may see disruption for between three and 24 hours. Whether and when a given ISP's resolver picked up the rogue name servers, and when it picks up the subsequent legitimate correction, depends on what it had cached and for how long.
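One check a site operator would want during an incident like this is whether the NS delegation a resolver hands out for their domain still matches the name servers they actually run, and how long a rogue answer can stay cached. The following is an added example, not code from the original article or from any of the affected sites: it builds a DNS NS query in wire format, parses the reply (including RFC 1035 name compression) and compares the observed name servers with the expected set. The domain example.test, the name servers ns1/ns2.example.test and ns1/ns2.rogue.example, and the embedded response bytes are all constructed for the demo; in the real incident the rogue servers were ns1.yumurtakabugu.com and ns2.yumurtakabugu.com.

```python
import socket
import struct

TYPE_NS = 2
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                     # the name occupies 2 bytes at this position
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def build_query(name, txid=0x1234):
    """Standard NS query with the RD (recursion desired) flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_NS, CLASS_IN)


def build_ns_response(name, nameservers, ttl, txid=0x1234):
    """Construct a reply as a resolver would send it (used only to make offline sample input)."""
    msg = struct.pack(">HHHHHH", txid, 0x8180, 1, len(nameservers), 0, 0)
    msg += encode_name(name) + struct.pack(">HH", TYPE_NS, CLASS_IN)
    for ns in nameservers:
        rdata = encode_name(ns)
        # owner name is a pointer (0xC00C) back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_NS, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


def parse_ns_records(msg):
    """Return (rcode, [(owner, ttl, nameserver), ...]) from a DNS response."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            target, _ = read_name(msg, off)
            records.append((owner, ttl, target))
        off += rdlen
    return flags & 0xF, records


def check_delegation(response, expected):
    """Compare observed NS targets with the expected set; any extra server means a hijack."""
    rcode, records = parse_ns_records(response)
    observed = {t for _, _, t in records}
    wanted = {e.rstrip(".").lower() for e in expected}
    return {
        "rcode": rcode,
        "observed": sorted(observed),
        "unexpected": sorted(observed - wanted),
        "missing": sorted(wanted - observed),
        # largest TTL seen: a resolver that cached the rogue answer may serve it this long
        "max_ttl": max((ttl for _, ttl, _ in records), default=0),
        "hijacked": bool(observed - wanted),
    }


def query_ns(name, resolver="8.8.8.8", timeout=3.0):
    """Live UDP lookup (network access; not used by the offline demo)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


EXPECTED = ["ns1.example.test", "ns2.example.test"]
# Constructed samples: what a resolver returns while it holds the rogue delegation, and after the fix.
SAMPLE_HIJACKED = build_ns_response("example.test", ["ns1.rogue.example", "ns2.rogue.example"], ttl=172800)
SAMPLE_OK = build_ns_response("example.test", EXPECTED, ttl=172800)

if __name__ == "__main__":
    for label, sample in (("hijacked", SAMPLE_HIJACKED), ("restored", SAMPLE_OK)):
        print(label, check_delegation(sample, EXPECTED))
```

Run query_ns() against several public and ISP resolvers to see which of them still hand out the rogue servers after the registrar has corrected the delegation; querying the parent TLD's authoritative servers directly shows what the registry itself is currently publishing. The max_ttl value tells you the worst case for how long a resolver that cached the rogue answer can keep serving it.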

Those who are registered with the sites and normally expect to be automatically logged in should clear their browser cookies before attempting to access them: a browser sends a site's cookies to whichever server the site's name currently resolves to, so authentication information may be delivered to the attackers' server. Email to the sites may also be disrupted or intercepted, since the mail routing (MX) records for the domains are answered by the same hijacked name servers.

UPDATE: Three hours after the attack, both The Daily Telegraph and The Register have had their proper name server entries restored, but as I said earlier it will take some time for the correct information to replace the diversions across the global DNS.

We will publish more information as it becomes available. If you prefer, follow me at @prohackingtricks on Twitter for the latest news.