There have been several widespread defacements reported to us today. It appears their DNS name server entries all point to the same thing, as seen below:

ups.com. 85621 IN NS ns1.yumurtakabugu.com.

Here are a few examples of the sites so far: ups.com

The one commonality is that they all appear to be registered via ascio.com. More details as we learn more.
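Two checks follow from the diary's NS line and from the later comment comparing CenturyLink and OpenDNS answers: flag any NS delegation that points at nameservers you do not run, and compare the A answers several recursive resolvers give for the same name so that a resolver handing out a hijack address stands out. The script below is an added example, not code from the diary or its commenters; it uses only the standard library, queries nothing live, and the resolver answers, the `ALLOWED_NS` allow-list and the RFC 5737 documentation addresses are constructed sample data shaped like the incident described here.

```python
"""Added example: rogue-NS check and cross-resolver answer comparison.

Nothing is queried live; the sample answers below are constructed data
shaped like the incident in the ISC thread.
"""
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Tuple

RR = Tuple[str, int, str, str, str]  # owner, ttl, class, type, rdata


def parse_rr(line: str) -> RR:
    """Parse one presentation-format record such as the NS line the diary
    quotes ('ups.com. 85621 IN NS ns1.yumurtakabugu.com.'). Owner and rdata
    are normalised to lowercase with the trailing dot removed."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    owner, ttl, rrclass, rrtype, rdata = fields
    return (owner.rstrip(".").lower(), int(ttl), rrclass.upper(),
            rrtype.upper(), rdata.rstrip(".").lower())


def unexpected_nameservers(records: List[str], allowed_ns: FrozenSet[str]) -> List[str]:
    """Return every NS target in `records` that is not in the allow-list of
    nameservers the zone owner actually operates. Non-NS records are ignored."""
    flagged = []
    for line in records:
        _owner, _ttl, _cls, rrtype, rdata = parse_rr(line)
        if rrtype == "NS" and rdata not in allowed_ns:
            flagged.append(rdata)
    return flagged


def divergent_resolvers(answers: Dict[str, FrozenSet[str]],
                        expected: Optional[FrozenSet[str]] = None) -> Dict[str, FrozenSet[str]]:
    """Map resolver -> answer set for every resolver whose A answers differ
    from `expected`. Without an explicit `expected`, the most common answer
    set is the baseline; that heuristic picks the wrong side when most of
    the queried resolvers are poisoned (the sample data shows this), so pass
    the known-good set whenever you have one."""
    if expected is None:
        expected = Counter(answers.values()).most_common(1)[0][0]
    return {resolver: got for resolver, got in answers.items() if got != expected}


# Constructed sample data. 205.171.3.65 and 205.171.2.65 are the resolvers
# named in the comments; 208.67.222.222 is a public OpenDNS resolver. The
# answer addresses come from RFC 5737 documentation ranges and stand in for
# the real legitimate and hijack addresses.
LEGIT_A = frozenset({"203.0.113.10"})
HIJACK_A = frozenset({"198.51.100.7"})
SAMPLE_A_ANSWERS: Dict[str, FrozenSet[str]] = {
    "205.171.3.65": HIJACK_A,    # ISP resolver 1, poisoned in the sample
    "205.171.2.65": HIJACK_A,    # ISP resolver 2, poisoned in the sample
    "208.67.222.222": LEGIT_A,   # OpenDNS, correct in the sample
}

# ns1 line as quoted in the diary; the ns2 line is constructed from the
# second nameserver named in The Register quote, reusing the same TTL.
SAMPLE_NS_RECORDS = [
    "ups.com. 85621 IN NS ns1.yumurtakabugu.com.",
    "ups.com. 85621 IN NS ns2.yumurtakabugu.com.",
]
# Hypothetical allow-list; a real one holds the nameservers you actually run.
ALLOWED_NS = frozenset({"ns1.example-corp.test", "ns2.example-corp.test"})


def report() -> Dict[str, object]:
    """Run both checks over the sample data and return the findings."""
    return {
        "rogue_ns": unexpected_nameservers(SAMPLE_NS_RECORDS, ALLOWED_NS),
        "poisoned_with_known_good": sorted(divergent_resolvers(SAMPLE_A_ANSWERS, LEGIT_A)),
        "poisoned_by_majority_vote": sorted(divergent_resolvers(SAMPLE_A_ANSWERS)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With real data, each resolver's answer set would come from querying it directly (for example `dig @205.171.3.65 ups.com A +short`, one resolver at a time) and the NS lines from a query for the zone's NS records; the majority-vote result in the sample shows why a known-good baseline beats voting when the resolvers you happen to query are mostly the poisoned ones.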
Lorna, 165 Posts, ISC Handler, Sep 4th 2011
Sep 4th 2011
As of 5:25 pm CDT, CenturyLink/Qwest DNS servers 205.171.3.65 and 205.171.2.65 appear to be poisoned for ups.com, theregister.co.uk, acer.com = 68.68.20.BAD.
My machines using OpenDNS are seeing the proper addresses.
Paul, 44 Posts
Sep 4th 2011
At 1536 Pacific, Time Warner was also showing the 68.68.20.BAD for UPS and National Geographic
Ryan, 4 Posts
Sep 4th 2011
Perhaps this will provide a little DNSSEC motivation.
Dshield, 10 Posts
Sep 5th 2011
How would DNSSEC help? If your registrar is hacked, what does DNSSEC have to do with it? That's all about validating records - but if the bad guys actually own the "true" records, they can do what they want, can't they?
Jason, 4 Posts
Sep 5th 2011
OK, seems to be a little confusion here.
I don't think the OP was suggesting the registry was hacked, as otherwise nobody would have 'good' records. Consequently, DNSSEC would help this problem, as that's its primary function.
DomMcIntyreDeVitto, 45 Posts
Sep 5th 2011
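The exchange above turns on one detail: whether the DS record the parent zone publishes for the delegation still belongs to the legitimate key. The following is an added example, not code from any commenter; it computes the DS digest the way RFC 4034 section 5.1.4 defines it (SHA-256 digest type, RFC 4509) and runs two constructed scenarios: the NS delegation changed with the DS left intact, and the DS replaced as well. The key bytes, the attacker key and the scenario functions are assumptions made for illustration, "ups.com" is used only as an owner name, and RRSIG verification is not modelled.

```python
"""Added example: the DS/DNSKEY link a validating resolver checks at a
delegation, with two constructed scenarios. Key bytes are placeholders."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire-format name: lowercase, length-prefixed labels,
    terminated by a zero byte."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").lower().split("."))
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum used to pick which
    DNSKEY a DS or RRSIG refers to."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest (type 2) = SHA-256(owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def validate_delegation(parent_ds: bytes, owner: str, child_dnskey: bytes) -> str:
    """'secure' if the child's DNSKEY hashes to the DS the parent publishes,
    otherwise 'bogus' (a validating resolver answers SERVFAIL for bogus data)."""
    return "secure" if ds_digest(owner, child_dnskey) == parent_ds else "bogus"


# Constructed keys. Flags 257 marks a key-signing key; algorithm 8 is RSASHA256.
LEGIT_KSK = dnskey_rdata(257, 8, b"constructed-legitimate-ksk-bytes")
ATTACKER_KSK = dnskey_rdata(257, 8, b"constructed-attacker-ksk-bytes")
ZONE = "ups.com"  # the zone named in the diary, used here only as an owner name


def delegation_changed_ds_intact() -> str:
    """NS repointed at nameservers serving a different DNSKEY, while the
    parent still publishes the DS of the legitimate key."""
    parent_ds = ds_digest(ZONE, LEGIT_KSK)
    return validate_delegation(parent_ds, ZONE, ATTACKER_KSK)


def delegation_and_ds_replaced() -> str:
    """The DS at the parent was replaced too, which is possible when whoever
    controls the registrar account can edit the delegation's DS records."""
    parent_ds = ds_digest(ZONE, ATTACKER_KSK)
    return validate_delegation(parent_ds, ZONE, ATTACKER_KSK)


if __name__ == "__main__":
    print("NS changed, DS intact   :", delegation_changed_ds_intact())  # bogus
    print("NS and DS both replaced :", delegation_and_ds_replaced())    # secure
    print("legitimate key tag      :", key_tag(LEGIT_KSK))
```

The first scenario is the one DNSSEC catches: validating resolvers reject the hijacked zone's data because its DNSKEY does not match the DS in the parent. The second is the case where it does not help, because the attacker replaced the parent's DS along with the NS records.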
Any chance they messed with Classicplatforms dot com? I cannot get to them; that's not normal.
DomMcIntyreDeVitto, 20 Posts
Sep 5th 2011
Please never mind the previous comment; I got to Classicplatforms.
DomMcIntyreDeVitto, 20 Posts
Sep 5th 2011
The Register now writes that NetNames was actually hacked: http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/
"It appears that the Turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS (ns1.yumurtakabugu.com and ns2.yumurtakabugu.com) and redirect those websites to a defaced page."
Alex2k, 3 Posts
Sep 5th 2011