Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Several Sites Defaced SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Several Sites Defaced

There have been several widespread defacements reported to us today.  It appears their DNS name server entries all point to the same thing as seen below:

ups.com.  85621 IN NS ns1.yumurtakabugu.com.
ups.com.  85621 IN NS ns2.yumurtakabugu.com.
ups.com.  85621 IN NS ns4.yumurtakabugu.com.
ups.com.  85621 IN NS ns3.yumurtakabugu.com.
 

Here are a few examples of the sites so far:

ups.com
theregister.co.uk
acer.com
telegraph.co.uk
betfair.com

The one commonality is they all appear to be all registered via ascio.com

More details as we learn more.

 

 

 Lorna

165 Posts
ISC Handler
Sep 4th 2011
Thread locked Subscribe Sep 4th 2011
9 years ago
As of 5:25 pm CDT, CenturyLink/Qwest DNS servers 205.171.3.65 and 205.171.2.65 appear to be poisoned for ups.com, theregister.co.uk, acer.com = 68.68.20.BAD.
My machines using OpenDNS are seeing the proper addresses.
 Paul

44 Posts
Quote Sep 4th 2011
9 years ago
At 1536 Pacific, Time Warner was also showing the 68.68.20.BAD for UPS and National Geographic
 Ryan

4 Posts
Quote Sep 4th 2011
9 years ago
Perhaps this will provide a little DNSSEC motivation.
 Dshield

10 Posts
Quote Sep 5th 2011
9 years ago
how would DNSSEC help? If your Registrar is hacked, what does DNSSEC have to do with it? That's all about validating records - but if the bad guys actually own the "true" records, they can do what they want can't they?
 Jason

4 Posts
Quote Sep 5th 2011
9 years ago
Ok, sems to be a little confusion here.

I don't think the OP was suggesting the registry was hacked, as otherwise nobody would have 'good' records.

Consequently, DNSSEC would help this problem, as that's it's primary function.
 DomMcIntyreDeVitto

45 Posts
Quote Sep 5th 2011
9 years ago
Any chance they messed with:
Classicplatforms dot com?

I cannot get to them,
That's not normal.
 DomMcIntyreDeVitto
20 Posts
Quote Sep 5th 2011
9 years ago
Please Never Mind the previous Comment;
I got to Classicplatforms
 DomMcIntyreDeVitto
20 Posts
Quote Sep 5th 2011
9 years ago
The Register now writes that NatNames was actually hacked, http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/

"It appears that the turk­ish attack­ers man­aged to hack into the DNS panel of Net­Names using a SQL injec­tion and mod­ify the con­fig­u­ra­tion of arbi­trary sites, to use their own DNS (ns1​.yumur​tak​abugu​.com and ns2​.yumur​tak​abugu​.com) and redi­rect those web­sites to a defaced page."
 Alex2k

3 Posts
Quote Sep 5th 2011
9 years ago

Sign Up for Free or Log In to start participating in the conversation!