The Register Hacked (DNS Hijacked)


I can’t believe it.

I would never have thought that one of my favourite tech news sites could ever be hacked. Yet a few minutes ago I captured the following screenshot when browsing.

Come on guys, what is going on?

The Register Hacked

The Register Hacked

*Updated – 10:00pm 4th September 2011

After further investigation, it seems that The Register’s website was not hacked as such, but rather the DNS for that domain has been hijacked.

The bad A record IP appears to be 68.68.20.116 instead of 212.100.234.54 which is a rackspace server where the register is hosted.

If you go to all-nettools.com and do a nameserver lookup you’ll see the register has the following nameservers now:

theregister.co.uk. 86129 IN NS ns4.yumurtakabugu.com.
theregister.co.uk. 86129 IN NS ns2.yumurtakabugu.com.
theregister.co.uk. 86129 IN NS ns1.yumurtakabugu.com.
theregister.co.uk. 86129 IN NS ns3.yumurtakabugu.com.

Which isn’t right.

It should probably look something like:

theregister.co.uk nameserver = ns1.theregister.co.uk
theregister.co.uk nameserver = ns2.theregister.co.uk
theregister.co.uk nameserver = ns3.theregister.co.uk
theregister.co.uk nameserver = ns4.theregister.co.uk
theregister.co.uk nameserver = ns5.theregister.co.uk
theregister.co.uk nameserver = ns6.theregister.co.uk

*Updated – 11:00pm 4th September 2011

It appears that ups.com has also been hacked.

ups.com Hacked

ups.com Hacked

*update again… Sites that have also been defaced include

betfair.com
acer.com
vodafone.com
telegraph.co.uk

http://www.zone-h.org/archive/notifier=TurkguvenLigi.info

betfair.com defaced

betfair.com defaced

vodafone.com defaced

vodafone.com defaced

telegraph.co.uk defaced

telegraph.co.uk defaced

*Updated – 7:15am 5th September 2011

The Guardian have interviewed the Turkish hackers that instigated the attack on the various high-profile websites. http://www.guardian.co.uk/technology/2011/sep/05/dns-hackers-telegraph-interview

*Updated – 8:10am 5th September 2011

The Register have now posted an article explaining a little about what happened.

http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/

About these ads

28 comments

  1. Looks like a jackass randomly targeting any old Web sites he can manage to compromise, for no other purpose than to get notoriety for himself. He took a kitchen-sink approach and these are the ones that went down the drain. There’s no obvious ethical or political agenda at work in breaching those wildly different sites.

  2. I doubt the website it self was hacked, looks like some trickery with the DNS servers meaning you are actually being sent to a completely different website. Worst part is if they wanted to, they could just make their “fake” site look like the real thing, and steal user passwords and such without people ever knowing.

  3. Appears to be a registration attack. According to Netcraft the site moved to BlueMile today, September 4, 2011. Other sites hosted there are mostly porn.

    Netblock Owner IP address OS Web Server Last changed
    Bluemile, Inc 226 N. 5th St Suite 300 Columbus OH US 43215 68.68.20.116 Linux Apache/2.2.17 Unix mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 4-Sep-2011

    http://toolbar.netcraft.com/site_report?url=http://theregister.co.uk

  4. All these sites work fine for me, from Ireland.

    Is it more likely your ISP has had their recursive nameservers hacked? Or maybe a root server close to you?

    dig trace NS theregister.com is giving the correct results from Irish and UK servers.

  5. theregister.co.uk. 600 IN A 72.3.246.59
    theregister.co.uk. 600 IN NS ns1.theregister.co.uk.

    It loos fine from here. Perhaps the DNS problem is on your end?

      1. Right. Perhaps the others are using the same cache-poisoned or compromised nameserver as you. But I assure you, theregister.co.uk is resolving fine and the website is up.

  6. My own recursing named nameserver resolves fine.
    dig theregister.co.uk. any @8.8.8.8 # this works fine too. But:
    dig theregister.co.uk. any @4.2.2.2 # ouch!

    theregister.co.uk. 37457 IN NS ns2.yumurtakabugu.com.
    theregister.co.uk. 37457 IN NS ns1.yumurtakabugu.com.
    theregister.co.uk. 1631 IN A 68.68.20.116

    4.2.2.2 is not actually a public nameserver, but it has been left open for a long time. Are you using it? If so, stop.

  7. Domain name attacks like this can be done via social engineering, such as password recovery or actually tricking somebody at the DNS registrar to disclosing info. This has been around forever, albeit not a full system compromise but ugly as it takes a long time to clear up.

  8. http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/

    So this was real, and as others have said, it was a compromise at the registrar, not at The Register. The probable reason why I did not see it: the co.uk parent domain changes had been reversed before I checked.

    This incident is a good example of why I recommend NOT using one’s ISP nameservers. The benefit of cache hits being slightly faster is offset by the TTL being, on average, half of what you would get by doing your own recursion to the authoritative NS. And then you get to share in the cache poisoning with all the other users.

    Yes, my recursive resolver could get a poisoned cache as well, but the window of opportunity for mischief is much smaller. And I can flush the cache if I suspect something is amiss.

Comments are closed.