The Register Hacked (DNS Hijacked)

I can’t believe it.

I would never have thought that one of my favourite tech news sites could ever be hacked. Yet a few minutes ago I captured the following screenshot when browsing.

Come on guys, what is going on?

The Register Hacked

The Register Hacked

*Updated – 10:00pm 4th September 2011

After further investigation, it seems that The Register’s website was not hacked as such, but rather the DNS for that domain has been hijacked.

The bad A record IP appears to be instead of which is a rackspace server where the register is hosted.

If you go to and do a nameserver lookup you’ll see the register has the following nameservers now: 86129 IN NS 86129 IN NS 86129 IN NS 86129 IN NS

Which isn’t right.

It should probably look something like: nameserver = nameserver = nameserver = nameserver = nameserver = nameserver =

*Updated – 11:00pm 4th September 2011

It appears that has also been hacked. Hacked Hacked

*update again… Sites that have also been defaced include defaced defaced defaced defaced defaced defaced

*Updated – 7:15am 5th September 2011

The Guardian have interviewed the Turkish hackers that instigated the attack on the various high-profile websites.

*Updated – 8:10am 5th September 2011

The Register have now posted an article explaining a little about what happened.



  1. Looks like a jackass randomly targeting any old Web sites he can manage to compromise, for no other purpose than to get notoriety for himself. He took a kitchen-sink approach and these are the ones that went down the drain. There’s no obvious ethical or political agenda at work in breaching those wildly different sites.

  2. I doubt the website it self was hacked, looks like some trickery with the DNS servers meaning you are actually being sent to a completely different website. Worst part is if they wanted to, they could just make their “fake” site look like the real thing, and steal user passwords and such without people ever knowing.

  3. Appears to be a registration attack. According to Netcraft the site moved to BlueMile today, September 4, 2011. Other sites hosted there are mostly porn.

    Netblock Owner IP address OS Web Server Last changed
    Bluemile, Inc 226 N. 5th St Suite 300 Columbus OH US 43215 Linux Apache/2.2.17 Unix mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ mod_perl/2.0.4 Perl/v5.8.8 4-Sep-2011

  4. All these sites work fine for me, from Ireland.

    Is it more likely your ISP has had their recursive nameservers hacked? Or maybe a root server close to you?

    dig trace NS is giving the correct results from Irish and UK servers.

  5. 600 IN A 600 IN NS

    It loos fine from here. Perhaps the DNS problem is on your end?

      1. Right. Perhaps the others are using the same cache-poisoned or compromised nameserver as you. But I assure you, is resolving fine and the website is up.

  6. My own recursing named nameserver resolves fine.
    dig any @ # this works fine too. But:
    dig any @ # ouch! 37457 IN NS 37457 IN NS 1631 IN A is not actually a public nameserver, but it has been left open for a long time. Are you using it? If so, stop.

  7. Domain name attacks like this can be done via social engineering, such as password recovery or actually tricking somebody at the DNS registrar to disclosing info. This has been around forever, albeit not a full system compromise but ugly as it takes a long time to clear up.


    So this was real, and as others have said, it was a compromise at the registrar, not at The Register. The probable reason why I did not see it: the parent domain changes had been reversed before I checked.

    This incident is a good example of why I recommend NOT using one’s ISP nameservers. The benefit of cache hits being slightly faster is offset by the TTL being, on average, half of what you would get by doing your own recursion to the authoritative NS. And then you get to share in the cache poisoning with all the other users.

    Yes, my recursive resolver could get a poisoned cache as well, but the window of opportunity for mischief is much smaller. And I can flush the cache if I suspect something is amiss.

Comments are closed.