A DNS server was hacked last night resulting in a number of major websites being subject to defacement and redirection.
The websites of Vodafone, Betfair, Acer, National Geographic and the Telegraph and the Register were all victims to the hacking of registrar NetNames. The pages were replaced with an image and a message that read: “h4ck1n9 is not a cr1m34. Sept. We TurkGuvenligi declare this day as World Hackers Day - Have fun ;) h4ck y0u.”
Identifying themselves as the group behind the attack was ‘TurkGuvenligi' or ‘TG', who are yet to comment on their Twitter page but did speak to the Guardian, confirming that it had been planning this attack specifically as to take down a harder target ‘makes it funnier'.
While the interview did not say how the attack was conducted, TG did say that it would usually target a specific site but if there is no vulnerability on the site script, it would try accessing a server or a virtual private server and if neither of those works, it would try the domain company.
According to Zone-H, the attackers managed to hack into the DNS panel of NetNames using a SQL injection and modified the configuration of arbitrary sites, to use their own DNS (ns1.yumurtakabugu.com and ns2.yumurtakabugu.com) and redirect those websites to a defaced page.
A statement by the Register confirmed that its website had not been breached and as far as it could tell, there was no attempt to penetrate its systems. “Our DNS records were restored to normal after three hours or so. If you still see a defaced page, turning your equipment on and off again may help: there are DNS caches in your browser, OS, routers and at your ISP. Any of these could contain dodgy info,” it said.
Looking at the message left on the defaced websites, Graham Cluley, senior technology consultant at Sophos, said that the phrase ‘Gel Babana' is Turkish for ‘Come to Papa', while ‘Guvenligi' is Turkish for ‘Security'.
“In many ways we have to be grateful that the message displayed appears to be graffiti, rather than an attempt to phish information from users or install malware,” he said.
Aziz Maakaroun, managing partner of Outpost24 UK, said: “The most interesting information about this attack, however, comes from the mouths of the hackers themselves. They are obviously tenacious people, happy to wait for ‘months' to find a vulnerability that allows them to break in to a supposedly secure website. They also see their actions as just a game, whereby the harder the website is to hack, the ‘funnier' it becomes when it is breached.
“Unfortunately for the organisation affected, the reality of the situation is somewhat different, particularly when viewed through the prism of other recent high profile attacks.”
NetNames confirmed that all systems were restored on Sunday night. The full list of sites affected can be found here, courtesy of Zone-H.
Picture courtesy of @paulmutton.