TurkGuvenligi DNS Hack

DNS Hack Affects Telegraph, Bet Fair, Register, UPS, NatGeo, And Others


Websites of The Daily Telegraph, The Register, UPS, BetFair, National Geographic, and other sites have fallen victim to a DNS hack over the past hour, which has redirected users to third-party webpages like the one shown above, displayed to people trying to access theregister.co.uk. The sites themselves were not hacked, but the hackers managed to access and alter the DNS records of the sites, in effect pointing users elsewhere.

The message reads:

TurkGuvenligi

“Gel Babana”

HACKED

“h4ck1n9 is not a cr1m3”

“4 Sept. We TurkGuvenligi declare this day as World Hackes Day – Have fun ;) h4ck y0u”

It appears the hack was purely for attention, with the hackers not promoting any particular affiliation or demands, and they do not appear to be spreading malware – a relief for everyone involved. That said, users should not attempt to log in at any of the affected sites, or even visit them if they have enabled “keep me logged in” cookies, as the hacker may be able to intercept usernames and passwords until the DNS fixes have propagated around the internet – something that may take several hours.

To explain a little what DNS servers are and how they work – they are the computers that translate the web addresses we all use to access websites (e.g. techfruit.com) into a series of numbers called IP addresses that correspond to the actual server where that website is hosted (TechFruit is on 213.229.119.97 – a server in London). These hackers, going by the name of TurkGuvenligi, appear to have been able to access the DNS control panel at Ascio or NetNames (the company that each affected company uses as their registrar) via an SQL injection, and managed to change the records to point users from telegraph.co.uk and betfair.com to the servers of other sites of their choosing.
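Because the sites' own servers were untouched, a change like this only shows up in what the names resolve to. The following added example (not code from the article or its sources) compares resolved addresses against a pinned baseline. The techfruit.com pairing comes from the paragraph above; `shop.example`, the 192.0.2.x and 203.0.113.x addresses and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Pinned baseline: hostname -> networks its A records are expected to fall in.
# techfruit.com / 213.229.119.97 is the pairing given in the article; the
# second entry is a constructed placeholder.
BASELINE = {
    "techfruit.com": ["213.229.119.97/32"],
    "shop.example": ["192.0.2.0/24"],
}

def resolve_a(hostname):
    """Live IPv4 lookup via the system resolver (not used by the sample run)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def find_drift(baseline, observed):
    """Return (hostname, address, reason) for every answer outside its baseline."""
    findings = []
    for host, cidrs in baseline.items():
        allowed = [ipaddress.ip_network(c) for c in cidrs]
        answers = observed.get(host)
        if not answers:
            # A name that stops resolving is also worth an alert.
            findings.append((host, None, "no answer"))
            continue
        for addr in answers:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in allowed):
                findings.append((host, addr, "outside pinned range"))
    return findings

# Constructed observations: the first name has been repointed, the second has not.
SAMPLE_OBSERVED = {
    "techfruit.com": ["203.0.113.50"],
    "shop.example": ["192.0.2.10", "192.0.2.11"],
}

if __name__ == "__main__":
    for host, addr, reason in find_drift(BASELINE, SAMPLE_OBSERVED):
        print(f"ALERT {host}: {addr} ({reason})")
```

For live monitoring, build `observed` with `resolve_a()` and run the check from more than one network, since cached answers differ between resolvers while a change is still propagating.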

[Sources: Sophos / Zone-H / Alex Norcliffe]

[Screenshot by Paul Mutton]
