On early Sunday evening, UK time, the DNS records of many websites, including those of The Register and The Telegraph, were hijacked and redirected to a third-party webpage controlled by Turkish hackers. The Register's website was not breached. And as far as we can tell there was no attempt to penetrate our systems. But we shut …
Shame it didn't last longer
I was looking forward to a more productive week :-)
The El Reg Internets have gone w i d e - s c r e e n
And a scroll bar for the article summary text
That goes all the way to the bottom of the page.
And that the downvote button renders over the top of.
AnonyTurk or TurkSec or LulzTurk?
They are not hackers, they are defacers.
Anyone who feels the Freudian Itch to put his nationality in front of his "exploits" is dubious at best anyway.
Re: AnonyTurk or TurkSec or LulzTurk?
.....or just the young turks of Anonymous.....?
need help here
how does switching my computer on and off - the answer of fuckwit IT support to any question - help if it's an upstream DNS server that's got the bad data?
Re: need help here
For the record we have checked our DNS records using the following:
http://dns.squish.net shows no problem.
We've checked each DNS server manually, and from two non-Reg hosts: one worked fine, one not so much -- the latter, stale DNS.
If anyone has any ideas on how to persuade DNS server operators / ISPs to update their records more quickly we are all ears.
And if you fancy resolving to our IP addresses:
18.104.22.168 or 22.214.171.124 - former is US, latter is UK. Both are fine.
"update their records more quickly"
Re: need help here
In future, reduce the TTL on your DNS records, but it will mean a higher load on the DNS server.
Your webmaster needs to understand...
... the magic trick known as "dig +trace". It'll show how it goes about resolving, say, theregister.co.uk:
$ dig +trace theregister.co.uk
; <<>> DiG 9.6.1-P1 <<>> +trace theregister.co.uk
;; global options: +cmd
. 247532 IN NS k.root-servers.net.
. 247532 IN NS j.root-servers.net.
. 247532 IN NS a.root-servers.net.
. 247532 IN NS m.root-servers.net.
. 247532 IN NS b.root-servers.net.
. 247532 IN NS i.root-servers.net.
. 247532 IN NS h.root-servers.net.
. 247532 IN NS e.root-servers.net.
. 247532 IN NS g.root-servers.net.
. 247532 IN NS d.root-servers.net.
. 247532 IN NS l.root-servers.net.
. 247532 IN NS f.root-servers.net.
. 247532 IN NS c.root-servers.net.
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 6 ms
uk. 172800 IN NS ns2.nic.uk.
uk. 172800 IN NS ns6.nic.uk.
uk. 172800 IN NS ns5.nic.uk.
uk. 172800 IN NS ns7.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS ns3.nic.uk.
uk. 172800 IN NS nsa.nic.uk.
uk. 172800 IN NS ns1.nic.uk.
uk. 172800 IN NS ns4.nic.uk.
;; Received 497 bytes from 126.96.36.199#53(m.root-servers.net) in 32 ms
theregister.co.uk. 172800 IN NS ns6.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns3.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns1.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns5.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns2.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns4.theregister.co.uk.
;; Received 239 bytes from 188.8.131.52#53(ns2.nic.uk) in 26 ms
*** AND HERE IT STOPS ***
The next stop would've been a query directed to one of the NSes listed and an answer containing an A record for theregister.co.uk. Since that's missing I had to ask them by hand (their A records are conveniently listed in the whois) and stuffed them in /etc/hosts, allowing me to get my commentarding fix.
Why does it stop? Because it doesn't know how to go on. To ask for theregister.co.uk it just got told to ask ns[1-6].theregister.co.uk and to resolve, say, ns1.theregister.co.uk it first needs to ask about theregister.co.uk. And so it hangs. The fix for that is called "glue records", where the previous server also gets told the A records to go with the nameservers. That is, the answer should've looked much like this except there should've been a bunch of A records for ns[1-6] in the same answer packet. Your webmaster is expected to understand this.
Also a minor point of bitching about how the webform b0rks the formatting here.
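As an added illustration (not part of the post above, nor any Register tooling), this Python script parses dig +trace output of the kind pasted above and flags a final delegation whose in-bailiwick nameservers arrived with no A/AAAA glue in the same hop. The trace text is a constructed, shortened copy of the one in the post, and the script assumes the captured output includes glue records wherever the server actually sent them.

```python
from typing import List, Tuple

# Constructed, shortened copy of the dig +trace output pasted above
# (one or two NS records per hop is enough for the check).
SAMPLE_TRACE = """\
; <<>> DiG 9.6.1-P1 <<>> +trace theregister.co.uk
;; global options: +cmd
. 247532 IN NS k.root-servers.net.
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 6 ms
uk. 172800 IN NS ns2.nic.uk.
;; Received 497 bytes from 126.96.36.199#53(m.root-servers.net) in 32 ms
theregister.co.uk. 172800 IN NS ns1.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns2.theregister.co.uk.
;; Received 239 bytes from 188.8.131.52#53(ns2.nic.uk) in 26 ms
"""

Record = Tuple[str, str, str]  # (owner, rrtype, rdata), names lower-cased

def parse_trace(text: str) -> List[List[Record]]:
    """Split dig +trace output into hops: each hop is the list of records one
    server returned, closed by its ';; Received ... from ...' line."""
    hops: List[List[Record]] = []
    current: List[Record] = []
    for line in text.splitlines():
        if line.startswith(";; Received"):
            hops.append(current)
            current = []
        elif line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[2] == "IN":
                current.append((fields[0].lower(), fields[3], fields[4].lower()))
    if current:  # output cut off before a closing ';; Received' line
        hops.append(current)
    return hops

def missing_glue(hop: List[Record]) -> List[str]:
    """NS targets that live inside the delegated zone (in-bailiwick) but have
    no A/AAAA record in the same hop: the resolver has nowhere to go next."""
    glued = {owner for owner, rrtype, _ in hop if rrtype in ("A", "AAAA")}
    missing = []
    for owner, rrtype, target in hop:
        if rrtype != "NS":
            continue
        in_bailiwick = target == owner or target.endswith("." + owner)
        if in_bailiwick and target not in glued:
            missing.append(target)
    return missing

def check_trace(text: str) -> Tuple[str, List[str]]:
    """Zone delegated at the final hop and the NS names it handed out without
    glue (empty list when the final hop carried glue or a real answer)."""
    last = parse_trace(text)[-1]
    zone = next((owner for owner, rrtype, _ in last if rrtype == "NS"), "")
    return zone, missing_glue(last)
```

Run it against your own saved trace by reading the file into check_trace(); an empty list means the last hop was either glued or the final answer.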
If only it were that simple
Quite a few ISPs seem to ignore TTLs that are set below their preferences. 1800 seconds (30 mins) seems to be a practical lower bound.
Reducing TTL on the proper records won't help; caching of the incorrect results will be down to whatever TTL the hackers' DNS server returns with the A records (but typically a name resolver will cap the TTL to a certain value if it's excessive).
I thought I was seeing things last night
When I saw the defacement page.
I was about to drop a mail as I could get to the page if I put in the www at the beginning and I did not know of the twitter account (now bookmarked) but thought you'd probably be aware.
Maybe it's time we sent DNS change requests to registrars using PGP signed mail just as they do to the Nominet Automaton automated system?
PGP Signing was not/is not the issue...
re PGP signing...
Um well the change of nameservers for theregister.co.uk would have required a secured request from netnames to Nominet, so the issue isn't that the nameserver changes aren't controlled/signed/restricted, more that if you use a registrar like netnames that has a "control panel" and automates that, breaching that defeats the other.
The Reg could have a Nominet account itself and not need a third party, not have a control panel and problem solved, or use someone like my company which for this very reason has no such automation - much harder to compromise something if there is nothing to compromise!
This leaves us with the human hijacking and compromise issues, which are more readily dealt with using a shotgun.
Obviously we wouldn't use one.
Gah So close
This leaves us with the human hijacking and compromise issues, which are more readily dealt with using a shotgun.
Obviously we wouldn't use one.
You almost had a new customer until you said you wouldn't resort to a shotgun to protect my DNS from hijack!
You've reinforced my point.
Time to do away with registrars and deal with registries directly?
Reg entrance exam ?
Looks like a plot to me .. The Reg always looking for talent in its IT department (eat your heart out BOFH.) the boyos defaced to prove their worth and will soon be hired in the Reg's internet security department. In other words, they defaced to get jobs :) It was not malicious at all .. no really . it was all a plot to get cushy jobs in Vulture Central to get out of the misery they face in Turkey .. So be good sports and hire them already :)
And do remember to feed a hungry programmer today :)
Looks to me like their 1337 skillz may be somewhat out of date, if the "copyright 2005" at the bottom of the page is anything to go by...
Their server is also running mod_frontpage. 1337 5ki11z indeed.
One thing I've noticed
is that as of this morning Australian time, and still as of this post, theregister.co.uk now gives me a DNS error. Interestingly, if I connect to the VPN service I subscribe to (VyprVPN), I can reach the site (which is why your logs for this post would show me as coming from Amsterdam instead of Australia.) Most likely my ISP has cached the error and hasn't caught up yet. So it's also a good test of the censorship-bypassing abilities of the VPN, since a DNS failure at the local level is similar to the effect that the Great Aussie Firewall would have if it were in place, which is the reason I subscribed to the VPN service in the first place.
Wondered what was going on last night
I didn't see the defacement page, just got site unavailable type error messages. For a (brief) while I thought my router had dropped connection but then everything else worked ok. Glad to see you back this morning, if you weren't I might have to do some work!
If you still see defaced site, it may be a sign
I think your ISP doesn't run a well managed DNS server and it seems it is time to switch to opendns.com or google dns. I can never use google services of that kind but it exists.
Badly managed dns servers can create way more serious problems than couple of defaced sites, especially in days every ssl provider manages to get "hacked" or socially engineered.
While on it, "repair my internet connection" (or whatever it's called) will also clear system DNS caches on Windows, it is easier for newbies. For routers? Power cycle.
Repair internet connection?
Just use ipconfig /flushdns ...
These "hackers" smash a load of windows, digitally speaking, and the Grauniad contacts them the same day and politely publishes their comments? That's inappropriate. There was no angle here. It was mindless vandalism of other people's property. The fact it involved computers does not change that. Hey, Turkguvenligi, why don't you GET A JOB like the rest of us.
If you still see a defaced site, it just means that your ISP's DNS servers are caching the bad entries, as per the DNS specifications. The bad records had a 24 hour TTL, so should expire between 8pm and 11pm UK time tonight.
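To put numbers on the TTL discussion in "If only it were that simple" and in the post above, here is an added Python model (not from any poster) of one recursive resolver's cache for a single name: the TTL the authority hands out is clamped to a constructed [min_ttl, max_ttl] window, and a hijack temporarily swaps what the authority answers. The times, TTLs and the GOOD/BAD answers are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

@dataclass
class Authority:
    """What the authoritative side currently answers (a hijack swaps this)."""
    rdata: str
    ttl: int

    def answer(self) -> Tuple[str, int]:
        return self.rdata, self.ttl

@dataclass
class CachedRR:
    rdata: str
    expires_at: int  # absolute time in seconds

class ResolverCache:
    """Single-name model of a recursive resolver's cache. The TTL it is told
    is clamped to [min_ttl, max_ttl]; the constructed defaults are the 1800 s
    floor mentioned in the thread and a 24 h ceiling."""

    def __init__(self, min_ttl: int = 1800, max_ttl: int = 86400) -> None:
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.entry: Optional[CachedRR] = None

    def clamp(self, ttl: int) -> int:
        return max(self.min_ttl, min(self.max_ttl, ttl))

    def resolve(self, now: int, authority: Authority) -> str:
        """Serve the cached answer until it expires; only then ask upstream."""
        if self.entry is not None and now < self.entry.expires_at:
            return self.entry.rdata
        rdata, ttl = authority.answer()
        self.entry = CachedRR(rdata, now + self.clamp(ttl))
        return rdata

def hijack_timeline(legit_ttl: int, bad_ttl: int, hijack_at: int, restored_at: int,
                    probe_times: Iterable[int], min_ttl: int = 1800,
                    max_ttl: int = 86400) -> Dict[int, str]:
    """Answer one resolver gives at each probe time. The zone serves GOOD
    except between hijack_at and restored_at, when it serves BAD with bad_ttl."""
    cache = ResolverCache(min_ttl, max_ttl)
    legit, bad = Authority("GOOD", legit_ttl), Authority("BAD", bad_ttl)
    seen: Dict[int, str] = {}
    for t in sorted(probe_times):
        authority = bad if hijack_at <= t < restored_at else legit
        seen[t] = cache.resolve(t, authority)
    return seen

if __name__ == "__main__":
    # Constructed scenario: owner had cut the TTL to 300 s, the hijacker
    # published a 24 h TTL, the zone was fixed 4000 s after the hijack.
    for t, a in hijack_timeline(300, 86400, 1000, 5000, [0, 1500, 2000, 6000, 88400]).items():
        print(f"t={t:>6}s  resolver answers {a}")
```

Lowering the legitimate TTL gets the resolver to re-query sooner, but once a bad answer is in the cache only the hijacker's TTL (or the resolver's own ceiling) decides when it leaves.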
even the 24 hour ttl can be fixed
The Register and the other defaced sites are famous and popular, old school news sites. So, it was all over the tech news sites especially because The Register was one of the victims ;)
So, someone serious at managing could manually update the dns of the particular zone. That is the "seriously managed isp" I talk about. I know one did, not a big deal.
DNS servers are the least cared-for boxes in ISPs. So, some third parties coming with the idea "we can invent in this dinosaur-aged protocol" are my choice, unless I settle somewhere and run my own DNS server.
if they'd actually used any of the Sec tools against their web interface they'd have found
at least that one SQL injection attack open. Security is prime? my arse.
They should be careful about new trend
New trend is: "You don't care? Good bye" as seen with that poor dutch ssl provider. First time Mozilla and MS showed no mercy, purged their root.
Things got way complex these days, even I security check a stupidly simple, easily readable php contact form on a website I manage. It is also damn easy, especially if you can/will pay for it.
Glad to hear all is well
I missed the redirection bit of all this and just found the site down this morning. Reghardware is clearly made of stronger stuff (or, more likely, registered with another organisation?) as that was available without needing to consider resorting to a direct IP address connection.
I for one condemn our attempted new Reg overlords.
Why didn't they
Map the name servers which are ns1.theregister.co.uk etc to the IP of their own nameserver and extend the TTL and get
at least 24 hours depending on the internal cache rules of those queries made after the hack / max-cache-ttl/
Would have been neater.
Although looking at it yumurtakabugu.com doesn't have its own NS but uses active-dns.com. Still would only take a few minutes
to set one up.
I find it weird that theregister: an authority on everything hacking is hacked by Turkish hackers/criminals...lol
@The main man "Funny really"
I guess you don't know what you're talking about, and didn't understand the article. The hack was targeted at a company called NetNames. The fact that The Register's website was affected was not their fault.
An analogy that gives you the idea of the extent of The Register's culpability in this scenario would be to imagine that The Register were a customer of Tesco. So one day The Register are inside Tesco doing their shopping and then Mr T drives through the Tesco car park in his tank crushing a random selection of cars in the car park. If you find The Register at fault for parking in the wrong space, then you find them at fault for this website defacement too.
Or did I just get trolled?
I can't get to the site via direct IP or dns with IDNet, which is strange.
Opera Turbo works fine though. I'll just use that till tomorrow and see if it's back again on regular browsers, etc.
How terribly odd.
I suppose that 24hr ttl must have expired at my ISP.
No To NATO
I work at a certain fairly hugish Belgian NATO site. Haven't had El Reg all day! It just doesn't resolve. Boo hoo!
Will obviously try again tomorrow.
Just a reminder.
I have no idea how to force my ISP to do it, but just in case...
And El Reg was not hacked... but their ISP was. Namely the DNS resolver.
Or something along that line.
You know, Windows user.
I'm confused, when hackers were targeting Sony, that was good, you gave them plenty of press, even encouraging them by your vicious reporting.
Now YOU are the target, it's not so funny?
Please tell me what to think this week, it's hard to keep up...
Re: Hang on....
You are deluded or a Sony shill. Or both.
We were not hacked - Sony was. More than once, spilling tens of millions of records in the worst breach.
We have never encouraged anyone to hack anything.
It was all very well getting instructions to edit hosts files with the IP but that only worked to get onto the site, couldn't access any comments and a lot of pages on the Reg were still unable to resolve, even after the hosts edit. I was able to do some basic reading using Google cache and muttering about how everyone else seemed to be able to get on with no problems.
Obvious Helpful Measure
If, when I go to a web site, its IP address has changed since the last time I visited it, the browser should prompt me, and ask if I want to go to the old address or the new one.
After all, normally, browsers keep a browser history, and they go out and get the IP address from the URL before fetching the page with the IP address, so the information is there. Naturally, this is an extra pop-up when a page legitimately changes, but when people see the old page really isn't there, then they can proceed based on the change apparently being legitimate.
Nothing here all day
Even If I typed in the IP of El Reg
I think the ISP must have "pulled the plug".
Hey man - you seemed to have gone offline for a bit?
No Reg! I very nearly just about maybe shivered a little! Does the perp know about the world of pain concept yet?
Some Turkish translations
Just in case anyone cared to know:
Turkish is an agglutinative language and very idiomatic.
güven - feeling of being safe or secure
güvenlik - security, safety (think of lik as roughly meaning with)
Turkgüvenliği - Turk related security, safety? (Obviously there is some heavy irony and idiom here.)
yumurta - egg..... or testicle!
kabuk - outer covering; eggshell
yumurta kabuğu - more verbose way of saying eggshell; scrotum is usually haya torbası
So would you trust a DNS named "eggshell" or what could be a veiled reference to scrotum?
Maybe you can see now why the Turks might be getting more of a kick out of this than you thought. Like if you got everyone to use a DNS server called up1.gentlemanssausage.net. Hehehehehehe
The need for seeing eye dogs...
Look, presbyopia strikes us all (it started happening to me at age 50). No need to go to the fondleslab version of things, as there is a nice plugin for Firefox named "NoSquint" that puts things in a proper perspective (render things at 120% text).
Unfortunately not all web sites (thanks for being kind ElReg!) are up to the task and you get overlaid text (or worse!). Unfortunately, many of these sites are ones used by employers, or their agents, and they don't work well at all. But I seem to get through, which may be part of the test. (*SIGH*)
I sent in a radioactively hot response to some commentard Sunday and when I couldn't get back this morning - thought I had seriously pissed somebody off at el Reg... I am relieved.
Seeing as SSL and DNS lately seem to be the targets du jour
I've just installed the following Firefox addons...
DNSSEC Validator (changing the preferences to use OARC's validator)
I've imported CACert.org's two root certificates, added CACert.org's revoke list to auto-update in Firefox, and made everything validate via OCSP with CACert Class 3 Root - Root CA and when a connection fails treat the certificate as invalid.
Also, before I had my ISP's secondary DNS as my primary DNS server and OpenDNS's secondary DNS as my secondary DNS server. Now as my ISP have demonstrated they're useless at DNS it's OpenDNS all the way.
Any other suggestions welcome.
Any other suggestions welcome...
...Yep, I used Comodo DNS but surprisingly just changed to Norton DNS after seeing a useful comparison on YouTube
"While no-one can completely defend against such sustained and concentrated malicious attacks ..."
... defending against SQL Injection is on the other hand actually, very easy and we are desperately ashamed that we demonstrated such rank incompetence that we left such a gaping hole in our security systems, thereby proving our claim that our customers' privacy and security are of paramount importance to be a barefaced lie issued by our marketing department without prior vetting by our technical or legal teams.
That *is* the way that quote continued, isn't it ?
Glad to have you back El Reg.
beg to differ
"While no-one can completely defend against such sustained and concentrated malicious attacks ... "
if it was SQL injection, then yes you can completely defend against "little bobby tables" and all his "insert into dns..." chums.
Unless of course it wasn't SQL injection in the deeply orthodox sense.
I've only 4 words .. 'Welcome back, The Register' :)