Isn't this the on-line version of scrawling graffiti onto roadsigns? We don't have a news story each time that happens.
Edit: before anyone says "well, why did you read this then?", I'm procrastinating.
Surfers visiting the eBay and PayPal UK websites were redirected to defacement pages instead following a DNS hack for which the Syrian Electronic Army has claimed responsibility. The hijacking of surfers instigated by the pro-Assad hacktivists only persisted for a short period over the weekend before normality was restored. …
"a very small subset of people visiting a few marketing web pages of PayPal France, UK"
A FEW marketing pages? The FRONT PAGE, i.e. ebay.co.uk, was hijacked for two hours, and visitors' cookies would have been spewing to the rogue server. I didn't check PayPal at the time (I was an affected user) but I assume it was the same.
They changed the DNS servers to a couple of random ones. If the attacker had been more malevolent they could have put a fake login form on and had a field day.
An interesting problem is that when whoever owned the server that was hosting the hijack page discovered the problem they disabled the account, which 301 redirected to a "site suspended" page. On many browsers a 301 is cached for a very long time, so when the affected people visit ebay.co.uk they will be redirected to something like www.ebay.co.uk/cgi-bin/suspended.cgi (which 404s) until they clear their cache.
DNS lookups for ebay.co.uk kept on failing for me. Firefox 'could not find' etc.
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ebay.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10658
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ebay.co.uk. IN A
;; Query time: 29 msec
However on one occasion I ended up with a decidedly non-ebay looking 'page not found' error page...
"http://www.ebay.co.uk/cgi-sys/defaultwebpage.cgi
If you feel you have reached this page in error, please contact the web site owner:
webmaster@ebay.co.uk
It may be possible to restore access to this site by following these instructions for clearing your dns cache.
If you are the web site owner, it is possible you have reached this page because:
The IP address has changed.
There has been a server misconfiguration.
The site may have been moved to a different server.
If you are the owner of this website and were not expecting to see this page, please contact your hosting provider."
At that time the DNS reported:
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ebay.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56542
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;ebay.co.uk. IN A
;; ANSWER SECTION:
ebay.co.uk. 106 IN A 23.238.230.225
;; AUTHORITY SECTION:
ebay.co.uk. 72106 IN NS ns1.dnforu.com.
ebay.co.uk. 72106 IN NS ns2.dnforu.com.
;; Query time: 30 msec
This was via SKY DNS. I reported this to ebay via online chat. The 'problem' did eventually resolve itself but it all seemed 'very suspicious'.
This is what I saw at around 16:48:
http://imgur.com/cyS0TXJ
It reverted to a cPanel default page fairly quickly, and then the DNS entries were dropped from the "dnforu" servers.
This was the Nominet whois at the same time, clearly showing the rogue DNS servers:
http://imgur.com/eCkoGkL
It was like that for at least an hour and a half, a crazy slow response. I assume they were locked out of the Markmonitor systems!
I appreciate the goal of PR is to manage the negative publicity, but in most of the reports that came out about this over the weekend there was a tweeted screenshot of a supposedly internal email from Paul Whitted (eg: http://www.zdnet.com/ebay-and-paypal-uk-domains-hacked-by-syrian-electronic-army-7000025854/).
This email appears to be confirming the fact they were hacked and suggesting people move onto a secure comms channel.
Is this a normal response for an advertising site defacement and, if legit, how did this email leak?
"The hijacking involved changing entries in the online lookup table that translates PayPal.co.uk to an IP address computers use to route surfing requests"
Also known as the Domain Name System (DNS), something I would have thought most people here would be familiar with. I don't see how PayPal could claim that 'no accounts were ever in any danger of being compromised', seeing as if the hackers had created a fake PayPal login page and then redirected them to the real one, they could have been harvesting login credentials for ages. Which leads to the question of who was hosting the PayPal DNS entry and why didn't they notice the hack?
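As an added example (not code from any commenter in this thread), here is a small defender-side check in Python that parses the dig output quoted earlier in the thread and flags a delegation to name servers outside the domain owner's allow-list, plus an answer address outside the owner's ranges and a resolver returning SERVFAIL; it is the kind of external monitoring the question above ("why didn't they notice the hack?") is asking for. The expected NS names and address prefixes are hypothetical placeholders, not eBay's real configuration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the dig output a commenter above posted while ebay.co.uk
# was delegated to the rogue "dnforu" name servers.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56542
;; QUESTION SECTION:
;ebay.co.uk. IN A
;; ANSWER SECTION:
ebay.co.uk. 106 IN A 23.238.230.225
;; AUTHORITY SECTION:
ebay.co.uk. 72106 IN NS ns1.dnforu.com.
ebay.co.uk. 72106 IN NS ns2.dnforu.com.
;; Query time: 30 msec
"""

# Assumed allow-list (hypothetical placeholders): the name servers and address
# prefixes the domain owner expects an external resolver to report.
EXPECTED_NS = {"ns1.example-registrar.net.", "ns2.example-registrar.net."}
EXPECTED_A_PREFIXES = ("198.51.100.", "203.0.113.")

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
STATUS_RE = re.compile(r"status: (\w+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$")

def parse_dig(text: str) -> Dict[str, List[Tuple[str, int, str, str]]]:
    """Group resource records (owner, ttl, type, rdata) by dig section."""
    sections: Dict[str, List[Tuple[str, int, str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith(";"):
            continue  # header, QUESTION and stats lines all start with ';'
        rr = RR_RE.match(line.strip())
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner, int(ttl), rtype, rdata))
    return sections

def hijack_findings(text: str) -> List[str]:
    """Return alert strings; an empty list means the delegation looks as expected."""
    findings = []
    status = STATUS_RE.search(text)
    if status and status.group(1) != "NOERROR":
        findings.append(f"resolver returned {status.group(1)}")
    sections = parse_dig(text)
    for _, _, rtype, rdata in sections.get("AUTHORITY", []):
        if rtype == "NS" and rdata.lower() not in EXPECTED_NS:
            findings.append(f"unexpected NS {rdata}")
    for _, _, rtype, rdata in sections.get("ANSWER", []):
        if rtype == "A" and not rdata.startswith(EXPECTED_A_PREFIXES):
            findings.append(f"A record {rdata} outside expected ranges")
    return findings
```

Run against live output (for example `dig +noall +answer +authority +comments example.com`) from several public resolvers, any non-empty result is worth a page to whoever owns the registrar account.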