DNS hijack hits The Register: All well

Early on Sunday evening, UK time, the DNS records of many websites, including those of The Register and The Telegraph, were hijacked and redirected to a third-party webpage controlled by Turkish hackers. The Register's website was not breached. And as far as we can tell there was no attempt to penetrate our systems. But we …

COMMENTS

This topic is closed for new posts.
  1. Stefing
    FAIL

    The Grauniad...

    has better coverage: http://www.guardian.co.uk/technology/2011/sep/05/dns-hackers-telegraph-interview and http://www.guardian.co.uk/technology/2011/sep/05/turkish-hacker-group-diverts-users

    1. Drewc (Written by Reg staff) Gold badge

      Re: The Grauniad...

      We linked to Sophos, zone-h accounts and Guardian interview in the story. What more do you want!

      1. Stefing

        Dur...

        It wasn't in the original story - very little was!

        1. Drewc (Written by Reg staff) Gold badge

          Re: Dur...

          I think you are referring to our status update from yesterday?

          My story today contained links to all three sources - Honest! OK not Sophos at first - forgot to put in the html (thanks to everyone for the catch).

          1. Jedit
            Pint

            Silly Drew...

            ... why didn't you just blame the Turkish hackers for the missing links?

      2. Anonymous Coward
        Thumb Up

        Re: What more do you want!

        An eye test, methinks.

        1. Stefing
          FAIL

          Re: DUR!

          The original story didn't contain those links when I posted that comment - otherwise why would I post it?!

          "Methinks"!

  2. Anonymous Coward
    Anonymous Coward

    One more reason to send hackers to prison

    The only good hacker is dead... or at least in prison for 15 years.

  3. OMGROFLSKATES
    Coat

    Biting the hand....

    that feeds it....

    Winning.

    Obligatory hat and coat already donned.

  4. lupine
    Mushroom

    and

    they don’t like it up ’em...

  5. Anonymous Coward
    Alert

    How do I know I'm not posting this in a spoofed Turkish site?

    The Comments page looks different, with Forums, my posts etc listed below the comments rather than to the right as was before.

    Thanks for being up-front and open. Glad my password for this site is unique.

  6. jake Silver badge

    Betcha a nickel ...

    ... that the annonytwats will claim "responsibility" ... for small values of responsibility.

    1. Drewc (Written by Reg staff) Gold badge

      Re: How do I know I'm not posting this in a spoofed Turkish site?

      You can relax on that score. We upgraded our forums code last week. Most of the changes are not user visible.

    2. I understand now
      Alien

      Oh come on!

      Didn't you watch Independence Day?

      Hackers will one day save the world.

      1. Jason Bloomberg Silver badge
        FAIL

        Some changes very visible ...

        Like comments now stretching beyond the 800 pixel width of the screen I'm using to view them on.

        Such complaints used to be dismissed with a, "get with the programme, stop being a Luddite; time for a sensible-sized monitor". That was never an entirely valid response to the problem and less so with the proliferation of hand-held and mobile devices.

        Oh well, time to write another Greasemonkey script to re-render the pages to fit :-(

        1. Anonymous Coward
          Facepalm

          @Jason

          Get with the times grandad, we all have mobile devices with a higher resolution than the crap you're using.

          1. AndrueC Silver badge
            Childcatcher

            Just you wait..

            ..until you're older. I have an HTC Desire and I struggle at times to read the text. I almost have to remove my glasses now and might have to switch to varifocals. I'm holding out until it gets so bad that I can't read my laptop screen easily.

            I'm only 44.

            http://www.nia.nih.gov/healthinformation/publications/eyes.htm

            In my case Presbyopia began to kick in at age 39. That was after let's call it twenty years of using a computer (excluding playing games on a Sinclair Spectrum). So don't be so smug. Hopefully there'll be a revolution in display technology for mobile devices before it hits you.

            Still - the important point to note: You don't have to be 'old and frail' to start having problems.

            1. Synonymous Howard

              @Just you wait..

              I'm 45 and have just noticed the glasses on / glasses off issue with my new Macbook Air 11" ... so I will have to keep using the "applekey +" keystrokes to enlarge the text until I get the firm to pay for varifocals.

              Still not bad for 32 years of VDU squinting and I've always been myopic .. just waiting until I get 20/20 vision when I'm 80+

              1. Simon Harris Silver badge
                Unhappy

                Varifocals bahhh!

                I went to varifocals last year (at 45) ...

                Hate them - find I can't keep everything on the screen in focus without nodding my head all the time!

                I think I'll go back to single focus and taking them off for reading next time I change them!

                1. AndrueC Silver badge

                  A bit off-topic

                  ..but did you go to Specsavers? Several of my Dad's friends have said theirs are a lot better than other brands. Something about Specsavers using a larger degree of separation or somesuch.

        2. jonathanb Silver badge

          Re: mobile comments

          Use m.theregister.co.uk if you are using a mobile device, then the comments will fit perfectly to your screen width.

        3. Dan 55 Silver badge

          Get with the programme, grandad!

          Mobile devices are covered with m.register.co.uk, with the unfortunate omission of icons when posting a message (which I get round by knocking off the m. at the start of the address when replying to a post). I hope someone at Vulture Central takes the hint and adds post icons to the mobile version of the website.

          In fact I'm using m.theregister.co.uk from my desktop as something somewhere still has www.theregister.co.uk in its DNS cache poisoned.

        4. Robert Carnegie Silver badge

          "Oh well, time to write another Greasemonkey script"

          Sure, if your web browser can't either zoom the page to a useable compromise size - your definition of "useable" - or, in the case of Opera, squeeze the stuff onto the screen itself - not guaranteed. Disabling the site's CSS may also help.

          I'm no longer using a tablet in portrait orientation, 480x800, for this, and that's probably a good thing.

        5. Drewc (Written by Reg staff) Gold badge

          Re: Some changes very visible ...

          Fixed.

      2. Tim Jenkins

        David Levinson ruled 0K!

        Yup - our l33t hackers will hijack the aliens' DNS, causing them to die of acute embarrassment when their invasion webpages redirect...

        (which is actually slightly more likely than the Powerbook-virus-transfer-to-the-mothership-mainframe-via-AppleTalk trick, tbh)

        http://starringthecomputer.com/computer.php?c=54

      3. Robert Brockway
        Linux

        Yeah sure :)

        That's exactly what _they_ would say isn't it? :)

    3. jonathanb Silver badge

      Not all of them

      There are lots of good hackers who do amazingly cool things with computers, like program a graphics calculator to show Star Wars.

      It's the script kiddies, who aren't even proper hackers, who need to go to jail.

      1. J.G.Harston Silver badge
        FAIL

        "There are lots of good hackers who do amazingly cool things with computers

        ...like program a graphics calculator to show Star Wars."

        That's not hacking, that's programming.

        (PS: Your logon tab order is all wrong, it goes from username to forgotten password instead of to password)

      2. Stoneshop Silver badge
        Mushroom

        Hackers vs. cracker

        I consider myself a hacker (in the original sense of the word, and not limited to software or computer either), and the way I'd like to deal with the cracker/script kiddie end of the scale is through the business end of an AK47, or copious amounts of C4. Oh, and that includes spammers too. After buggering them with a splintery broomstick lovingly marinated in Mad Dog 44 Magnum Pepper Extract (look up its Scoville rating if the name is not explicit enough)

        1. SirTainleyBarking
          Devil

          Hmmm Tasty

          4 Million on the scale, and doesn't seem to be a nice foodstuff

          http://youtu.be/PBl2867xcHs

          More like a chemical weapon

      3. Robert Brockway
        Linux

        Definitions

        The problem is the term hacker has as many as three distinct meanings in computing:

        (1) Originally someone who hacked out code. Not necessarily a compliment.

        (2) Later it became a term used for a very good coder or someone who loved coding for its own sake.

        (3) Later still it was used (largely by the media) to describe crackers, script kiddies and even blackhats.

        The last two definitions are still in use. I avoid the term and always use an alternative as it is too easily misunderstood.

        1. jake Silver badge

          @Robert Brockway

          Almost, but not quite. See:

          http://www.dourish.com/goodies/jargon.html

          And that's a latter-day version of the file I first ran across at Stanford in ~1976. If I remember correctly, back then it was called "AIWORD.RF". Hacking wasn't just about software, it also involved modifying chassis with hacksaws to make parts fit. The license plate frame on my daily driver has read "Beware of programmers who carry screwdrivers" for several decades ...

  7. Anonymous Coward
    Joke

    Er...

    "If you still see a defaced page, turning your equipment on and off again may help:"

    How could I read that if I saw a defaced page?

    But seriously, welcome back.

    1. Drewc (Written by Reg staff) Gold badge

      Re: Er...

      Too true - but no harm in giving some broad end user advice. It may get to the right hands...

      1. Heironymous Coward
        IT Angle

        power cycle cult

        Anyone who isn't familiar with the term "Did you try turning it off and on again?" doesn't deserve to be allowed to read el Reg..

        1. Ilgaz

          OS X and Windows says it too

          OS X has a lovely "Try turning off and on again" and "Are there any devices you can turn off and on?" messages in their assistants.

          If end-user router companies could agree on a simple standard for doing these simple tasks (e.g. a basic secured page relative to the modem IP to reboot), operating systems or even browsers could deal with the non-standard and confusing interfaces.

          I rarely use the modem's interface to reboot since I don't have time to browse 10 pages (some even have Flash!) designed in that year's cool Asia page fashion.

          In fact, I once "fixed" a friend's car by just turning the motor off and on, "like a freaking computer" (in his words). Seems the fuel computer of the car freaked out a bit. :)

          1. Synonymous Howard
            Thumb Up

            turning your equipment on and off again may help

            Works for a lot of things to reset to a pre-configured state and it's good to remind people of the simple solutions. Sometimes it's easier to say "Dad, turn it off at the mains, wait a few seconds and then turn it on again" than to drive a few hundred miles just to perform hands-on diagnosis and reach the same conclusion.

            I'm sure lots of enterprises still run weekly "reboot server to clear memory leak" etc housekeeping actions ... it's sad but true .. fixing the symptom is cheaper than upgrading the software stack. It used to be said that "Microsoft fix #1" was reboot/powercycle .. it's the fix of last resort for Unix/Linux boxes though.

            My Smart Car has lost its marbles a couple of times refusing to change gear using its tiptronic controls .. so it was time to pull over, turn off and turn on again to fix .. interestingly it worked regardless of the number of windows I had opened.

            1. 404 Silver badge
              Pint

              Standard Procedure

              Replaced the air filter, plugs, cleaned MAF sensor and throttle body, and then reset BCU/ECU to relearn parameters in my 08 GMC Canyon 2.9L 4-cylinder truck. Have to do it again when my new ported throttle body shows up. Picky picky and likes throwing CEL codes. Determined to get 30mpg average out of this truck... Need to get it on a dyno and custom tuned but I digress....

              What was I on about?

              ;)

  8. The BigYin

    Motive?

    What is it that "Turk Guvenligi" are after? Are they protesting against the human rights abuses of the Turkish government or something? (e.g. Ilisu Dam)

    Or are they just doing it for the lulz?

    1. Anonymous Coward
      Anonymous Coward

      for the

      lulz.

      of course.

      I'm on a horse.

    2. Anonymous Coward
      Anonymous Coward

      lulz, they can't dare

      People supporting and controlling Turkish government can enter a top secret military facility without getting noticed, plant dvd-rs containing thousands of pages of rigged documents and call the police.

      Or. They can record thousands of people's phone calls, daily activities and even bed activities and make them their puppet, especially if the person is in media.

      Current policy of UK and US Govt. is to support the .tr government so if you are British or American, you will never hear about these.

      Would you dare to protest such a government? It would be like setting up a pirate radio station in Berlin back in 1930s.

      I have a clue about who the idiot could be (like all .tr IT) but for this kind of pathetic lamer, best is not to advertise.

  9. Kevin (Just Kevin)

    Re; Mahatma Coat

    I've seen several sites containing an image of this Reg story so Reg users with contaminated DNS could read it there. Plus, as Drewc says, word of mouth helps.

    1. Anonymous Coward
      Joke

      @ Just Kevin

      I was joking, hence the joke icon

  10. Ian Emery Silver badge
    Coat

    So???

    How many tech savvy readers of El Reg are not prepared with DNS hijack/redirect warning addons for their browser ??

    (That will be IE users I suppose).

    (Flame proof coat)

  11. David Perry 2

    It did show me about 10am last night though

    That you're on Apache 2.2.17 using various bolt-ons incl openssl (which I've struggled to turn off on servers I have anything to do with admittedly) thanks to your error page footer.

    1. Lee Dowling Silver badge

      And?

      What exactly do you think matters about version numbers and extension names that The Reg shouldn't be showing them?

      There is nobody with a brain out there attacking servers but "ignoring" certain version numbers of Apache / modules because they look up-to-date. It's a pointless task because where there is no version number at all you'll probably try your exploit anyway because it almost certainly means someone who's scared of showing what ancient version they have running, and where a version number is returned it can easily be faked, and where it's not faked and not-out-of-date, it takes longer to check the version number against some magical list of "non-exploitable" Apache versions than it does just to try whatever exploit you're attempting anyway. And Apache version numbers mean nothing because even Debian/Ubuntu sometimes uses "old" versions of Apache that have been patched even if their version numbers aren't one of the "officially" fixed versions.

      SSH has as part of the protocol that you MUST give a version number out in the initial parts of the handshake (a lot of clients rely on it for feature detection etc.) and it's never been a problem in all the time that protocol's been around (and, if anything, encourages people to upgrade!)

      If you're worried about showing your version numbers, you're scared about people finding out what you ACTUALLY run. That's more worrying than anything they could do with that information (which would be precisely ZERO because most attack tools are automated and just-don't-care about version numbers because they can try the entire exploit in the time it takes to find out the version of a remote server; in the same way that I still witness tons of SPF failures on email - because the people sending out spam just don't care or it's not worth the effort to bother to weed out SPF-enabled domains from their "fake-from-address" list).

      Someone in IT suggesting that someone else knowing what version number of a piece of software you run is like a mechanic saying that you should take the badges off your car so that people don't know it's a Ford in case they try all to break into it using methods that only work on Fords. 1) It fools no-one. 2) Car thieves aren't stupid enough to be stopped when their "Ford-only" exploit doesn't work. 3) A brick through the window works on pretty much every car in the world.

      1. Synonymous Howard

        @And?

        Whilst everything you say is "true" it's also security best practice to remove identifying marks from protocols if only to pass the Penetration Tests.

        1. Pete B

          Synonymous Howard

          Too true: The testers have been happy enough with our "IIS 15.0" server for years!

  12. Henny
    FAIL

    Erm.....

    "If you still see a defaced page, turning your equipment on and off again may help"

    Actually, turning it OFF and then ON again is more likely to help....

    1. Stoneshop Silver badge
      Headmaster

      If the final state is 'off'

      you won't be seeing the defaced page either.

  13. Anonymous Coward
    Anonymous Coward

    Shame it didn't last longer

    I was looking forward to a more productive week :-)

  14. Anonymous Coward
    Windows

    The El Reg Internets have gone w i d e - s c r e e n

    Hmmmmm

    1. Anonymous Coward
      Anonymous Coward

      And a scroll bar for the article summary text

      That goes all the way to the bottom of the page.

      And that the downvote button renders over the top of.

  15. Destroy All Monsters Silver badge
    Unhappy

    AnonyTurk or TurkSec or LulzTurk?

    They are not hackers, they are defacers.

    Anyone who feels the Freudian Itch to put his nationality in front of his "exploits" is dubious at best anyway.

    1. TeeCee Gold badge
      Coat

      Re: AnonyTurk or TurkSec or LulzTurk?

      .....or just the young turks of Anonymous.....?

  16. Jim Morrow
    FAIL

    need help here

    how does switching my computer on and off - the answer of fuckwit IT support to any question - help if it's an upstream dns server that's got the bad data?

    1. Drewc (Written by Reg staff) Gold badge

      Re: need help here

      For the record we have checked our DNS records using the following:

      http://dns.squish.net shows no problem.

      http://www.mxtoolbox.com/ same.

      We've checked each DNS server manually, and from two non-Reg hosts: one worked fine, one not so much -- the latter, stale DNS.

      If anyone has any ideas on how to persuade DNS server operators / ISPs to update their records more quickly we are all ears.

      And if you fancy resolving to our IP addresses:

      72.3.246.59 or 212.100.234.54 - former is US, latter is UK. Both are fine.

      1. Destroy All Monsters Silver badge
        Headmaster

        "update their records more quickly"

        LAWYERS!

      2. jonathanb Silver badge

        Re: need help here

        In future, reduce the TTL on your dns records, but it will mean a higher load on the dns server.

        1. Gianni Straniero

          If only it were that simple

          Quite a few ISPs seem to ignore TTLs that are set below their preferences. 1800 seconds (30 mins) seems to be a practical lower bound.

        2. sthen

          @jonathanb

          Reducing TTL on the proper records won't help; caching of the incorrect results will be down to whatever TTL the hackers' DNS server returns with the A records (but typically a name resolver will cap the TTL to a certain value if it's excessive).

      3. Anonymous Coward
        Anonymous Coward

        Your webmaster needs to understand...

        ... the magic trick known as "dig +trace". It'll show how it goes about resolving, say, theregister.co.uk:

        $ dig +trace theregister.co.uk

        ; <<>> DiG 9.6.1-P1 <<>> +trace theregister.co.uk
        ;; global options: +cmd
        . 247532 IN NS k.root-servers.net.
        . 247532 IN NS j.root-servers.net.
        . 247532 IN NS a.root-servers.net.
        . 247532 IN NS m.root-servers.net.
        . 247532 IN NS b.root-servers.net.
        . 247532 IN NS i.root-servers.net.
        . 247532 IN NS h.root-servers.net.
        . 247532 IN NS e.root-servers.net.
        . 247532 IN NS g.root-servers.net.
        . 247532 IN NS d.root-servers.net.
        . 247532 IN NS l.root-servers.net.
        . 247532 IN NS f.root-servers.net.
        . 247532 IN NS c.root-servers.net.
        ;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 6 ms

        uk. 172800 IN NS ns2.nic.uk.
        uk. 172800 IN NS ns6.nic.uk.
        uk. 172800 IN NS ns5.nic.uk.
        uk. 172800 IN NS ns7.nic.uk.
        uk. 172800 IN NS nsb.nic.uk.
        uk. 172800 IN NS nsc.nic.uk.
        uk. 172800 IN NS nsd.nic.uk.
        uk. 172800 IN NS ns3.nic.uk.
        uk. 172800 IN NS nsa.nic.uk.
        uk. 172800 IN NS ns1.nic.uk.
        uk. 172800 IN NS ns4.nic.uk.
        ;; Received 497 bytes from 202.12.27.33#53(m.root-servers.net) in 32 ms

        theregister.co.uk. 172800 IN NS ns6.theregister.co.uk.
        theregister.co.uk. 172800 IN NS ns3.theregister.co.uk.
        theregister.co.uk. 172800 IN NS ns1.theregister.co.uk.
        theregister.co.uk. 172800 IN NS ns5.theregister.co.uk.
        theregister.co.uk. 172800 IN NS ns2.theregister.co.uk.
        theregister.co.uk. 172800 IN NS ns4.theregister.co.uk.
        ;; Received 239 bytes from 217.79.164.131#53(ns2.nic.uk) in 26 ms

        *** AND HERE IT STOPS ***

        The next stop would've been a query directed to one of the NSes listed and an answer containing an A record for theregister.co.uk. Since that's missing I had to ask them by hand (their A records are conveniently listed in the whois) and stuffed them in /etc/hosts, allowing me to get my commentarding fix.

        Why does it stop? Because it doesn't know how to go on. To ask for theregister.co.uk it just got told to ask ns[1-6].theregister.co.uk and to resolve, say, ns1.theregister.co.uk it first needs to ask about theregister.co.uk. And so it hangs. The fix for that is called "glue records", where the previous server also gets told the A records to go with the nameservers. That is, the answer should've looked much like this except there should've been a bunch of A records for ns[1-6] in the same answer packet. Your webmaster is expected to understand this.

        Also a minor point of bitching about how the webform b0rks the formatting here.
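The glue-record check described in the comment above, as an added example that is not part of the original post: it reads a referral in dig's presentation format and reports, for each delegated nameserver, whether it sits inside the delegated zone and, if so, whether an A/AAAA glue record accompanies it. The zone `example.co.uk`, the host `ns.hosted-dns.example.net`, the 192.0.2.x address and all function names are assumptions made for the illustration; the sample referral is constructed.

```python
"""Added example: flag in-zone nameservers that lack glue in a referral."""

# Constructed referral in dig's presentation format (name TTL class type rdata).
# Zone, hosts and address are placeholders, not data from the incident.
SAMPLE_REFERRAL = """\
;; AUTHORITY SECTION:
example.co.uk.      172800  IN  NS  ns1.example.co.uk.
example.co.uk.      172800  IN  NS  ns2.example.co.uk.
example.co.uk.      172800  IN  NS  ns.hosted-dns.example.net.

;; ADDITIONAL SECTION:
ns1.example.co.uk.  172800  IN  A   192.0.2.53
"""

GLUE_OK = "in-zone, glue present"
GLUE_MISSING = "in-zone, MISSING GLUE"
OUT_OF_ZONE = "out-of-zone, no glue needed"


def parse_records(text):
    """Return (name, ttl, type, rdata) tuples, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a record line in the expected layout
        name, ttl, _cls, rtype = fields[:4]
        records.append((name.lower(), int(ttl), rtype.upper(), " ".join(fields[4:])))
    return records


def is_in_zone(host, zone):
    """True when host is the zone apex or a name underneath it."""
    host = host.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return host == zone or host.endswith("." + zone)


def check_glue(text):
    """Map each delegated nameserver to one of the three status strings."""
    records = parse_records(text)
    # Names that have at least one address record in the same response.
    glued = {name for name, _ttl, rtype, _rd in records if rtype in ("A", "AAAA")}
    report = {}
    for zone, _ttl, rtype, rdata in records:
        if rtype != "NS":
            continue
        ns = rdata.lower()
        if not is_in_zone(ns, zone):
            report[ns] = OUT_OF_ZONE      # resolvable through another zone
        elif ns in glued:
            report[ns] = GLUE_OK
        else:
            report[ns] = GLUE_MISSING     # circular: needs the zone to find the zone
    return report


def delegation_usable(report):
    """A resolver can proceed if at least one nameserver is reachable
    without first resolving the delegated zone itself."""
    return any(status != GLUE_MISSING for status in report.values())


if __name__ == "__main__":
    result = check_glue(SAMPLE_REFERRAL)
    for ns, status in result.items():
        print(f"{ns:32} {status}")
    print("delegation usable:", delegation_usable(result))
```
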

  17. pctechxp

    I thought I was seeing things last night

    When I saw the defacement page.

    I was about to drop a mail as could get to the page if I put in the www at the beginning and I did not know of the twitter account (now bookmarked) but thought you'd probably be aware.

    Maybe it's time we sent DNS change requests to registrars using PGP signed mail just as they do to the Nominet Automaton automated system?

    1. Vince
      Stop

      PGP Signing was not/is not the issue...

      re PGP signing...

      Um well the change of nameservers for theregister.co.uk would have required a secured request from netnames to Nominet, so the issue isn't that the nameserver changes aren't controlled/signed/restricted, more that if you use a registrar like netnames that has a "control panel" and automates that, breaching that defeats the other.

      The Reg could have a Nominet account itself and not need a third party, not have a control panel and problem solved, or use someone like my company which for this very reason has no such automation - much harder to compromise something if there is nothing to compromise!

      This leaves us with the human hijacking and compromise issues, which are more readily dealt with using a shotgun[1].

      [1] Obviously we wouldn't use one.

      1. Anonymous Coward
        Joke

        Gah So close

        This leaves us with the human hijacking and compromise issues, which are more readily dealt with using a shotgun[1].

        [1] Obviously we wouldn't use one.

        You almost had a new customer until you said you wouldn't resort to a shotgun to protect my DNS from hijack!

      2. pctechxp

        @Vince

        You've reinforced my point.

        Time to do away with registrars and deal with registries directly?

  18. Steven Roper

    One thing I've noticed

    is that as of this morning Australian time, and still as of this post, theregister.co.uk now gives me a DNS error. Interestingly, if I connect to the VPN service I subscribe to (VyprVPN), I can reach the site (which is why your logs for this post would show me as coming from Amsterdam instead of Australia.) Most likely my ISP has cached the error and hasn't caught up yet. So it's also a good test of the censorship-bypassing abilities of the VPN, since a DNS failure at the local level is similar to the effect that the Great Aussie Firewall would have if it were in place, which is the reason I subscribed to the VPN service in the first place.

  19. FuzzyTheBear
    Pint

    Reg entrance exam ?

    Looks like a plot to me .. The Reg always looking for talent in its IT department ( eat your heart out BOFH. ) the boyos defaced to prove their worth and will soon be hired in the Reg's internet security department. In other words , they defaced to get jobs :) It was not malicious at all .. no really . it was all a plot to get cushy jobs in Vulture Central to get out of the misery they face in Turkey .. So be good sports and hire them already :)

    And do remember to feed a hungry programmer today :)

    FuzzyTheBear

    1. Doogs

      Jobs?

      Looks to me like their 1337 skillz may be somewhat out of date, if the "copyright 2005" at the bottom of the page is anything to go by...

      1. Greem

        1337?

        Their server is also running mod_frontpage. 1337 5ki11z indeed.

  20. Dave Murray

    Wondered what was going on last night

    I didn't see the defacement page, just got site unavailable type error messages. For a (brief) while I thought my router had dropped connection but then everything else worked ok. Glad to see you back this morning, if you weren't I might have to do some work!

  21. Ilgaz

    If you still see defaced site, it may be a sign

    I think your ISP doesn't run a well managed DNS server and it seems it is time to switch to opendns.com or google dns. I can never use google services of that kind but it exists.

    Badly managed dns servers can create way more serious problems than couple of defaced sites, especially in days every ssl provider manages to get "hacked" or socially engineered.

    While on it, "repair my internet connection" (or whatever it's called) will also clear system dns caches on windows, it is easier for newbies. For routers? Power cycle.

    1. Avalanche

      Repair internet connection?

      Just use ipconfig /flushdns ...

  22. Jim 59

    Grauniad

    These "hackers" smash a load of windows, digitally speaking, and the Grauniad contacts them the same day and politely publishes their comments ? That's inappropriate. There was no angle here. It was mindless vandalism of other people's property. The fact it involved computers does not change that. Hey, Turkguvenligi, why don't you GET A JOB like the rest of us.

  23. Anonymous Coward
    FAIL

    @Ilgaz

    If you still see a defaced site, it just means that your ISP's DNS servers are caching the bad entries, as per the DNS specifications. The bad records had a 24 hour TTL, so should expire between 8pm and 11pm UK time tonight.
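The caching behaviour discussed in this comment and in sthen's earlier reply about TTLs, as an added example that is not part of the original thread: a small model of a caching resolver shows that the lifetime of a hijacked answer is set by the TTL served with the bad record and by the resolver's own cap (the `max-cache-ttl` idea), not by the TTL on the legitimate records. The addresses, the three-hour hijack window, the ten-minute client query interval and all names in the code are assumptions; only the 24-hour TTL comes from the thread.

```python
"""Added example: how long a resolver keeps serving a hijacked A record."""

LEGIT_IP = "192.0.2.10"      # placeholder address (constructed)
HIJACK_IP = "203.0.113.66"   # placeholder address (constructed)
HIJACK_END = 3 * 3600        # assumed: delegation repaired 3 hours after the hijack began
HIJACK_TTL = 86400           # 24-hour TTL on the bad records, as reported in the thread


def make_upstream(legit_ttl):
    """Model what the authoritative side answers at time `now` (seconds)."""
    def upstream(now):
        if now < HIJACK_END:
            return HIJACK_IP, HIJACK_TTL   # attacker-controlled server picks this TTL
        return LEGIT_IP, legit_ttl         # owner-controlled TTL only applies from here
    return upstream


class CachingResolver:
    """Single-name cache with an operator-set TTL floor and cap."""

    def __init__(self, upstream, min_ttl=0, max_ttl=604800):
        self.upstream = upstream
        self.min_ttl = min_ttl    # some ISPs ignore TTLs below their preference
        self.max_ttl = max_ttl    # assumed default cap of 7 days
        self.cached = None        # (ip, expires_at) or None

    def resolve(self, now):
        if self.cached and now < self.cached[1]:
            return self.cached[0]                      # still valid: no upstream query
        ip, ttl = self.upstream(now)
        ttl = min(max(ttl, self.min_ttl), self.max_ttl)  # clamp to operator policy
        self.cached = (ip, now + ttl)
        return ip


def first_clean_answer(legit_ttl, min_ttl=0, max_ttl=604800,
                       step=600, horizon=2 * 86400):
    """Seconds after the hijack began at which a client polling every `step`
    seconds first receives the legitimate address, or None within `horizon`."""
    resolver = CachingResolver(make_upstream(legit_ttl), min_ttl, max_ttl)
    for now in range(0, horizon + 1, step):
        if resolver.resolve(now) == LEGIT_IP:
            return now
    return None


if __name__ == "__main__":
    for legit_ttl, cap in [(86400, 604800), (300, 604800), (300, 3600)]:
        t = first_clean_answer(legit_ttl, max_ttl=cap)
        print(f"legit TTL {legit_ttl:>6}s, resolver cap {cap:>6}s "
              f"-> clean answer after {t / 3600:.1f} h")
```
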

    1. Ilgaz

      even the 24 hour ttl can be fixed

      The Register and the other defaced sites are famous and popular, old school news sites. So, it was all over the tech news sites especially because The Register was one of the victims ;)

      So, someone serious at managing could manually update the dns of the particular zone. That is the "seriously managed isp" I talk about. I know one did, not a big deal.

      DNS servers are the least cared boxes in ISPs. So, some third parties coming with the idea "we can invent in this dinosaur aged protocol" are my choice, unless I settle somewhere and run my own dns server.

  24. Matthew 3

    Glad to hear all is well

    I missed the redirection bit of all this and just found the site down this morning. Reghardware is clearly made of stronger stuff (or, more likely, registered with another organisation?) as that was available without needing to consider resorting to a direct IP address connection.

    I for one condemn our attempted new Reg overlords.

  25. Anonymous Coward
    FAIL

    junk excuse

    if they'd actually used any of the Sec tools against their web interface they'd have found at least that one SQL injection attack open. Security is prime? my arse.

    1. Ilgaz

      They should be careful about new trend

      New trend is: "You don't care? Good bye" as seen with that poor dutch ssl provider. First time Mozilla and MS showed no mercy, purged their root.

      Things got way complex these days, even I security check a stupidly simple, easily readable php contact form on a website I manage. It is also damn easy, especially if you can/will pay for it.

  26. Anonymous Coward
    Anonymous Coward

    Why didn't they

    Map the name servers which are ns1.theregister.co.uk etc to the IP of their own nameserver and extend the TTL and get at least 24 hours depending on the internal cache rules of those queries made after the hack / max-cache-ttl/

    Would have been neater.

    Although looking at it yumur​tak​abugu​.com doesn't have it's own NS but uses active-dns.com. Still would only take a few minutes

    to set one up.

  27. The main man

    Funny really

    I find it weird that theregister: an authority on everything hacking is hacked by Turkish hackers/criminals...lol

    1. This post has been deleted by its author

  28. Steven Raith

    Oddness.

    I can't get to the site via direct IP or dns with IDNet, which is strange.

    Opera Turbo works fine though. I'll just use that till tomorrow and see if it's back again on regular browsers, etc.

    How terribly odd.

    Steven R

    1. Steven Raith

      Aaaand....we're back.

      I suppose that 24hr ttl must have expired at my ISP.

      Hurrah, etc.

      Steven R

  29. Anonymous Coward
    Windows

    ipconfig /flushdns

    Just a reminder.

    Windows users.

    Me included.

    I have no idea how to force my ISP to do it, but just in case...

    And El Reg was not hacked... but their ISP was. Namely the DNS resolver.

    Or something along that line.

    You know, Windows user.

  30. Anonymous Coward
    Anonymous Coward

    No To NATO

    I work at a certain fairly hugish Belgian NATO site. Haven't had El Reg all day! It just doesn't resolve. Boo hoo!

    Will obviously try again tomorrow.

  31. Anonymous Coward
    FAIL

    Hang on....

    I'm confused, when hackers were targeting Sony, that was good, you gave them plenty of press, even encouraging them by your vicious reporting.

    Now YOU are the target, it's not so funny?

    Please tell me what to think this week, it's hard to keep up...

    1. Drewc (Written by Reg staff) Gold badge

      Re: Hang on....

      You are deluded or a Sony shill. Or both.

      We were not hacked - Sony was. More than once, spilling tens of millions of records in the worst breach.

      We have never encouraged anyone to hack anything.

  32. mrmond

    hosts files

    It was all very well getting instructions to edit hosts files with the IP but that only worked to get onto the site, couldn't access any comments and a lot of pages on the reg were still unable to resolve, even after the hosts edit. I was able to do some basic reading using Google cache and muttering about how everyone else seemed to be able to get on with no problems.

  33. John Savard Silver badge

    Obvious Helpful Measure

    If, when I go to a web site, its IP address has changed since the last time I visited it, the browser should prompt me, and ask if I want to go to the old address or the new one.

    After all, normally, browsers keep a browser history, and they go out and get the IP address from the URL before fetching the page with the IP address, so the information is there. Naturally, this is an extra pop-up when a page legitimately changes, but when people see the old page really isn't there, then they can proceed based on the change apparently being legitimate.
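
The check proposed in the comment above, sketched as an added example (not part of the original post or of any browser's code): compare each fresh lookup with the addresses previously accepted for that hostname. The class and function names and the `example.test` lookups are constructed for illustration.

```python
"""Flag hostnames whose resolved addresses differ from the last visit."""
import ipaddress


class ResolutionHistory:
    """Remembers the addresses previously accepted for each hostname."""

    def __init__(self):
        self.seen = {}  # hostname -> set of canonical address strings

    @staticmethod
    def _key(hostname):
        return hostname.rstrip(".").lower()

    @staticmethod
    def _canonical(addresses):
        # ip_address() rejects malformed input and normalises IPv6 spelling.
        return {str(ipaddress.ip_address(a.strip())) for a in addresses}

    def check(self, hostname, addresses):
        """Return 'unresolved', 'new', 'same', 'overlap' or 'changed'."""
        current = self._canonical(addresses)
        if not current:
            return "unresolved"
        previous = self.seen.get(self._key(hostname), set())
        if not previous:
            return "new"
        if current <= previous:
            return "same"
        # Partly known answers are typical of round-robin or CDN pools;
        # no overlap at all is the case worth prompting the user about.
        return "overlap" if current & previous else "changed"

    def accept(self, hostname, addresses):
        """Record addresses once the user (or policy) has approved them."""
        key = self._key(hostname)
        self.seen[key] = self.seen.get(key, set()) | self._canonical(addresses)


def demo():
    """Run constructed lookups (documentation address ranges only)."""
    history = ResolutionHistory()
    history.accept("www.example.test", ["192.0.2.10", "2001:db8::1"])
    return [
        history.check("WWW.Example.test.", ["2001:DB8:0:0:0:0:0:1"]),
        history.check("www.example.test", ["192.0.2.10", "192.0.2.11"]),
        history.check("www.example.test", ["203.0.113.66"]),
        history.check("other.example.test", ["198.51.100.5"]),
        history.check("www.example.test", []),
    ]
```

Only the "changed" verdict would warrant the prompt; "overlap" keeps sites that rotate through a pool of addresses from triggering it on every visit.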

  34. Mage Silver badge
    Unhappy

    Nothing here all day

    Even if I typed in the IP of El Reg

    I think the ISP must have "pulled the plug".

  35. Mr Young
    Happy

    Hey man - you seemed to have gone offline for a bit?

    No Reg! I very nearly just about maybe shivered a little! Does the perp know about the world of pain concept yet?

  36. Dan 55 Silver badge
    Black Helicopters

    Seeing as SSL and DNS lately seem to be the targets du jour

    I've just installed the following Firefox addons...

    Certificate Patrol

    DNSSEC Validator (changing the preferences to use OARC's validator)

    I've imported CACert.org's two root certificates, added CACert.org's revoke list to auto-update in Firefox, and made everything validate via OCSP with CACert Class 3 Root - Root CA and when a connection fails treat the certificate as invalid.

    Also, before I had my ISP's secondary DNS as my primary DNS server and OpenDNS's secondary DNS as my secondary DNS server. Now as my ISP have demonstrated they're useless at DNS it's OpenDNS all the way.

    Any other suggestions welcome.

  37. MNB

    beg to differ

    "While no-one can completely defend against such sustained and concentrated malicious attacks ... "

    if it was SQL injection, then yes you can completely defend against "little bobby tables" and all his "insert into dns..." chums.

    Unless of course it wasn't SQL injection in the deeply orthodox sense.

  38. Roberto99
    Happy

    Some Turkish translations

    Just in case anyone cared to know:

    Turkish is an agglutinative language and very idiomatic.

    güven - feeling of being safe or secure

    güvenlik - security, safety (think of lik as roughly meaning with)

    Turkgüvenliği - Turk related security, safety? (Obviously there is some heavy irony and idiom here.)

    yumurta - egg..... or testicle!

    kabuk - outer covering; eggshell

    yumurta kabuğu - more verbose way of saying eggshell; scrotum is usually haya torbası

    So would you trust a DNS named "eggshell" or what could be a veiled reference to scrotum?

    Maybe you can see now why the Turks might be getting more of a kick out of this than you thought. Like if you got everyone to use a DNS server called up1.gentlemanssausage.net. Hehehehehehe

  39. 404 Silver badge
    Happy

    Good.

    I sent in a radioactively hot response to some commentard Sunday and when I couldn't get back this morning - thought I had seriously pissed somebody off at el Reg... I am relieved.

    ;)

  40. Jolyon Smith
    Holmes

    "While no-one can completely defend against such sustained and concentrated malicious attacks ..."

    ... defending against SQL Injection is on the other hand actually, very easy and we are desperately ashamed that we demonstrated such rank incompetence that we left such a gaping hole in our security systems, thereby proving our claim that our customers' privacy and security are of paramount importance to be a barefaced lie issued by our marketing department without prior vetting by our technical or legal teams.

    That *is* the way that quote continued, isn't it ?

    Glad to have you back El Reg.

  41. Herby Silver badge

    The need for seeing eye dogs...

    Look Presbyopia strikes us all (it started happening to me at age 50). No need to go to the fondleslab version of things, as there is a nice plugin for Firefox named "NoSquint" that puts things in a proper perspective (render things at 120% text).

    Unfortunately not all web sites (thanks for being kind ElReg!) aren't up to the task and you get overlaid text (or worse!). Unfortunately, many of these sites are ones used by employers, or their agents, and they don't work well at all. But I seem to get through, which may be part of the test. (*SIGH*)

    1. Anonymous Coward
      Anonymous Coward

      Any other suggestions welcome...

      ...Yep, I used Comodo DNS but surprisingly just changed to Norton DNS after seeing a useful comparison on Youtube

  42. Simon B
    Go

    Welcome back

    I've only 4 words .. 'Welcome back, The Register' :)

  43. Andy E
    Facepalm

    Virgin bloody Media

    Still can't access El Reg from any PC or Mac connected to Virgin Media's cable network. The question is do I want to waste several hours trying to convince them they have a problem that will not be solved by me rebooting the router and/or the PC?

  44. anarchic-teapot

    +1

    to all the welcomebacks.

    I followed the sad tale on Twitter and watched the wave of replication worldwide as the thing spread and subsided. Fascinating to watch, not quite as gripping when you try to describe it to someone else though. Shame.

  45. Anonymous Coward
    Anonymous Coward

    Wear an extra condom

    Been using Open DNS and Comodo DNS then changed to Norton DNS after seeing this review. Not quite apples and oranges I know but still a fruity topic and worth mentioning as an extra layer of protection for professionals and small businesses rather than some of you big and clever boys and girls out there.

    http://www.youtube.com/watch?v=6OY6v90BfQg

  46. Chris Evans
    FAIL

    Fail by El Reg!

    Like many I couldn't access El Reg all day Monday (Except via Google's cache) But www.reghardware.com had nothing informing us of the situation on their front page, Doh!

    Access via 72.3.246.59 or 212.100.234.54 also failed

    1. Drewc (Written by Reg staff) Gold badge

      Re: Fail by El Reg!

      access via 72.3.246.59 will fail, but updating your DNS to 72.3.246.59 would work...

      But yes, good point about Reg Hardware. Every little helps!

  47. JonathanGael

    turkish hackers

    Nothing is impossible, especially if sloppy programming caused the vulnerability which enabled an SQL injection attack. If we look at the bigger picture, this type of hacking tool is just another form of malware. We offer that Ether2 will enable a path to ensemble computing, where according to Intel research, we will have a higher sensitivity to malware, stronger neighborhood trust models leading to self configuration, and the ability for servers to collaborate in order to defend the network. Secondarily, if it was a DoS attack designed to take the server down by overflowing the buffer, then the fact that nodes can share compute power (basically giving any LAN supercomputing cluster capabilities) would allow load balancing between servers at the edge of the network so the attack couldn’t take hold, and the offending IP addresses could be red flagged, ports blocked, etc. The question about how they got in must be answered. If they sneaked by the session border controller in an encrypted media packet for say a VoIP or video flow, we’ll be running a proprietary watermarking technique to render the executable code inoperable. Then there is the issue of deep packet inspection getting overloaded at the gateway, and Ether2 is 100% distributed so the DPI load would also be running in distributed network chips, as opposed to gateway flooding. In short, we take a more global view on the security issues in networks, and when the network architecture resembles cable TV, it will be a paradigm shift for security.
