IE Domain Registry confirms hijacking of the DNS nameservers
This article is also available in:
Deutsch: IE Domain Registry bestätigt Angriff auf DNS Nameserver
On 9 October 2012, those who tried to visit Google.ie and Yahoo.ie were sent to an Indonesian webserver controlled by hackers.
After having investigated the security incident, the IE Domain Registry (IEDR) confirmed on November 2012 that unauthorised change had been made to the two .ie domains on an independent Registrar’s account which resulted in a change of DNS nameservers.
Nameservers ensure that when users visit a certain domain, they are pointed to the correct website on the correct server. In this case, users, instead of being directed towards Google.ie and Yahoo.ie, were redirected to a fraudulent server. The “hack” page was signed by Hmei7? who is apparently an Indonesian hacker whose “signature” has appeared on thousands of websites defacements, including attacks against Asus and Siemens.
According to IEDR, for a 25 days period starting with 11 September 2012, “the public-facing web server of the IEDR was subjected to repeated attempts at unauthorised access from external sources”. The incident occurred because the hacker had succeeded in exploiting a Joomla (content management system installed on the IEDR website) plugin, uploading malicious PHP web scripts. “PHP scripts were then used to access a backend database and this database access subsequently provided access to the IEDR control panel and permitted unauthorised modifications to an account,” says IEDR statement.
“Luckily there haven’t been any reports of any malware or viruses coming from the two websites. The sites were timing out and we suspect the hacker’s webservers were overwhelmed; they couldn’t cope with the volume of traffic Google and Yahoo would normally receive. Luckily, the IEDR were quick to restore the correct DNS nameservers on both the domain name and minimise the disruption caused. Luckily, other websites like Microsoft.ie which is also managed by MarkMonitor were not affected. It’s all very lucky. It is a security disaster but it could have been much worse. If website visitors had been infected with malware, Google, Yahoo, MarkMonitor and the IEDR could have been dealing with a security catastrophe,” stated Peter Armstrong from Irish webhosting provider Spiral Hosting.
IEDR also confirmed that a criminal investigation by the Gardai Bureau of Fraud Investigation would continue and assured that a recently appointed Technical Services Manager would give more attention to security policies, processes and procedures at the IE Domain Registry. The IEDR’s Joomla website was replaced on 26 October with a new website built using the Drupal content management system which was however criticised for its design and lack of a WHOIS lookup facility. IEDR replied that their priority had been to restore secure services and that they would deal with the other issues in the next future.
Investigation concludes IE Domain Registry website was exploited (9.11.2012)
Google.ie and Yahoo.ie unavailable after “unauthorised change” to
Scenes from the history of the IEDR (12.11.2012)
Google.ie Hijacked? (9.11.2012)