
Romanian Versions of Google, Yahoo Homepages Defaced by Algerian Hacker

Earlier today, the Romanian Google and Yahoo search pages were hijacked and redirected to a defacement page. The page was up for more than an hour but has now been fixed.

Preliminary investigation reveals that neither Google's nor Yahoo's servers were hacked or otherwise compromised. Instead, the attackers changed the DNS records for the domains, pointing the domain names to a server in the Netherlands that had probably also been hacked.

This appears to be the work of the same hackers who breached Pakistan's most popular web services a couple of days ago. However, while the motivation was strictly political in Pakistan, the attackers gave no clue about why they attacked the Romanian services. The troubled state of society in the Middle East has given birth to a number of responses from digital activist groups that end up attacking popular websites and dragging innocent users in as collateral damage.

If you visited the affected websites while they were compromised, you are strongly advised to flush your DNS cache by typing `ipconfig /flushdns` on Windows, `rndc flushname google.ro` on Linux or Unix and `dscacheutil -flushcache` on Mac OS X.

Update:

It appears that the rogue IP was somehow snuck into the RoTLD DNS system, which led to it being announced to all caching DNS servers of ISPs. What is extremely important is that the IP was also cached by Google's DNS service (8.8.8.8 and 8.8.4.4). Some Internet service providers have already refreshed their DNS cache for google.ro, while others are still serving the poisoned results.
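As an added illustration (not part of Bitdefender's post), a small stdlib-only Python check for the situation described above: it parses DNS A answers and flags resolvers whose cached answer differs from the authoritative one, together with the remaining TTL, which is how long a poisoned entry can keep being served after the registry record has been corrected. The responses are constructed in-process so it runs offline, and both IP addresses are placeholders rather than the incident's addresses.

```python
import struct
GENUINE_IP, ROGUE_IP = "192.0.2.10", "198.51.100.77"  # constructed placeholders, not the incident's addresses

def build_a_response(name, ip, ttl, txid=0x1234):
    """Constructed wire-format reply: one question, one A record whose owner name is a pointer (0xC00C) to it."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + qname + struct.pack(">HH", 1, 1) + rr

def _read_name(pkt, off):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:  # pointer to a name earlier in the packet
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + ln].decode())
        off += ln

def parse_a_answers(pkt):
    """Return [(ip, ttl), ...] for the A records in a response's answer section."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, out = 12, []
    for _ in range(qd):  # skip the question section
        _, off = _read_name(pkt, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((".".join(str(b) for b in pkt[off:off + 4]), ttl))
        off += rdlen
    return out

def stale_resolvers(authoritative, observed):
    """Flag resolvers whose A answers differ from the authoritative one, with the longest TTL they may keep it."""
    truth = {ip for ip, _ in parse_a_answers(authoritative)}
    flagged = {}
    for resolver, resp in observed.items():
        answers = parse_a_answers(resp)
        if {ip for ip, _ in answers} != truth:
            flagged[resolver] = (sorted(ip for ip, _ in answers), max((t for _, t in answers), default=0))
    return flagged
```

In practice the `observed` dict would hold the raw UDP replies from each resolver you want to audit (your ISP's, 8.8.8.8, and so on) and `authoritative` the reply from the zone's own nameserver.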

About The Author

Senior E-Threat Analyst

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


Comments (15)

  • ViRii

    .ro local time 11.58, accessing google.ro with an IP from Luxembourg, still looks down

    “By MCA-CRB

    Algerian Hacker…”

    with .ro ip, all is ok

    Reply
  • Bogdan Botezatu

    Hey there,

    The poisoning takes place at the ISP DNS cache level now. RoTLD returns the genuine IP. Let’s wait till the ISPs flush their cached entries.

    Reply
  • Adrian

    Any news about the ROTLD database being hacked yesterday?
    It is my understanding that they lost the (clear-text) passwords for .ro domain administration and had to reset them.

    As we speak, the ROTLD website is down (specifically https://domadmin.rotld.ro)

    Adrian

    Reply
    • Bogdan Botezatu

      Nope, nothing new from RNC yet, though we tried to contact them several times. Not sure about what happened, but if what you’re saying is true, things would be really messed up. I think they should really issue an official statement to clear the suspense :)

      Reply
  • Adrian

    I’m guessing they have hotter potatoes on their plates right now than releasing an official statement – maybe they’re just trying to contain & analyze the attack.

    The passwords reset could be just a preventive action, if they are not sure of the nature (and extent) of the breach… one thing is sure: yesterday several .ro domains could not be accessible on rotld.ro website (due to incorrect login credentials) and today the site is down for 6-7h already…

    May I say that ICI Bucuresti could at least place a “we’re working on this page” sign, so as we are not “welcomed” by a 404 :)

    Adrian

    Reply
  • Adrian

    That’s no surprise, everyone knew that rotld was hacked for 2-3 days now (except they didn’t bother telling us)
    Still, they’re kinda contradicting themselves: they admit to an attack and data alteration for ns info, but they still affirm that “the DNS servers were not affected” ?!

    One more rant:
    I believe this is the only country in the world where the card payment is done via:
    - sending via fax (?!) a form with all the details (name, address, id info, cc number, expiration date, everything)
    - a copy of the credit card, both sides !

    For everyone interested (ro language):
    http://rotld.ro/portal/site_media/downloads/credit-card-form_ro.txt

    That’s nice, isn’t it, I sleep sooo good at night when I think about all my credit card and personal info laying somewhere in a fax machine…

    Adrian

    Reply
  • Bogdan Botezatu

    I think they meant that the root server was not jacked in any way, as the flaw was present at the domains control panel. If the failure was with the root NS, the attacker would have had access to all .ro domains, regardless of registrar, as opposed to the current situation, where they seized control over the domains registered through RoTLD (or at least, that’s what I understood).

    The payment mechanism is really worthy of the 20th century, but probably saved them from a major incident now, if they had credit card data stored in the vulnerable database :)

    I hope they have that fax machine in a “no access” area and that those faxes are properly stored or at least, properly disposed of.

    Reply
  • Alex

    At last, ROTLD confirmed the hack. Million dollar industry, poor security. Nice!

    Reply
    • Adrian

      And now, just to be sure, they’ve stopped the website altogether.
      Maybe for maintenance, maybe for re-resetting the passwords, maybe for cleanup, who knows…

      PS: Again with the 404, grrr

      Reply
  • Bogdan Botezatu

    I think they’re upgrading CentOS on the web server. The URL returns 403 and 404 arbitrarily :) Well, at least we know that there’s somebody working hard in there.

    Reply
  • malware

    worst case scenario:
    all users that access a .ro domain redirected to a client-side exploit > a few million people transformed into zombies

    “mca-crb” was a nice hacker
    after a few clicks:
    5,536 of which 1,177 single IP and 4,359 mass defacements [source zone-h.org] in less than 2 years…

    btw, this was a virus, not a deface :- “very serious face”:
    “The specialists at InfoMedia are very close to giving you the remedy for the Algerian virus “” that affected the google.ro page”
    e-cafenea.ablog.ro/2012-11-28/mca-crb-algerian-hacker.html

    Reply
  • Bogdan Botezatu

    I agree, the worst case scenario would have had quite an impact. However, let’s be thankful that the hacker was either not interested in harming regular users, or did not have the necessary infrastructure to run active content to ~one mil concurrent users. It’s one thing to serve a GIF / PNG / whatever type of image he served and it’s another thing to run a database server / PHP / Apache and still withstand one million connections.

    MCA-CRB has quite some history in defacements. And, speaking about defacements, we all know this was a “virus”. It was running between the chair and the keyboard :).

    Reply


© 2012 Powered By Bitdefender
