[afnog] [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements

Dr Paulos Nyirenda paulos at sdnp.org.mw
Mon May 18 08:19:24 UTC 2009


Greetings from Malawi.

We also saw attempts to alter DNS records on the .mw ccTLD on 13 May 
2009 around midnight Malawi time. Attempts were made to alter DNS 
records at the registry for 23 domains linked to major brands 
including those listed by SM here. The attack attempt was on the SQL 
server but they did not manage to alter our DNS.

I would also like to confirm that this does not seem to be a case of 
DNS cache poisoning; it was an SQL-level attack attempt on the 
registry.

The attempt at .mw was to change the nameservers to hosts with names 
of the form - crackers*.homelinux.com - where * is empty or an 
integer. We saw the attack as coming from or via two or more networks 
including those with network names: (a) *fdcservers on ARIN and (b) 
TurkTelekom on RIPE.

Hope this gives additional technical information.

Regards,

Paulos
======================
Dr Paulos B Nyirenda
.mw ccTLD
http://www.registrar.mw


On 17 May 2009 at 13:58, SM wrote:

> At 02:42 17-05-2009, Calvin Browne wrote:
> >I agree with this - the release is just way too short on details to
> >understand what went wrong here.
> >More details are needed.
> 
> There are reports that the following web sites were affected:
> 
>   www.google.co.ma
> 
>   www.aol.ug
>   www.bmw.co.ug
>   www.cisco.co.ug
>   www.cnn.co.ug
>   www.defenceuganda.mil.ug
>   www.google.ug
>   www.hotmail.ug
>   www.hotmail.co.ug
>   www.microsoft.ug
>   www.orange.ug
>   www.toshiba.co.ug
> 
> The nameservers for google.co.ma were changed on 9th May.  The domain 
> resolved to a different IP address.  That brought visitors to a web 
> site which wasn't hosted by Google.  The .ug problem occurred between 
> 11 May and 13 May.  This is not a case of DNS cache 
> poisoning.  DNSSEC does not offer any protection against SQL injection attacks.
> 
> Regards,
> -sm 
> 
> _______________________________________________
> AfrICANN mailing list
> AfrICANN at afrinic.net
> https://lists.afrinic.net/mailman/listinfo.cgi/africann
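
The nameserver pattern reported for .mw (crackers*.homelinux.com, * empty or an integer) can be checked against a registry's record-change audit trail. The following is an added example, not part of the original messages or any registry's code; the log format, the domain names and the function names are assumptions constructed for illustration. It also flags bursts of changes pointing several domains at hosts under one parent name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern from the message: crackers*.homelinux.com, * empty or an integer.
IOC_NS = re.compile(r"^crackers\d*\.homelinux\.com\.?$", re.IGNORECASE)

# Constructed sample records (assumed format: UTC time, domain, requested NS).
SAMPLE_LOG = """\
2009-05-13T21:58:02Z example-a.mw ns1.hosting.example.net
2009-05-13T22:01:10Z brand-one.mw crackers.homelinux.com
2009-05-13T22:01:14Z brand-two.mw crackers2.homelinux.com
2009-05-13T22:01:19Z brand-three.mw CRACKERS15.homelinux.com.
2009-05-13T22:40:00Z example-b.mw ns2.crackers.homelinux.com.example.org
"""

def parse_events(text):
    """Return (timestamp, domain, nameserver) tuples from the audit text."""
    events = []
    for line in text.splitlines():
        ts, domain, ns = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), domain, ns))
    return events

def ioc_hits(events):
    """Domains whose requested nameserver matches the reported pattern."""
    return [domain for _, domain, ns in events if IOC_NS.match(ns)]

def burst_parents(events, window=timedelta(minutes=10), threshold=3):
    """Parent names that received NS changes for >= threshold domains in window."""
    by_parent = defaultdict(list)
    for ts, domain, ns in events:
        # Parent = everything after the first label of the nameserver host.
        parent = ns.rstrip(".").lower().split(".", 1)[-1]
        by_parent[parent].append((ts, domain))
    flagged = {}
    for parent, changes in by_parent.items():
        changes.sort()
        for i, (start, _) in enumerate(changes):
            domains = {d for ts, d in changes[i:] if ts - start <= window}
            if len(domains) >= threshold:
                flagged[parent] = sorted(domains)
                break
    return flagged

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("pattern matches:", ioc_hits(events))
    print("burst targets:", burst_parents(events))
```

The pattern is anchored, so a lookalike such as the last sample record does not match; the burst check is independent of the hostname and catches the same behaviour under a different name.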




