IE Domain Registry confirms hijacking of the DNS nameservers

By EDRi · November 21, 2012

This article is also available in:
Deutsch: [IE Domain Registry bestätigt Angriff auf DNS Nameserver | https://www.unwatched.org/EDRigram_10.22_IE_Domain_Registry_bestaetigt_Angriff_auf_DNS_Nameserver?pk_campaign=edri&pk_kwd=20121107]

On 9 October 2012, those who tried to visit Google.ie and Yahoo.ie were
sent to an Indonesian webserver controlled by hackers.

After having investigated the security incident, the IE Domain Registry
(IEDR) confirmed on November 2012 that unauthorised change had been made
to the two .ie domains on an independent Registrar’s account which
resulted in a change of DNS nameservers.

Nameservers ensure that when users visit a certain domain, they are
pointed to the correct website on the correct server. In this case,
users, instead of being directed towards Google.ie and Yahoo.ie,
were redirected to a fraudulent server. The “hack” page was signed by
Hmei7? who is apparently an Indonesian hacker whose “signature” has
appeared on thousands of websites defacements, including attacks against
Asus and Siemens.

According to IEDR, for a 25 days period starting with 11 September 2012,
“the public-facing web server of the IEDR was subjected to repeated
attempts at unauthorised access from external sources”. The incident
occurred because the hacker had succeeded in exploiting a Joomla
(content management system installed on the IEDR website) plugin,
uploading malicious PHP web scripts. “PHP scripts were then used to
access a backend database and this database access subsequently provided
access to the IEDR control panel and permitted unauthorised
modifications to an account,” says IEDR statement.

“Luckily there haven’t been any reports of any malware or viruses coming
from the two websites. The sites were timing out and we suspect the
hacker’s webservers were overwhelmed; they couldn’t cope with the volume
of traffic Google and Yahoo would normally receive. Luckily, the IEDR
were quick to restore the correct DNS nameservers on both the domain
name and minimise the disruption caused. Luckily, other websites like
Microsoft.ie which is also managed by MarkMonitor were not affected.
It’s all very lucky. It is a security disaster but it could have been
much worse. If website visitors had been infected with malware, Google,
Yahoo, MarkMonitor and the IEDR could have been dealing with a security
catastrophe,” stated Peter Armstrong from Irish webhosting provider
Spiral Hosting.

IEDR also confirmed that a criminal investigation by the Gardai Bureau
of Fraud Investigation would continue and assured that a recently
appointed Technical Services Manager would give more attention to
security policies, processes and procedures at the IE Domain Registry.
The IEDR’s Joomla website was replaced on 26 October with a new website
built using the Drupal content management system which was however
criticised for its design and lack of a WHOIS lookup facility. IEDR
replied that their priority had been to restore secure services and
that they would deal with the other issues in the next future.

Investigation concludes IE Domain Registry website was exploited (9.11.2012)
http://www.domainregistrar.ie/investigation-concludes-ie-domain-registry-website-was-exploited/

Google.ie and Yahoo.ie unavailable after “unauthorised change” to
nameservers (9.10.2012)
http://sociable.co/web/google-ie-and-yahoo-ie-unavailable-after-unauthorised-change-of-nameservers/

Scenes from the history of the IEDR (12.11.2012)
http://www.tjmcintyre.com/2012/11/scenes-from-history-of-iedr.html

Google.ie Hijacked? (9.11.2012)

Google.ie Hijacked?