On 9 October 2012, those who tried to visit Google.ie and Yahoo.ie were sent
to an Indonesian webserver controlled by hackers.
After investigating the security incident, the IE Domain Registry (IEDR)
confirmed in November 2012 that an unauthorised change had been made to the two
.ie domains on an independent Registrar’s account, which resulted in a change of
DNS nameservers.
Nameservers ensure that when users visit a certain domain, they are pointed to
the correct website on the correct server. In this case, users, instead of being
directed towards Google.ie and Yahoo.ie, were redirected to a fraudulent server.
The “hack” page was signed by Hmei7, who is apparently an Indonesian hacker
whose “signature” has appeared on thousands of website defacements, including
attacks against Asus and Siemens.
According to IEDR, for a 25-day period starting on 11 September 2012, “the
public-facing web server of the IEDR was subjected to repeated attempts at
unauthorised access from external sources”. The incident occurred because the
hacker succeeded in exploiting a plugin for Joomla (the content management
system installed on the IEDR website) and uploading malicious PHP web scripts.
“PHP scripts were then used to access a backend database and this database
access subsequently provided access to the IEDR control panel and permitted
unauthorised modifications to an account,” says the IEDR statement.
“Luckily there haven’t been any reports of any malware or viruses coming from
the two websites. The sites were timing out and we suspect the hacker’s
webservers were overwhelmed; they couldn’t cope with the volume of traffic
Google and Yahoo would normally receive. Luckily, the IEDR were quick to restore
the correct DNS nameservers on both domain names and minimise the disruption
caused. Luckily, other websites like Microsoft.ie which is also managed by
MarkMonitor were not affected. It’s all very lucky. It is a security disaster
but it could have been much worse. If website visitors had been infected with
malware, Google, Yahoo, MarkMonitor and the IEDR could have been dealing with a
security catastrophe,” stated Peter Armstrong from Irish webhosting provider
Spiral Hosting.
IEDR also confirmed that a criminal investigation by the Garda Bureau of Fraud
Investigation would continue and gave assurances that a recently appointed
Technical Services Manager would give more attention to security policies,
processes and procedures at the IE Domain Registry. The IEDR’s Joomla website
was replaced on 26 October with a new website built using the Drupal content
management system, which was, however, criticised for its design and lack of a
WHOIS lookup facility. IEDR replied that their priority had been to restore
secure services and that they would deal with the other issues in the near
future.
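
The nameserver change described above is the kind of event a registry, registrar
or domain owner can catch by comparing the live delegation against a known-good
baseline. The following Python code is an added example, not part of the original
article or of any IEDR tooling; the domain names, nameserver names and function
names are constructed for illustration.

```python
# Added example. All domains, nameservers and records are constructed samples.
def normalise(name):
    """DNS names are case-insensitive and the trailing root dot is optional."""
    return name.rstrip(".").lower()

def parse_ns_records(zone_text):
    """Parse 'owner [ttl] [IN] NS target' lines into {owner: {nameservers}}."""
    delegations = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments
        upper = [f.upper() for f in fields]
        try:
            i = upper.index("NS", 1)                # record type, never the owner
        except ValueError:
            continue                                # not an NS record
        if i + 1 >= len(fields):
            continue                                # malformed: no target
        delegations.setdefault(normalise(fields[0]), set()).add(normalise(fields[i + 1]))
    return delegations

def diff_delegations(baseline, observed):
    """Report every baseline domain whose live nameserver set has drifted."""
    findings = []
    for domain in sorted(baseline):
        expected, current = baseline[domain], observed.get(domain, set())
        if current == expected:
            continue
        # "replaced" = no overlap with the baseline, the pattern in this incident
        severity = ("missing" if not current else
                    "replaced" if current.isdisjoint(expected) else "partial")
        findings.append({"domain": domain, "severity": severity,
                         "added": sorted(current - expected), "removed": sorted(expected - current)})
    return findings

BASELINE = parse_ns_records("""
search.example.ie.  172800 IN NS ns1.registrar-a.example.
search.example.ie.  172800 IN NS ns2.registrar-a.example.
portal.example.ie.  172800 IN NS ns1.registrar-a.example.
shop.example.ie.    172800 IN NS ns1.registrar-b.example.
""")
OBSERVED = parse_ns_records("""
search.example.ie.  IN NS ns1.unknown-host.example.   ; changed without a ticket
search.example.ie.  IN NS ns2.unknown-host.example.
portal.example.ie.  NS NS1.Registrar-A.EXAMPLE        ; same server, different case
shop.example.ie.    NS ns1.registrar-b.example.
shop.example.ie.    NS ns9.other.example.
""")

if __name__ == "__main__":
    print(diff_delegations(BASELINE, OBSERVED))
```

Run on a schedule against the parent zone's delegation, a "replaced" finding without a matching change request is the signal to escalate.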
Investigation concludes IE Domain Registry website was exploited (9.11.2012)
http://www.domainregistrar.ie/investigation-concludes-ie-domain-registry-website-was-exploited/
Google.ie and Yahoo.ie unavailable after “unauthorised change” to nameservers (9.10.2012)
http://sociable.co/web/google-ie-and-yahoo-ie-unavailable-after-unauthorised-change-of-nameservers/
Scenes from the history of the IEDR (12.11.2012)
http://www.tjmcintyre.com/2012/11/scenes-from-history-of-iedr.html
Google.ie Hijacked? (9.11.2012)
http://technology.ie/google-ie-hijacked/
Source: EDRi