Comcast's DNS records hijacked, redirect to hacked page

Summary: For a couple of hours yesterday, Comcast's Internet Portal ( had its DNS records hijacked and a defaced web page was loading from third-party domains.

For a couple of hours yesterday, Comcast's Internet Portal ( had its DNS records hijacked and a defaced web page was loading from third-party domains. Further investigation into this incident reveals a connection between the group responsible for Comcast's DNS hijacking and previous incidents such as the defacements of Justin Timberlake, Hilary Duff and Tila Tequila's MySpace profiles. wasn't hacked, its DNS records got hijacked, so whenever someone visited, the defaced page was loading from different servers. Let's assess the incident by taking a look at the way Comcast's DNS records changed yesterday, find out who's behind it, and how a couple of hours later Comcast restored access to its domain.

On 28-May-2008 23:05:43 EDT's WHOIS records were hijacked, and were returning the following information:

Administrative Contact: Domain Registrations, Comcast Defiant still raping 2k8 ebk 69 dick tard lane dildo room PHILADELPHIA, PA 19103 US 4206661870 fax: 6664200187

During that time, the page used in the defacement was loading from two different locations, namely /buttpussy69 and /kryogeniks911, which continue to return the message:

KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven

Due to the changed DNS records, was also unreachable for a certain period of time, and within the next couple of hours, once Comcast noticed the incident and took action to restore access to its domain, a "Web Site Under Construction" message was appearing.


Comcast's original DNS records returned to their original state on 29-May-2008 01:18:02 EDT:

Administrative Contact: Domain Registrations, Comcast Comcast Cable Communications Mgmt. LLC One Comcast Center 40th Fl. PHILADELPHIA, PA 19103 US 215-286-8665 fax: 6664200187
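A field-by-field comparison of the two administrative-contact records quoted above, as an added example that is not part of the original post. It assumes the flattened one-line layout in which the records appear on this page; the function names `parse`, `drift` and `unchanged` are hypothetical.

```python
import re

# Administrative-contact records exactly as quoted on this page (one line each).
HIJACKED = ("Administrative Contact: Domain Registrations, Comcast Defiant still "
            "raping 2k8 ebk 69 dick tard lane dildo room PHILADELPHIA, PA 19103 "
            "US 4206661870 fax: 6664200187")
RESTORED = ("Administrative Contact: Domain Registrations, Comcast Comcast Cable "
            "Communications Mgmt. LLC One Comcast Center 40th Fl. PHILADELPHIA, "
            "PA 19103 US 215-286-8665 fax: 6664200187")

# Assumed layout: free text, then "CITY, ST ZIP CC PHONE fax: FAX".
RECORD = re.compile(
    r"^Administrative Contact: (?P<contact>.+?) "
    r"(?P<city>[A-Z]+(?: [A-Z]+)*), (?P<state>[A-Z]{2}) (?P<zip>\d{5}) "
    r"(?P<country>[A-Z]{2}) (?P<phone>[\d-]+) fax: (?P<fax>[\d-]+)$"
)

def parse(record):
    """Split one flattened record into named fields."""
    m = RECORD.match(" ".join(record.split()))  # collapse stray whitespace
    if m is None:
        raise ValueError("record does not match the assumed layout")
    fields = m.groupdict()
    for key in ("phone", "fax"):  # compare numbers by digits only
        fields[key] = re.sub(r"\D", "", fields[key])
    return fields

def drift(baseline, observed):
    """Fields whose value differs between two records: {field: (old, new)}."""
    a, b = parse(baseline), parse(observed)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def unchanged(first, second):
    """Fields that carry the same value in both records."""
    a, b = parse(first), parse(second)
    return {k: a[k] for k in a if a[k] == b[k]}

if __name__ == "__main__":
    for field, (old, new) in drift(HIJACKED, RESTORED).items():
        print(f"changed   {field}: {old!r} -> {new!r}")
    for field, value in unchanged(HIJACKED, RESTORED).items():
        print(f"unchanged {field}: {value!r}")
```

On the two records quoted above, only the contact text and the phone number differ; the fax value is the same in both, so a post-restoration check should compare every field with a known-good baseline rather than only the fields that visibly changed.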

The hijacking was also picked up by uptime monitoring services, which recorded the longest downtime for the domain in the past three years (98.29%), or 18 minutes.


Tracking down the DNS hijackers using the message they left leads to the well-known Kryogeniks group ( , elul21 ( as another web site defacer part of the WINGS Hacking Team, next to CoLL1er.

The investigation is ongoing; details will be posted once more data is gathered.

Topics: Networking


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...
