For a couple of hours yesterday, Comcast's Internet Portal (comcast.net) had its DNS records hijacked and a defaced web page was loading from third-party domains. Further investigation into this incident reveals a connection between the group responsible for Comcast's DNS hijacking and previous incidents such as the defacements of Justin Timberlake, Hilary Duff and Tila Tequila's MySpace profiles. Comcast.net wasn't hacked, its DNS records got hijacked, so whenever someone visited comcast.net, the defaced page was loading from different servers. Let's assess the incident by taking a look at the way Comcast's DNS records changed yesterday, find out who's behind it, and how a couple of hours later Comcast restored access to its domain.
On 28-May-2008 23:05:43 EDT Comcast.net's WHOIS records were hijacked, and were returning the following information :
Administrative Contact: Domain Registrations, Comcast email@example.com Defiant still raping 2k8 ebk 69 dick tard lane dildo room PHILADELPHIA, PA 19103 US 4206661870 fax: 6664200187
During that time, the page used in the defacement was loading from two different locations, namely, freewebs.com /buttpussy69 and freewebs.com /kryogeniks911 which continue returning the message :
KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven
Due to the changed DNS records, comcast.net was also unreachable for a certain period of time, and within the next couple of hours upon Comcast noticing the incident and taking actions to restore access to their domain, a "Web Site Under Construction" message was appearing.
Comcast's original DNS records returned the their original state on 29-May-2008 01:18:02 EDT :
Administrative Contact: Domain Registrations, Comcast firstname.lastname@example.org Comcast Cable Communications Mgmt. LLC One Comcast Center 40th Fl. PHILADELPHIA, PA 19103 US 215-286-8665 fax: 6664200187
The hijacking was also picked up by uptime monitoring services, with the longest downtime for the Comcast.net domain for the past three years (98.29%) or 18 minutes :
Tracking down the DNS hijackers using the message left, leads to the well known Kryogeniks group (kryogeniks.org) , elul21 (username.com/tmp) as another web site defacer part of the WINGS Hacking Team, next to CoLL1er.
Investigation is ongoing, details will posted once more data is gathered.