Comcast's DNS records hijacked, redirect to hacked page


Summary: For a couple of hours yesterday, Comcast's Internet Portal (comcast.net) had its DNS records hijacked and a defaced web page was loading from third-party domains.

TOPICS: Networking

For a couple of hours yesterday, Comcast's Internet Portal (comcast.net) had its DNS records hijacked and a defaced web page was loading from third-party domains. Further investigation into this incident reveals a connection between the group responsible for Comcast's DNS hijacking and previous incidents such as the defacements of Justin Timberlake, Hilary Duff and Tila Tequila's MySpace profiles. Comcast.net itself wasn't hacked; its DNS records got hijacked, so whenever someone visited comcast.net, the defaced page was loading from different servers. Let's assess the incident by taking a look at the way Comcast's DNS records changed yesterday, find out who's behind it, and see how a couple of hours later Comcast restored access to its domain.

On 28-May-2008 23:05:43 EDT Comcast.net's WHOIS records were hijacked, and were returning the following information:

Administrative Contact: Domain Registrations, Comcast kryogenicsdefiant@gmail.com Defiant still raping 2k8 ebk 69 dick tard lane dildo room PHILADELPHIA, PA 19103 US 4206661870 fax: 6664200187

During that time, the page used in the defacement was loading from two different locations, namely freewebs.com /buttpussy69 and freewebs.com /kryogeniks911, which continue to return the message:

KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven

Due to the changed DNS records, comcast.net was also unreachable for a certain period of time, and within the next couple of hours, once Comcast noticed the incident and took action to restore access to its domain, a "Web Site Under Construction" message was appearing.


Comcast's DNS records returned to their original state on 29-May-2008 01:18:02 EDT:

Administrative Contact: Domain Registrations, Comcast domregadmin@comcastonline.com Comcast Cable Communications Mgmt. LLC One Comcast Center 40th Fl. PHILADELPHIA, PA 19103 US 215-286-8665 fax: 6664200187

The hijacking was also picked up by uptime monitoring services, which recorded the longest downtime for the Comcast.net domain in the past three years (98.29%), or 18 minutes:
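As an added example (not part of the original article, nor tooling from Comcast or its registrar), here is a small Python check of the kind an uptime or brand-protection monitor could run: it parses the two administrative-contact records quoted above and diffs a baseline registration/DNS snapshot against a hijacked one, flagging changed nameservers, a changed admin contact (especially one moved to a free-mail provider) and vanished MX records, the mail consequence the comments below argue over. The nameserver and MX hostnames are constructed placeholders and the free-mail list is a heuristic, not a complete one.

```python
import re

# Free-mail providers (heuristic list): a registrar contact moving off the registrant's own domain onto one is a takeover indicator.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?<![\w@.-])\+?\d[\d-]{6,}\d(?![\w@.])")

# Admin-contact text as reported in the article (street-address wording omitted).
ORIGINAL_CONTACT = ("Administrative Contact: Domain Registrations, Comcast domregadmin@comcastonline.com "
                    "Comcast Cable Communications Mgmt. LLC PHILADELPHIA, PA 19103 US 215-286-8665 fax: 6664200187")
HIJACKED_CONTACT = ("Administrative Contact: Domain Registrations, Comcast kryogenicsdefiant@gmail.com "
                    "PHILADELPHIA, PA 19103 US 4206661870 fax: 6664200187")

def parse_admin_contact(whois_text):
    """Extract e-mail and phone from a flattened WHOIS 'Administrative Contact' block."""
    emails = EMAIL_RE.findall(whois_text)
    phones = PHONE_RE.findall(whois_text)
    return {"email": emails[0] if emails else None,
            "phone": phones[0] if phones else None}

def compare_snapshots(baseline, current):
    """Diff two registration/DNS snapshots and return (severity, message) findings, worst first."""
    findings = []
    if set(current["ns"]) != set(baseline["ns"]):        # delegation moved: whole zone is attacker-controlled
        findings.append(("CRITICAL", f"authoritative NS set changed: "
                                     f"{sorted(baseline['ns'])} -> {sorted(current['ns'])}"))
    old, new = baseline["admin"]["email"], current["admin"]["email"]
    if new != old:                                        # registrar account data changed
        findings.append(("HIGH", f"registrar admin contact changed: {old} -> {new}"))
        if new and new.rsplit("@", 1)[1].lower() in FREEMAIL_DOMAINS:
            findings.append(("HIGH", "new admin contact is on a free-mail provider"))
    if baseline["mx"] and not current["mx"]:              # no MX resolvable: inbound mail bounces or queues
        findings.append(("HIGH", "MX records gone: inbound mail for the domain is undeliverable"))
    return findings

# Constructed snapshots: contact values follow the article; nameserver and MX
# hostnames are placeholders, not Comcast's real records.
BASELINE = {"admin": parse_admin_contact(ORIGINAL_CONTACT),
            "ns": {"ns1.registrant-dns.example", "ns2.registrant-dns.example"},
            "mx": {"mx1.registrant-dns.example"}}
HIJACKED = {"admin": parse_admin_contact(HIJACKED_CONTACT),
            "ns": {"ns1.attacker-dns.example"},
            "mx": set()}                                  # matches the thread's failed nslookup -type=mx

if __name__ == "__main__":
    for severity, message in compare_snapshots(BASELINE, HIJACKED):
        print(f"[{severity}] {message}")
```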


Tracking down the DNS hijackers using the message they left leads to the well-known Kryogeniks group (kryogeniks.org), and to elul21 (username.com/tmp), another web site defacer and part of the WINGS Hacking Team, next to CoLL1er.

The investigation is ongoing; details will be posted once more data is gathered.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

32 comments
  • Pity....

    Couldn't have happened to a nicer company.
    MGP2
    • Re: Pity....

      It can obviously happen to any company and in this second we're not even talking about a second tier domain registrar, but one of the major ones.
      ddanchev
    • Re: Pity....

      It's not the company that people are worried about. It's the company's users. I'm one of those users.
      Steve Goldman
  • So how would this have affected e-mails

    to Comcast subscribers? Somehow I doubt the hijackers would have been generous enough to have left the MX record alone.
    Michael Kelly
    • So how would this have affected e-mails

      This kind of attack (by my recollection) usually is more about showing that it can be done and embarrassing the big corporation than actually causing a problem for end users. Even though nothing is said in any story I have found (and no way Comcast would admit anything) I would guess the MX record wasn't touched.
      The biggest impact on mail users would have been that they couldn't get to their email through the Comcast.net portal.
      wreid77
      • It's more than that.

        [ye@gx240 ~]$ nslookup -type=mx comcast.net
        ;; connection timed out; no servers could be reached

        [ye@gx240 ~]$ date
        Thu May 29 14:32:55 MDT 2008

        Without MX records no one at comcast.net can receive e-mail.
        ye
        • Re: It's more than that

          I know that without an MX users can't receive email, but...where did the information change? Was in on Comcast's DNS or somewhere else?
          It seems like it would have to have been on the authoritative server to make such a widespread problem.

          If it were a case of setting up your own DNS server and running a man in the middle for connections to the authoritative server then yes the entire zone would have been replaced. If the attack was changing data on the official server then the MX could very well have been preserved.

          I don't know the answers to the questions I'm asking, but I am competent enough to think beyond no MX means no mail.
          wreid77
          • You said, and I quote:

            [i]I would guess the MX record wasn't touched. The biggest impact on mail users would have been that they couldn't get to their email through the Comcast.net portal.[/i]

            I don't know if the MX record was touched or not. But it's not resolvable so the last sentence is wrong. One cannot receive e-mail at comcast.net right now even though the portal is accessible.
            ye
          • Yes

            Only the DNS (tells your browser which server to request the URL from) was changed, no actual data or security was compromised.
            ZachE84
          • Why are you telling me this?

            .
            ye
          • Re: Yes

            Sticking to some core information principles:

            http://en.wikipedia.org/wiki/Image:CIA_triad.png

            the availability of the data was successfully attacked.
            ddanchev
    • So how would this have affected e-mails

      Actually, once the "website under construction" message came up, anybody with Windows 2000 was able to access the primary web page, as well as email, immediately (I'm still one of those.)
      However, anybody running Windows XP, had to wait until the following day, in order to be able to access everything normally.
      rcander@...
  • Network Solutions...

    has really no protection mechanism to protect those who register domains through them. Hack the account password and changes, even transfer of ownership, are very easy. I know Godaddy sends an e-mail any time changes are made to any of the domains I have registered there. I can't believe NS didn't send out some kind of confirmation e-mail to Comcast when the changes were made. They probably did and the registered Admin paid no attention.
    bjbrock
    • Re: Network Solutions...

      This is a very good point given someone socially engineered Network Solutions by impersonating Comcast, and requesting the accounting data from Network Solutions. Which is what I think happened.
      ddanchev
  • Musta been all those bit torrent users who were chewing up bandwidth....

    One good throttle deserves another. :-D
    ThePrairiePrankster
    • Re: Musta been all those bit torrent users who were chewing up bandwidth...

      TorrentFreak are speculating on the same possibility:

      http://torrentfreak.com/comcast-hacked-in-bittorrent-throttling-packback-080529/
      ddanchev
  • RE: Comcast's DNS records hijacked, redirect to hacked page

    Tell us the rest of the story...how could this even be done? Thanks.

    Great story.
    ZachE84
    • re: Comcast's DNS records hijacked, redirect to hacked page

      "Great story."

      Why is this a great story?
      Has Comcast changed any of their practices?
      No.
      Spraying graffiti on a building is not a great story.
      Comcast changing their business model would be a great story.
      They care not one whit for their Customers because they have a quasi monopoly.
      What's [b]good[/b] for their customers, is good for [b]Comscam[/b].
      MowGreen
      • shoulda said...

        I agree! The redirected website should have been a message that screamed the feelings of frustrated consumers! What a way to get some attention.

        Sadly, a missed opportunity....
        blueguillemot@...
        • Re: shoulda said...

          Why a "missed opportunity"? The web is abuzz with the story, and despite that they weren't spreading a particular message, the outbreak of comments speculating on why they did it is already taking place.
          ddanchev