Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Comcast's DNS records hijacked, redirect to hacked page

By | May 29, 2008, 10:08am PDT

For a couple of hours yesterday, Comcast’s Internet Portal (comcast.net) had its DNS records hijacked and a defaced web page was loading from third-party domains. Further investigation into this incident reveals a connection between the group responsible for Comcast’s DNS hijacking and previous incidents such as the defacements of Justin Timberlake, Hilary Duff and Tila Tequila’s MySpace profiles. Comcast.net itself wasn’t hacked; its DNS records were hijacked, so whenever someone visited comcast.net, the defaced page was loaded from different servers. Let’s assess the incident by taking a look at the way Comcast’s DNS records changed yesterday, find out who’s behind it, and how a couple of hours later Comcast restored access to its domain.

On 28-May-2008 23:05:43 EDT Comcast.net’s WHOIS records were hijacked and were returning the following information:

Administrative Contact:
Domain Registrations, Comcast
kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk
69 dick tard lane
dildo room
PHILADELPHIA, PA 19103
US
4206661870 fax: 6664200187

During that time, the page used in the defacement was loading from two different locations, namely freewebs.com /buttpussy69 and freewebs.com /kryogeniks911, which continue returning the message:

KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven

Due to the changed DNS records, comcast.net was also unreachable for a certain period of time, and within the next couple of hours, once Comcast noticed the incident and took action to restore access to its domain, a “Web Site Under Construction” message was appearing.

Comcast’s DNS records hijacked

Comcast’s DNS records returned to their original state on 29-May-2008 01:18:02 EDT:

Administrative Contact:
Domain Registrations, Comcast
domregadmin@comcastonline.com
Comcast Cable Communications Mgmt. LLC
One Comcast Center
40th Fl.
PHILADELPHIA, PA 19103
US
215-286-8665 fax: 6664200187

The hijacking was also picked up by uptime monitoring services, which registered the longest downtime for the Comcast.net domain in the past three years (98.29%), or 18 minutes:

Tracking down the DNS hijackers using the message they left leads to the well-known Kryogeniks group (kryogeniks.org), and to elul21 (username.com/tmp), another web site defacer and part of the WINGS Hacking Team, alongside CoLL1er.

Investigation is ongoing; details will be posted once more data is gathered.
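From a defender's side, the incident above (and the MX discussion in the comments below) comes down to three observable symptoms: the delegation moving to nameservers nobody at the company controls, the WHOIS admin contact being replaced, and MX lookups returning nothing. The check below is an added example written for this page, not Comcast's or the author's code; it compares a DNS/WHOIS snapshot against a baseline and flags each symptom. All hostnames and addresses are constructed placeholders under .invalid.

```python
from typing import List, Set

# Constructed baseline (placeholders under .invalid, not Comcast's real records):
# what the delegation, mail exchangers and WHOIS admin contact should be.
BASELINE = {
    "ns": {"ns1.example-isp.invalid", "ns2.example-isp.invalid"},
    "mx": {"mx1.example-isp.invalid", "mx2.example-isp.invalid"},
    "whois_admin_email": "domregadmin@example-isp.invalid",
}


def check_snapshot(observed: dict, baseline: dict = BASELINE) -> List[str]:
    """Compare an observed snapshot with the baseline; return findings ([] = OK).
    observed["ns"] / ["mx"] are sets of hostnames; empty set = no answer (timeout)."""
    findings: List[str] = []
    ns: Set[str] = set(observed.get("ns", set()))
    mx: Set[str] = set(observed.get("mx", set()))

    # Delegation pointing at nameservers outside the baseline is the registrar-
    # account hijack described above: every record in the zone is now foreign.
    rogue_ns = ns - baseline["ns"]
    if rogue_ns:
        findings.append(f"CRITICAL: delegation changed, unexpected NS {sorted(rogue_ns)}")
    elif not ns:
        findings.append("CRITICAL: no NS answer, domain is unresolvable")

    # No MX answer means inbound mail bounces or queues even when the web
    # portal is reachable (the point made in the nslookup comment).
    if not mx:
        findings.append("HIGH: no MX answer, inbound mail for the domain is failing")
    elif mx != baseline["mx"]:
        findings.append(f"HIGH: MX changed to {sorted(mx)}, mail may be redirected")

    # A replaced admin contact is the earliest sign of a registrar account takeover.
    email = observed.get("whois_admin_email")
    if email != baseline["whois_admin_email"]:
        findings.append(f"HIGH: WHOIS admin contact changed to {email!r}")
    return findings


# Constructed snapshots: the healthy state and a hijacked state (delegation
# moved, contact replaced, MX lookup timing out).
HEALTHY = dict(BASELINE)
HIJACKED = {"ns": {"ns1.freehost.invalid"}, "mx": set(),
            "whois_admin_email": "hijacker@webmail.invalid"}

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(name, check_snapshot(snap) or ["OK"])
```

Run it from a cron job against snapshots taken by an external resolver (not the ISP's own) so a hijacked delegation is seen the way the rest of the Internet sees it.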

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

32 Comments

RE: Comcast's DNS records hijacked, redirect to hacked page
qms_services@... 17th Jun 2008
Very Interesting and disturbing.

Terry Davis
Ann Arbor Michigan
0 Votes
Pity....
MGP2 29th May 2008
Couldn't have happened to a nicer company.
0 Votes
Contributor
Re: Pity....
ddanchev 29th May 2008
It can obviously happen to any company and in this second we're not even talking about a second tier domain registrar, but one of the major ones.
0 Votes
Re: Pity....
Steve Goldman 30th May 2008
It's not the company that people are worried about. It's the company's users. I'm one of those users.
0 Votes
So how would this have affected e-mails
Michael Kelly 29th May 2008
to Comcast subscribers? Somehow I doubt the hijackers would have been generous enough to have left the MX record alone.
0 Votes
So how would this have affected e-mails
wreid77 Updated - 29th May 2008
This kind of attack (by my recollection) usually is more about showing that it can be done and embarrassing the big corporation than actually causing a problem for end users. Even though nothing is said in any story I have found (and no way Comcast would admit anything) I would guess the MX record wasn't touched.
The biggest impact on mail users would have been that they couldn't get to their email through the Comcast.net portal.
0 Votes
It's more than that.
ye 29th May 2008
[ye@gx240 ~]$ nslookup -type=mx comcast.net
;; connection timed out; no servers could be reached

[ye@gx240 ~]$ date
Thu May 29 14:32:55 MDT 2008

Without MX records no one at comcast.net can receive e-mail.
0 Votes
Re: It's more than that
wreid77 29th May 2008
I know that without an MX users can't receive email, but...where did the information change? Was it on Comcast's DNS or somewhere else?
It seems like it would have to have been on the authoritative server to make such a widespread problem.

If it were a case of setting up your own DNS server and running a man in the middle for connections to the authoritative server then yes the entire zone would have been replaced. If the attack was changing data on the official server then the MX could very well have been preserved.

I don't know the answers to the questions I'm asking, but I am competent enough to think beyond no MX means no mail.
0 Votes
You said, and I quote:
ye 29th May 2008
I would guess the MX record wasn't touched. The biggest impact on mail users would have been that they couldn't get to their email through the Comcast.net portal.

I don't know if the MX record was touched or not. But it's not resolvable so the last sentence is wrong. One cannot receive e-mail at comcast.net right now even though the portal is accessible.
0 Votes
Yes
ZachE84 29th May 2008
Only the DNS (tells your browser which server to request the URL from) was changed, no actual data or security was compromised.
0 Votes
Why are you telling me this?
ye 29th May 2008
.
0 Votes
Contributor
Re: Yes
ddanchev 30th May 2008
Sticking to some core information principles:

http://en.wikipedia.org/wiki/Image:CIA_triad.png

the availability of the data was successfully attacked.
0 Votes
So how would this have affected e-mails
rcander@... 30th May 2008
Actually, once the "website under construction" message came up, anybody with Windows 2000 was able to access the primary web page, as well as email, immediately (I'm still one of those.)
However, anybody running Windows XP had to wait until the following day, in order to be able to access everything normally.
0 Votes
Network Solutions...
bjbrock 29th May 2008
has really no protection mechanism to protect those who register domains through them. Hack the account password, and changes, even transfer of ownership, are very easy. I know Godaddy sends an e-mail any time changes are made to any of the domains I have registered there. I can't believe NS didn't send out some kind of confirmation e-mail to Comcast when the changes were made. They probably did and the registered Admin paid no attention.
0 Votes
Contributor
Re: Network Solutions...
ddanchev 30th May 2008
This is a very good point given someone socially engineered Network Solutions by impersonating Comcast, and requesting the accounting data from Network Solutions. Which is what I think happened.
One good throttle deserves another. :-D
Tell us the rest of the story...how could this even be done? Thanks.

Great story.
" Great story. "

Why is this a great story?
Has Comcast changed any of their practices?
No.
Spraying graffiti on a building is not a great story.
Comcast changing their business model would be a great story.
They care not one whit for their Customers because they have a quasi monopoly.
What's good for their customers, is good for Comscam.
0 Votes
shoulda said...
blueguillemot@... 30th May 2008
I agree! The redirected website should have been a message that screamed the feelings of frustrated consumers! What a way to get some attention.

Sadly, a missed opportunity....
0 Votes
Contributor
Re: shoulda said...
ddanchev 30th May 2008
Why a "missed opportunity"? The web is abuzz with the story, and despite that they weren't spreading a particular message, the outbreak of comments speculating on why they did is already taking place.
0 Votes
because...
blueguillemot@... 30th May 2008
Missed opportunity because while there is a lot of buzz about this, the buzz isn't as directed as it could be....
0 Votes
Contributor
It's a "great story" because it showcases that even high-profile domains can still be hijacked in 2008, something we haven't seen in a while.

Comparing the redirection of comcast.net for three hours to a page where anything malicious could have been served and denying email service for the same period of time to everyone @comcast.net, next to graffiti on a building isn't the best example I can think of.

Perhaps the reason for this hijacking was due to what you're saying in your post. A big "fan club". And a big "fan club" hijacking such high profile site with the idea to have them even consider changing the practices you're referring to, is quite a story from my perspective.
I was unable to connect to comcast.net for over 18 hours, I don't know where that 18 minutes came from. Also I was able one time late wednesday night to access my email briefly before being sent to the site under construction. I now worry that my info and passwords might have been hacked and stolen? Should I be concerned?
0 Votes
Well then simply change them. The more time you "worry" your passwords MAY have been compromised (which may or may not be reasonable) the more time if they HAVE been..to work.
0 Votes
Contributor
That was perhaps due to the fact that you haven't flushed your DNS, so that the cached and broken DNS entries were the ones you were trying to access. The 18 minutes come from a distributed DNS monitoring service, which provides the big picture. Consider changing your passwords whatsoever. In the worst case some incoming emails didn't make it through.
Came late to this story, so I didn't know...but--
Rec'd two forwarded emails via one of my lesser-used Comcast addresses this morning ~0700 Central. One had address similar to my actual, the other was nothing like anything I had.
Methinks Comcast is still cleaning up...
0 Votes
Comcast is not alone
IAmLegion20ll 30th May 2008
HostGator had a "breach" as well; a week and a half ago, they sent a full customer list email stating login creds must be changed. Blamed it on a flaw in their recent bill pay system that allowed past 'disgruntled' employees having potential access to all of their customers' FTP login creds - and required password change. I'm surprised this wasn't picked up by zdnet; seemed very fishy to me at the time, and still does.
A few executions might slow this crap down.
0 Votes
Happen To Agree
EBathory 31st May 2008
I am sick and tired of hearing of various hijacks, all garden varieties types of new malware, the need for layer and layer of more protection etc. It is time to deal with these criminals as the international crime figures that they are.

I was recently told that the US government is employing previous hackers to work for them. This is an outrage. It is rewarding criminals instead of punishing them.

A bleeding heart attitude is entirely inappropriate. Punishment must be meted out so severely that future hackers will be so intimidated by the fact that there is far too much to lose to even begin to think of proceeding in their nefarious operations.

Take off the silk gloves.
0 Votes
bleeding heart?
donkeytroe 2nd Jun 2008
Enough cliche - It's not a 'bleeding heart' mentality that leads our govt or business to employ people of questionable backgrounds. Hell, we raced the soviets to get as many Nazi scientists as we could after WW2, even though they were the ones making the rockets that rained down on our ally England.

It's expediency. It might be tasteless and dangerous (depending on how much freedom the individuals are given in performing their duties) but you can't pin this on 'liberalism' - which is what people associate with the so called 'Bleeding Heart' (Sacred Heart) icon.

It's not an overabundance of empathy that leads organizations to use criminals against criminals....cops don't care about their informants or moles, they use them (and sometimes get used by them in return) to get results. Whether those results are worth the trouble can be debated, but let's focus on the real issue instead of playing pin the blame on the conservative/liberal (take your pick).
0 Votes
Use other DNS servers ... its easy
pcguy777 2nd Jun 2008
My DNS address normally is the same as my gateway... however I've had problems with comcast dns not resolving sometimes.

Here's an easy fix... just update your alternate dns settings with one of the root servers... 4.2.2.1 etc...

and you'll be fine
0 Votes