June 10, 2008

Comcast’s DNS records hijacked, redirect to hacked page

May 29th, 2008

Posted by Dancho Danchev

For a couple of hours yesterday, Comcast’s Internet Portal (comcast.net) had its DNS records hijacked and a defaced webdo you need a prescription for propecia DNS records hijacked”>Comcast’s DNS records hijacked page was loading from third-party domains. Further investigation into this incident reveals a connection between the group responsible for Comcast’s DNS hijacking and previous incidents such as the  defacements of Justin Timberlake, Hilary Duff and Tila Tequila’s MySpace profiles. Comcast.net wasn’t hacked, its DNS records got hijacked, so whenever someone visited comcast.net, the defaced page was loading from different servers. Let’s assess the incident by taking a look at the way Comcast’s DNS records changed yesterday, find out who’s behind it, and how a couple of hours later Comcast restored access to its domain.

On 28-May-2008 23:05:43 EDT Comcast.net’s WHOIS records were hijacked, and were returning the following information :

Administrative Contact:
Domain Registrations, Comcast
kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk
69 dick tard lane
dildo room
PHILADELPHIA, PA 19103
US
4206661870 fax: 6664200187

During that time, the page used in the defacement was loading from two different locations, namely, freewebs.com /buttpussy69 and freewebs.com /kryogeniks911 which continue returning the message :

KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven

Due to the changed DNS records, comcast.net was also unreachable for a  certain period of time, and within the next couple of hours upon Comcast noticing the incident and taking actions to restore access to their domain, a “Web Site Under Construction” message was appearing.

Comcast’s DNS records hijacked

Comcast’s original DNS records returned the their original state on 29-May-2008 01:18:02 EDT :

Administrative Contact:
Domain Registrations, Comcast
domregadmin@comcastonline.com
Comcast Cable Communications Mgmt. LLC
One Comcast Center
40th Fl.
PHILADELPHIA, PA 19103
US
215-286-8665 fax: 6664200187

The hijacking was also picked up by uptime monitoring services, with the longest downtime for the Comcast.net domain for the past three years (98.29%) or 18 minutes :

Comcast’s DNS records hijacked

Tracking down the DNS hijackers using the message left, leads to the well known Kryogeniks group (kryogeniks.org) , elul21 (username.com/tmp) as another web site defacer part of the WINGS Hacking Team, next to CoLL1er.

Investigation is ongoing, details will posted once more data is gathered.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis.

Filed under internet, security by al

Permalink • Print • Comment

Leave a comment

You must be logged in to post a comment.

Made with WordPress and a search engine optimized WordPress theme • Sky Gold skin by Denis de Bernardy