{"id":456,"date":"2008-06-10T18:23:00","date_gmt":"2008-06-10T23:23:00","guid":{"rendered":"http:\/\/alsplace.aldenbaker.com\/alsplace\/internet\/456\/comcast%e2%80%99s-dns-records-hijacked-redirect-to-hacked-page\/"},"modified":"2008-06-10T18:23:00","modified_gmt":"2008-06-10T23:23:00","slug":"comcast%e2%80%99s-dns-records-hijacked-redirect-to-hacked-page","status":"publish","type":"post","link":"http:\/\/alsplace.info\/?p=456","title":{"rendered":"Comcast\u2019s DNS records hijacked, redirect to hacked page"},"content":{"rendered":"\n\n

May 29th, 2008 <\/h4>\n

Posted by Dancho Danchev<\/p>\n

For a couple of hours yesterday, Comcast’s Internet Portal (comcast.net<\/a>) had its DNS records hijacked and a defaced webdo you need a prescription for propecia<\/a> DNS records hijacked”>\"Comcast’s<\/a> page was loading from third-party domains. Further investigation into this incident reveals a connection between the group responsible for Comcast’s DNS hijacking and previous incidents such as the  defacements of Justin Timberlake, Hilary Duff and Tila Tequila’s MySpace profiles<\/a>. Comcast.net wasn’t hacked, its DNS records got hijacked<\/a>, so whenever someone visited comcast.net, the defaced page was loading from different servers. Let’s assess the incident by taking a look at the way Comcast’s DNS records changed yesterday<\/a>, find out who’s behind it, and how a couple of hours later Comcast restored access to its domain.<\/p>\n

On 28-May-2008 23:05:43 EDT Comcast.net’s WHOIS records were hijacked, and were returning the following information :<\/p>\n

\n

Administrative Contact:
Domain Registrations, Comcast
kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk
69 dick tard lane
dildo room
PHILADELPHIA, PA 19103
US
4206661870 fax: 6664200187<\/p>\n<\/blockquote>\n

During that time, the page used in the defacement was loading from two different locations, namely, freewebs.com \/buttpussy69<\/strong> and freewebs.com \/kryogeniks911<\/strong> which continue returning the message :<\/p>\n

\n

KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven<\/p>\n<\/blockquote>\n

Due to the changed DNS records, comcast.net was also unreachable for a  certain period of time, and within the next couple of hours upon Comcast noticing the incident and taking actions to restore access to their domain, a “Web Site Under Construction” message was appearing.<\/p>\n

\"Comcast’s<\/a><\/p>\n

Comcast’s original DNS records returned the their original state on 29-May-2008 01:18:02 EDT :<\/p>\n

\n

Administrative Contact:
Domain Registrations, Comcast
domregadmin@comcastonline.com
Comcast Cable Communications Mgmt. LLC
One Comcast Center
40th Fl.
PHILADELPHIA, PA 19103
US
215-286-8665 fax: 6664200187<\/p>\n<\/blockquote>\n

The hijacking was also picked up by uptime monitoring services, with the longest downtime for the Comcast.net domain for the past three years (98.29%) or 18 minutes :<\/p>\n

<\/a><\/p>\n

\"Comcast’s<\/a><\/p>\n

Tracking down the DNS hijackers using the message left, leads to the well known Kryogeniks group (kryogeniks.org<\/strong>) , elul21 (username.com\/tmp<\/strong>) as another web site defacer part of the WINGS Hacking Team, next to CoLL1er.<\/p>\n

Investigation is ongoing, details will posted once more data is gathered.<\/p>\n

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog<\/a> sharing real-time threats intelligence data with the rest of the community on a daily basis.<\/div>\n\n
\nBookmark to:<\/em><\/strong><\/a>\n
\n
\n
\n
\nHide Sites<\/a>\n<\/div>\n<\/div>\n\n