Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Twitter outage via DNS hijacking - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Twitter outage via DNS hijacking

A number of diary readers have submitted that the popular micro blogging site, Twitter.com has been defaced this morning.

The twitter.com status page has the following report:

Update (11:28p): Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.

If we receive any more information concerning the outage, or how the hijacking occured, we shall update the diary during the day. If you have any additional information, please let us know via the contact form.

Update: The following screen grab shows the DNS hijacking as recorded via the PassiveDNS systems. The host www . mowjcamp . org is currently hosting the defacement.

Steve Hall

 

 Stephen

89 Posts
Dec 18th 2009
Thread locked Subscribe Dec 18th 2009
1 decade ago
Here's an image courtesy of the folks at hackitall, although I'm quite certain it will be everywhere across the news by the morning. "Iranian Cyber Army" claiming responsibility in very broken English.

http://i.imgur.com/Q1EgM.jpg
 hacks4pancakes

48 Posts
Quote Dec 18th 2009
1 decade ago
Just updated the diary to show what the results of the dns hijacking where.
Stephen

89 Posts
Quote Dec 18th 2009
1 decade ago
What are the result of all this. Should I assume that the defacer now has my user credentials ? Or was it only the frontpage that was defaced ?

The IT security professional part of me screams "change password change password"
 Povl H.

79 Posts
Quote Dec 18th 2009
1 decade ago
povlhp - neither, although you should always change your password ;) The DNS entries for twitter were changed to point at another site (mowjcamp) which hosted the defacement.
 Stephen

89 Posts
Quote Dec 18th 2009
1 decade ago
I've collected all the information which I could find "out there" in a blogpost: http://hype-free.blogspot.com/2009/12/twitter-hacked.html

One interesting thought experiment to perform is the following: what if the rogoue server would have responded to the TwitterAPI requests (especially the authentication requests)? How many people would have said to their twitter client: ignore the certificate error?
 Anonymous
Quote Dec 18th 2009
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!