DNS for the Malaysian copy of Google (google.com.my) apparently got hijacked. Right now, the hostnames google.com.my and www.google.com.my point to a host in Canada (142.4.211.228). (Thanks Alex for capturing the screen shot. My system would not allow me to connect to the IP address anymore.) The NS records point to servers that do not appear to be "genuine" either. Before, the NS records pointed to ns1.google.com and ns2.google.com, which are also authoritative for google.com. Now they point to sdns1.ovh.ca and ks4003824.ip-142-4-211.net. The whois information does not reflect that this is a Google domain, but it didn't change recently, and the site used to host a copy of Google's homepage according to archive.org. It is quite possible that Google uses a third party to operate part of its Malaysia site.
Update (via Twitter from @TheBackpackr): " We're the official co managing the domain for google.com.my @GoogleMsia. We are liaising with MYNIC on the DNS change."
The same group behind this attack also claims to have been successful against other Google country-level sites (Burundi and Kenya) recently.
If you haven't yet: start monitoring your DNS data! A quick minimal script to do so, written in 5 minutes (just cron it...):
#!/bin/sh
# Fetch the NS records for $DOMAIN from one of the TLD's own servers,
# compare them with the previous run and mail $ADMIN on any change.
TLD='edu'
DOMAIN='sans.edu'
ADMIN='your email'
# one authoritative server for the TLD
ns=`dig +short NS $TLD | tail -1`
# match the literal tab between IN and NS; plain grep does not expand '\t'
# (GNU grep needs -P for that, as noted in the comments), so build it here
TAB=`printf '\t'`
dig NS $DOMAIN @$ns | grep "IN${TAB}NS" | grep -v '^;' | sort > .$DOMAIN.new
if [ -f .$DOMAIN.old ]; then
    if ! cmp -s .$DOMAIN.old .$DOMAIN.new; then
        mail -s "Possible $DOMAIN hijack" $ADMIN < .$DOMAIN.new
        echo possible $DOMAIN hijack
    fi
fi
mv .$DOMAIN.new .$DOMAIN.old
(and please change the variable at the top ;-) )
------
Johannes B. Ullrich, Ph.D., SANS Technology Institute
Johannes, 4479 Posts, ISC Handler, Oct 10th 2013
I had to change the line
    dig NS $DOMAIN @$ns | grep 'IN\tNS' | grep -v '^;' | sort > .$DOMAIN.new
to
    dig NS $DOMAIN @$ns | grep -P 'IN\tNS' | grep -v '^;' | sort > .$DOMAIN.new
before I got any output.
Jasey, 93 Posts, Oct 10th 2013
Hm. Worked for me as above. What OS? (I ran my code on OS X.) Maybe a different version of grep?
Johannes, 4479 Posts, ISC Handler, Oct 10th 2013
On Red Hat the '-P' is needed because you used a Perl regular expression.
Johannes, 1 Post, Oct 11th 2013
I had to change
    dig NS $DOMAIN @$ns | grep 'IN\tNS' | grep -v '^;' | sort > .$DOMAIN.new
to
    dig NS $DOMAIN | grep -P 'IN\tNS' | grep -v '^;' | sort > .$DOMAIN.new
to get it to work on a Debian-based distro; DiG 9.8.4-rpz2+rl005.12-P1
Chris, 6 Posts, Oct 11th 2013
Also, some results are going to differ depending on the DNS provider (Cloudflare, for example) or on dig itself, so it could be worthwhile to cut out the expected field so that only the nameserver hostname itself is compared.
Chris, 6 Posts, Oct 11th 2013
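Following on from the diary's script and Chris's suggestion to compare only the nameserver hostnames, here is an added example (not code from the diary or its comments) that reduces two "dig NS" outputs to their NS targets, ignoring TTL, record order, letter case and the trailing dot, before comparing them. The dig output embedded below is constructed, and the nameserver names in it are hypothetical.

```shell
#!/bin/sh
# Added example: compare only the NS target hostnames from two dig runs,
# so resolver-specific differences (TTL, ordering, case) do not alert.

# Constructed sample dig output, not captured from a real query.
# BASELINE is the known-good delegation; SAME_OTHER_RESOLVER is the same
# delegation as another resolver might format it; HIJACKED swaps one server
# for a hypothetical name under the reserved .invalid TLD.
BASELINE='; <<>> DiG 9.8.4 <<>> NS sans.edu
;; ANSWER SECTION:
sans.edu.    3600    IN    NS    ns2.sans.edu.
sans.edu.    3600    IN    NS    ns1.sans.edu.'
SAME_OTHER_RESOLVER='sans.edu.    120    IN    NS    NS1.SANS.EDU.
sans.edu.    120    IN    NS    ns2.sans.edu.'
HIJACKED='sans.edu.    3600    IN    NS    ns1.sans.edu.
sans.edu.    3600    IN    NS    ns1.unexpected.invalid.'

# Read dig output on stdin, print one NS target per line: lowercase,
# trailing dot removed, sorted, duplicates dropped. awk splits on any
# whitespace, so the tab-vs-space issue from the thread does not arise.
ns_targets() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "NS" { print tolower($5) }' \
        | sed 's/\.$//' | sort -u
}

# Exit 0 when the NS sets in $1 and $2 are identical, 1 when they differ.
ns_same() {
    [ "$(printf '%s\n' "$1" | ns_targets)" = "$(printf '%s\n' "$2" | ns_targets)" ]
}

# Print expected versus observed NS sets, suitable as the body of an alert.
ns_report() {
    old=$(printf '%s\n' "$1" | ns_targets)
    new=$(printf '%s\n' "$2" | ns_targets)
    printf 'expected:\n%s\nobserved:\n%s\n' "$old" "$new"
}
```

In the diary's cron script, piping `dig NS $DOMAIN @$ns` through ns_targets in place of the grep stage gives a file that only changes when the delegation itself changes.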