The hack resulted in the home pages for Google.ro, Yahoo.ro, PayPal.ro and a couple of other Romanian sites being defaced and redirected. On the defacement, the attacker simply claimed to be Algerian and said “to be continued…”. Site defacements such as this have been common for more than a decade now, and hackers often brag about new defacements on various sites that track such attacks. But it’s relatively rare for a major site such as Google or Yahoo to fall victim to a defacement like this. Stefan Tanase, a senior security researcher at Kaspersky Lab, said the attack likely was accomplished via DNS poisoning, but there’s no way of telling at what level the poisoning was done. (via Romanian Google, Yahoo Home Pages Defaced | threatpost)
- “All we know is that Google’s public DNS servers (184.108.40.206 and 220.127.116.11) were resolving requests for google.ro and other major .RO websites to the IP address hosting the defacement page,” Tanase said. “This basically means that everyone using Google’s public DNS servers in their network configuration could not access these domains. The problem gets even worse when you factor in that many organizations and even country-wide ISPs are relying on Google’s DNS servers to resolve requests.”
- A DNS cache poisoning attack can be done in a couple of ways, but the end result is that users who attempt to go to a site such as Google.ro will be redirected to a site controlled by the attacker. One common method for these attacks is for the attacker to spoof the IP address of the target site’s DNS servers and then enter an address for a server he controls. He can then direct victims to his server and deliver whatever content he chooses.
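
A monitoring check for the symptom described above, where a resolver starts answering for several unrelated domains with one unexpected address. This is an added example, not code from the original article; the resolver names, domain names, baseline networks and addresses are constructed (documentation ranges), and the observations are embedded rather than queried live.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each monitored name is expected to resolve into.
EXPECTED = {
    "portal.example": ["192.0.2.0/24", "198.51.100.0/24"],
    "pay.example": ["198.51.100.128/25"],
}

# Constructed observations: resolver -> name -> A records it returned.
OBSERVED = {
    "resolver-a": {"portal.example": ["192.0.2.10"], "pay.example": ["198.51.100.200"]},
    "resolver-b": {"portal.example": ["198.51.100.7"], "pay.example": ["198.51.100.201"]},
    "resolver-c": {"portal.example": ["203.0.113.66"], "pay.example": ["203.0.113.66"]},
}

def in_expected(addr, cidrs):
    """True if addr falls inside any of the baseline networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def find_suspect_answers(observed, expected):
    """Return sorted (resolver, name, address) tuples that fall outside the baseline."""
    suspects = []
    for resolver, names in observed.items():
        for name, addrs in names.items():
            cidrs = expected.get(name)
            if cidrs is None:
                continue  # no baseline for this name, nothing to compare against
            suspects.extend((resolver, name, a) for a in addrs if not in_expected(a, cidrs))
    return sorted(suspects)

def shared_rogue_addresses(suspects, min_names=2):
    """Out-of-baseline addresses returned for several names: many unrelated
    domains pointing at one host is a strong sign of poisoned answers."""
    names_by_addr = defaultdict(set)
    for _resolver, name, addr in suspects:
        names_by_addr[addr].add(name)
    return {a: sorted(n) for a, n in names_by_addr.items() if len(n) >= min_names}

if __name__ == "__main__":
    found = find_suspect_answers(OBSERVED, EXPECTED)
    for resolver, name, addr in found:
        print(f"ALERT {resolver}: {name} -> {addr} is outside the baseline")
    print(shared_rogue_addresses(found))
```

Comparing against a baseline of expected networks, rather than only checking whether resolvers agree with each other, avoids false alarms from CDNs that legitimately hand different addresses to different resolvers.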