Google.com.pk Hacked — Technical Details

Google.com.pk (Google Pakistan) was hacked early this morning and has been inaccessible for the last several hours. This domain gets all of Google's traffic from Pakistan: anyone opening Google.com from a Pakistani IP address is redirected to it.

Not only Google, other big names like Yahoo, Microsoft Pakistan and Apple are also apparently “hacked”. The domains Microsoft.pk, Yahoo.pk and Apple.pk remain inaccessible.

Turkish hacking group/individual “Eboz” has claimed responsibility by uploading a defaced page. The question, however, is: were they all really “hacked”? Nope, not really. Let’s analyze a few things.

Performing a simple WHOIS lookup on Google.com.pk reveals the following DNS records, as of 9PM PST:

DNS records

name           class  type  data                                   time to live
google.com.pk  IN     A     127.0.0.1                              3600s (01:00:00)
google.com.pk  IN     NS    dns2.freehostia.com                    3600s (01:00:00)
google.com.pk  IN     SOA   server: dns1.freehostia.com            3600s (01:00:00)
                            email: support@freehostia.com
                            serial: 1353750918
                            refresh: 28800
                            retry: 7200
                            expire: 604800
                            minimum ttl: 86400
google.com.pk  IN     NS    dns1.freehostia.com                    3600s (01:00:00)
google.com.pk  IN     MX    preference: 10                         3600s (01:00:00)
                            exchange: mbox.freehostia.com


As you can see, the NS records, which designate the nameservers authoritative for the domain (and thus who gets to answer with its IP addresses), have been changed to freehostia.com’s nameservers. Freehostia is a free web hosting provider, and Google, Apple or the other affected big brands surely won’t be using a free hosting service!

What this reveals is that the hackers managed to take control of the domain registrar/registry and changed the DNS records. In this case, .pk domain names are handled by PKNIC.

It’s important to note that this doesn’t mean the hackers actually gained access to these companies’ servers. That is highly unlikely! Rather, they just pointed the domain names at DNS records under their own control, and people visiting these websites were redirected to the pages set up by the hackers.

Google.com.pk is not opening because the IP address to which it points has been changed to 127.0.0.1. That is the loopback address: if you try to open it, you just connect to port 80 on your own computer.
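The two symptoms described above (delegation moved to an unexpected provider, and an A record pointing at loopback) are easy to monitor for. The following Python script is an added example, not code from the original post: it parses a record dump in the same “name class type data ttl” layout shown above and reports both indicators. The sample dump mirrors the records quoted in the post; the EXPECTED_NS set is a placeholder for whatever delegation the domain owner actually expects (an assumption, not taken from the post).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str
    ttl: int


def parse_records(dump: str) -> list[Record]:
    """Parse lines like 'google.com.pk IN A 127.0.0.1 3600s' into Records."""
    records = []
    for line in dump.strip().splitlines():
        name, _cls, rtype, data, ttl = line.split()
        records.append(Record(name, rtype, data, int(ttl.rstrip("s"))))
    return records


def hijack_indicators(records: list[Record], expected_ns: set[str]) -> list[str]:
    """Return findings; an empty list means the delegation looks as expected."""
    findings = []
    seen_ns = {r.data.rstrip(".").lower() for r in records if r.rtype == "NS"}
    unexpected = seen_ns - expected_ns
    if unexpected:
        findings.append(f"NS delegation moved to unexpected servers: {sorted(unexpected)}")
    missing = expected_ns - seen_ns
    if missing:
        findings.append(f"expected nameservers missing from delegation: {sorted(missing)}")
    for r in records:
        if r.rtype == "A":
            ip = ipaddress.ip_address(r.data)
            # Loopback, private or unspecified addresses should never appear for a public site.
            if ip.is_loopback or ip.is_private or ip.is_unspecified:
                findings.append(f"A record for {r.name} points at non-routable address {r.data}")
    return findings


# Constructed sample mirroring the records quoted in the post (not a live lookup).
HIJACKED_DUMP = """
google.com.pk IN A 127.0.0.1 3600s
google.com.pk IN NS dns2.freehostia.com 3600s
google.com.pk IN NS dns1.freehostia.com 3600s
"""
# Placeholder for the delegation the domain owner expects (assumption, not from the post).
EXPECTED_NS = {"ns1.example-owner.invalid", "ns2.example-owner.invalid"}

if __name__ == "__main__":
    for finding in hijack_indicators(parse_records(HIJACKED_DUMP), EXPECTED_NS):
        print("ALERT:", finding)
```

Run periodically against a fresh dump of the zone's public answers, the script flags the delegation change before users start landing on the defacement page.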

Published by

Ehtisham Siddiqui