Google.com.pk (Google Pakistan) website was hacked early morning today, and from the last several hours is still inaccessible. This domain gets all the traffic from Pakistan; people get redirected to it if a Pakistani IP opens Google.com.
Not only Google, other big names like Yahoo, Microsoft Pakistan and Apple are also apparently “hacked”. The domains Microsoft.pk, Yahoo.pk and Apple.pk remain inaccessible.
Turkish hacking group/individual “Eboz” has claimed responsibility by uploading a defaced page. The question, however, is: were they all really “hacked”? Nope, not really. Let’s analyze a few things.
Performing a simple WHOIS lookup on Google.com.pk reveals the following DNS records, as of 9PM PST:
DNS records

| name | class | type | data | time to live |
|---|---|---|---|---|
| google.com.pk | IN | A | 127.0.0.1 | 3600s (01:00:00) |
| google.com.pk | IN | NS | dns2.freehostia.com | 3600s (01:00:00) |
| google.com.pk | IN | SOA | | 3600s (01:00:00) |
| google.com.pk | IN | NS | dns1.freehostia.com | 3600s (01:00:00) |
| google.com.pk | IN | MX | | 3600s (01:00:00) |
As you can see, the NS records, which name the servers responsible for resolving the domain name to an IP address, have been changed to freehostia.com’s nameservers. Freehostia is a free web hosting provider, and Google, Apple or the other affected big brands surely won’t be using a free hosting service!
What this reveals is that the hackers managed to take control of the domain registrar/registry and changed the DNS records. In this case, .pk domain names are handled by PKNIC.
It’s important to note that this doesn’t mean those hackers actually gained access to the servers of these companies. It’s highly unlikely! Rather, they just pointed the domain names to their own DNS records, and people accessing these websites were redirected to the pages set up by the hackers.
Google.com.pk is not opening because the IP address to which it points has been changed to 127.0.0.1. That’s the loopback address: if you try to open it, you just connect to your own computer’s port 80.
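The two symptoms described above (NS records delegated to a nameserver the owner never configured, and an A record pointing at loopback) are exactly what a domain owner’s own monitoring should flag. The following is an added example, not code from the original post: a small Python checker that compares a domain’s observed records against an expected baseline. The records below are constructed from the table on this page; the expected nameserver suffix `example.net` and the healthy address `203.0.113.10` (an RFC 5737 documentation address) are hypothetical placeholders, not Google’s real infrastructure.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class DnsRecord:
    name: str
    rtype: str
    data: str


def _under_domain(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (label-boundary aware)."""
    host = host.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def check_delegation(records: Iterable[DnsRecord],
                     expected_ns_suffixes: Tuple[str, ...]) -> List[str]:
    """Return a list of findings; an empty list means the records match the baseline.

    Flags NS records outside the owner's expected nameserver domains, and
    A/AAAA records that point at loopback or other non-routable addresses.
    """
    findings = []
    for rec in records:
        if rec.rtype == "NS":
            if not any(_under_domain(rec.data, s) for s in expected_ns_suffixes):
                findings.append(
                    f"NS: {rec.name} delegated to unexpected nameserver {rec.data}")
        elif rec.rtype in ("A", "AAAA"):
            try:
                ip = ipaddress.ip_address(rec.data)
            except ValueError:
                findings.append(f"{rec.rtype}: {rec.name} has malformed address {rec.data!r}")
                continue
            if ip.is_loopback:
                findings.append(f"{rec.rtype}: {rec.name} points to loopback {ip}")
            elif ip.is_unspecified or ip.is_link_local or ip.is_multicast:
                findings.append(f"{rec.rtype}: {rec.name} points to non-routable {ip}")
    return findings


# Constructed from the WHOIS/DNS table in the post (SOA and MX rows omitted,
# since their data fields were not shown).
HIJACKED_RECORDS = [
    DnsRecord("google.com.pk", "A", "127.0.0.1"),
    DnsRecord("google.com.pk", "NS", "dns2.freehostia.com"),
    DnsRecord("google.com.pk", "NS", "dns1.freehostia.com"),
]

# Hypothetical healthy baseline for comparison (placeholder values).
HEALTHY_RECORDS = [
    DnsRecord("google.com.pk", "A", "203.0.113.10"),
    DnsRecord("google.com.pk", "NS", "ns1.example.net"),
    DnsRecord("google.com.pk", "NS", "ns2.example.net"),
]

EXPECTED_NS = ("example.net",)  # hypothetical: nameserver domain the owner controls


if __name__ == "__main__":
    for label, recs in (("healthy", HEALTHY_RECORDS), ("hijacked", HIJACKED_RECORDS)):
        result = check_delegation(recs, EXPECTED_NS)
        print(f"{label}: {'OK' if not result else 'ALERT'}")
        for line in result:
            print("  " + line)
```

In practice the record lists would come from a live lookup (for example `dns.resolver.resolve(name, "NS")` from dnspython) run on a schedule, with a second query against the registry’s own servers, since a hijack at the registrar/registry level, as in this incident, changes the delegation itself rather than anything on the owner’s servers.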
You just HAD to rain on that poor Turkish guy’s parade, didn’t you? Lol.
Just telling some facts 😛 DNS Hijacking is not too noobish either :p