NZ domainz got hacked?

 
 
Jack Spratt
 
      05-17-2009
"Party Animal" <(E-Mail Removed)> wrote in message
news:guogbc$r1h$(E-Mail Removed)...
> Jack Spratt wrote:
>> "Party Animal" <(E-Mail Removed)> wrote in message
>> news:guofnb$qf9$(E-Mail Removed)...
>>> Jack Spratt wrote:
>>>
>>>>
>>>> So it's official. Not only is it more popular than its Open Source
>>>> counterparts but information and support is more easily found.
>>>>
>>> MySQL is open source.
>>>
>>> Open mouth.
>>> Change feet.

>>
>>
>>
>> If you unsnip what I wrote you may see that is exactly what I said.
>> I referred to MS SQL Server and its open source counterparts (mysql and
>> postgresql)
>>
>> Here is the relevant part again so you can read it while putting both
>> feet in.
>>
>>> Most SQL Injection attacks are against MS SQL server.
>>>
>>> Google hits for "MySQL SQL Injection" gives 617,000 hits, for
>>> "PostgreSQL SQL Injection" gives 109,000 hits and for "MS SQL Injection"
>>> gives 948,000 hits.

>>
>>

> Sorry
> Mmmmmmffffffffff
> <thud>






 
 
 
 
 
Enkidu
 
      05-17-2009
Jack Spratt wrote:
> "Enkidu" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Dave Doe wrote:
>>> In article <(E-Mail Removed)>, (E-Mail Removed)
>>> says...
>>>> Dave Doe wrote:
>>>>> In article <(E-Mail Removed)> ,
>>>>> (E-Mail Removed) says...
>>>>>> In article <4a0b379a$(E-Mail Removed)>,
>>>>>> (E-Mail Removed) says...
>>>>>>> Dave Doe wrote:
>>>>>>>> In article <c97674c4-30b7-470e-b3ea-21f8107ebb31
>>>>>>>> @y10g2000prc.googlegroups.com>, (E-Mail Removed)
>>>>>>>> says...
>>>>>>>>> I seem to recall a while back that someone commented
>>>>>>>>> about being unable to access Domainz....now I get a email
>>>>>>>>> off them saying they have changed my password....after a
>>>>>>>>> "security review"...
>>>>>>>>>
>>>>>>>>> yeah right.....
>>>>>>>> Perhaps Lawrence is in charge of DomainZ hackable Linux
>>>>>>>> servers - just simple SQL injection IIRC, got the DNS
>>>>>>>> records for several "big" NZ sites (not just msn) and
>>>>>>>> redirected them.
>>>>>>>>
>>>>>>> DomainZ runs Windows servers. Front end is IIS 6.0
>>>>>> They didn't hack those. They hacked the DNS servers, IIRC.
>>>>> Here's some more info for yer...
>>>>>
>>>>> http://www.zone-h.org/news/id/4708
>>>>>
>>>>> Looks like they hacked cpanel or somethin.
>>>>>
>>>> Yeah, the DNS servers themselves were not hacked from that
>>>> description. "SQL Injection" smells of MS SQL Server.
>>>
>>> ??? - how do you work that one out.
>>>

>> Most SQL Injection attacks are against MS SQL server.
>>
>> Google hits for "MySQL SQL Injection" gives 617,000 hits, for
>> "PostgreSQL SQL Injection" gives 109,000 hits and for "MS SQL
>> Injection" gives 948,000 hits.

>
> So it's official. Not only is it more popular than its Open Source
> counterparts but information and support is more easily found.
>

Watch it JS. You are spinning so fast you are in danger of drilling a
hole in the ground.

Cheers,

Cliff

--

The Internet is interesting in that although the nicknames may change,
the same old personalities show through.
 
 
 
 
 
AD.
 
      05-17-2009
On May 17, 5:48 pm, Dave Doe <(E-Mail Removed)> wrote:
> > Why do you think it is on Linux?

>
> I've already posted the link, but...
>
> http://www.zone-h.org/mirror/id/8791343

<snip>
> http://www.zone-h.org/mirror/id/8791339
>
> Note the OS and web servers in those links above.


You are misreading that information. The phony servers (ie the ones
hosting the 'defaced' pages) were running Linux/Apache. These servers
are where you end up due to the phoney DNS records - not the Domainz
servers that were compromised, nor the platform the original sites
were.

zone-h tracks defacements and records what the server platform was.
Strictly speaking the sites in question weren't defaced. For a normal
defacement, they end up recording the web server platform that was
broken, but when the DNS is exploited the web server platform itself
isn't broken so what the 'defaced' site was running is meaningless.

Or to put it another way, why would live.co.nz be running Linux /
Apache anyway? The live.co.nz servers were never compromised.

>
> http://www.nbr.co.nz/article/microso...updated-101421
>
> Note the pointer to Domainz controlling Co, the Melbourne site - you
> said they run MS IIS. Wrong, they run Apache...
>
> http://uptime.netcraft.com/up/graph?site=domainz.net.nz


You are misreading that too. Ignoring that it now (as of today) says
IIS 6 on Windows 2003, the previous platform that you assume is Apache
was F5 Big IP. They are hardware load balancers not web servers, and
would've passed the attack on to the backend web servers. According to
your page the last time Domainz ran Apache webservers on Linux was
2006.

Why or how would an Apache/Linux site use ASP for its pages?

> It appears to me that the DNS bug is in BIND. Must be Microsoft BIND is
> it?


Huh? That is jumping to conclusions without any evidence.

From zone-h (the same site you linked to):

http://www.zone-h.org/news/id/4708

"This time they exploited a simple SQL Injection vulnerability to hack
the administration panel of the registrar, where they modified the DNS
records of the domains."

ie they took control of the web admin panel with a SQL injection
attack, and used the admin panel's functionality to update the DNS
records. That is possible because the web admin panel is trusted to
edit the zone information.

How would BIND be vulnerable to SQL injection anyway?

>
> http://www.zdnet.com.au/news/securit...e-New-Zealand-
> sites/0,130061744,339296043,00.htm


That link was published early on before the details came out and
contains no real info about how it was done.

>
> http://www.theregister.co.uk/2008/08...hreat_remains/


And that link is about something else altogether. Cache poisoning
affects intermediate non authoritative DNS servers - this problem
affected the authoritative DNS servers hosting the .nz zone by
changing the actual records (not the cached lookups).

http://en.wikipedia.org/wiki/DNS_cache_poisoning

For it to have been cache poisoning it wouldn't have been the Domainz
DNS servers attacked, it would've been DNS forwarders at ISPs etc.
Which would only affect the people using those forwarders rather than
everyone.

So your only reason to suspect it was a BIND problem was because BIND
had a cache poisoning vulnerability last year? Never mind that this
problem wasn't cache poisoning, and everything else claims it was a
SQL injection attack on the admin panel?

Please don't be offended if I don't hire you as a security consultant.

--
Cheers
Anton
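
Added example, not part of the thread or of any poster's message: a small triage routine for the distinction drawn in the post above, between records changed at the authoritative servers and answers that are wrong only in resolver caches. The `Answer` type, the `triage` function, the server names and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    server: str            # server that was queried (constructed names below)
    authoritative: bool    # True for the zone's own name servers
    records: frozenset     # A records it returned for the name

def triage(expected, answers):
    """Say where wrong answers originate, given a known-good record set."""
    auth = [a for a in answers if a.authoritative]
    if not auth:
        return ("inconclusive", [])   # cannot judge without the source of truth
    bad_auth = [a.server for a in auth if a.records != expected]
    if bad_auth:
        # Zone data itself was edited: every resolver will fetch the bad records.
        return ("authoritative-records-changed", bad_auth)
    bad_rec = [a.server for a in answers
               if not a.authoritative and a.records != expected]
    if bad_rec:
        # Zone is intact; only these caches disagree, so only their users are hit.
        return ("resolver-cache-only", bad_rec)
    return ("clean", [])

# Constructed sample data (documentation address ranges, .example names).
GOOD = frozenset({"192.0.2.10"})
ROGUE = frozenset({"203.0.113.66"})
HIJACK = [
    Answer("ns1.registrar.example", True, ROGUE),
    Answer("ns2.registrar.example", True, ROGUE),
    Answer("resolver.isp-a.example", False, ROGUE),
    Answer("resolver.isp-b.example", False, GOOD),   # still holds the old record
]
POISON = [
    Answer("ns1.registrar.example", True, GOOD),
    Answer("ns2.registrar.example", True, GOOD),
    Answer("resolver.isp-a.example", False, ROGUE),
    Answer("resolver.isp-b.example", False, GOOD),
]

if __name__ == "__main__":
    print(triage(GOOD, HIJACK))
    print(triage(GOOD, POISON))
```

A `resolver-cache-only` result also appears for a while after a changed zone has been corrected, because resolvers keep the old answer until its TTL expires.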
 
 
 
 