
Google.ie DNS was hacked (now fixed)

80 points| thepies | 13 years ago |domainregistry.ie | reply

  domain:       google.ie
  descr:        Google, Inc
  descr:        Body Corporate (Ltd,PLC,Company)
  descr:        Registered Trade Mark Name
  admin-c:      KR59-IEDR
  tech-c:       CCA7-IEDR
  registration: 21-March-2002
  renewal:      21-March-2013
  status:       Active
  nserver:      ns1.farahatz.net
  nserver:      ns2.farahatz.net
  source:       IEDR

35 comments

[+] AlexMuir|13 years ago|reply
Unfortunately last year Google Ireland barely broke even. A tiny €24mil profit on a turnover of €12.5 BILLION [1]

Perhaps some charitable Irish taxpayer could sort their domain name out for them?

1: http://www.irishtimes.com/newspaper/finance/2012/1006/122432...

[+] j_col|13 years ago|reply
Not sure how that's relevant to this DNS issue?
[+] freehunter|13 years ago|reply
[IPv6 Ready] Whois Search Results PDF Print E-mail

[Querying whois.domainregistry.ie] [whois.domainregistry.ie]

% You have issued 1000 queries today. You have 0 queries per rolling 1 hours.

% You have reached your 1 hour limit.

Looks like they're blocking lookups for google.ie

Edit - actually looks like they're not doing any lookups. Searching anything gives the same error. I haven't done any lookups today for anything, but it thinks I did 1000.

[+] benmanns|13 years ago|reply
`whois google.ie` returns

  % Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96 
  % Do not remove this notice

  domain:       google.ie
  descr:        Google, Inc
  descr:        Body Corporate (Ltd,PLC,Company)
  descr:        Registered Trade Mark Name
  admin-c:      KR59-IEDR
  tech-c:       CCA7-IEDR
  registration: 21-March-2002
  renewal:      21-March-2013
  status:       Active
  nserver:      ns1.google.com  
  nserver:      ns2.google.com  
  nserver:      ns3.google.com  
  source:       IEDR

  person:       Kulpreet Rana
  nic-hdl:      KR59-IEDR
  source:       IEDR

  person:       eMarkmonitor Inc
  nic-hdl:      CCA7-IEDR
  source:       IEDR
Which looks like it could be cached information. Kulpreet Rana's LinkedIn "also viewed" section seems to identify her as a Google lawyer. The new nameservers are ns1.farahatz.net and ns2.farahatz.net.
[+] thepies|13 years ago|reply
just refresh, it said "10001 queries and -1 queries per rolling -1 hours" a minute ago

it seems like it's getting hammered now (the actual site iedr.ie)

[+] bscanlan|13 years ago|reply
  $ dig +trace www.google.ie
  ...
  google.ie. 172800 IN NS ns1.farahatz.net.
  google.ie. 172800 IN NS ns2.farahatz.net.
  ;; Received 79 bytes from 193.1.142.2#53(193.1.142.2) in 4 ms

  www.google.ie. 14400 IN CNAME google.ie.
  google.ie. 14400 IN A 119.235.27.219
  google.ie. 86400 IN NS ns2.farahatz.net.
  google.ie. 86400 IN NS ns1.farahatz.net.

  $ whois 119.235.27.219
  ...
  route: 119.235.16.0/20
  descr: Route object of PT Inet Global Indo
  descr: ISP
  descr: Jakarta Barat
  country: ID
  origin: AS18351
  mnt-by: MAINT-ID-INET
  changed: [email protected] 20090211
  source: APNIC

  person: Santoso Halim
  address: Pluit Permai 8 No.3A
  address: Jakarta-Utara
  address: Indonesia
  country: ID
  phone: +62-21-30047799
  fax-no: +62-21-30047798
  e-mail: [email protected]
  nic-hdl: SH1061-AP
  mnt-by: MAINT-ID-INET
  changed: [email protected] 20061020
  source: APNIC
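
An added example, not part of the thread or any commenter's code: a check over the `dig +trace` records quoted in the comment above that reports every responder whose NS set for the zone differs from an expected list. The expected nameservers are the `nserver` values from the whois record quoted earlier in the thread; the function names are hypothetical.

```python
import re

# Records copied from the `dig +trace` output quoted in the thread.
TRACE = """\
google.ie. 172800 IN NS ns1.farahatz.net.
google.ie. 172800 IN NS ns2.farahatz.net.
;; Received 79 bytes from 193.1.142.2#53(193.1.142.2) in 4 ms
www.google.ie. 14400 IN CNAME google.ie.
google.ie. 14400 IN A 119.235.27.219
google.ie. 86400 IN NS ns2.farahatz.net.
google.ie. 86400 IN NS ns1.farahatz.net.
"""
# Assumption: the nserver list from the whois record quoted in the thread.
EXPECTED_NS = ["ns1.google.com", "ns2.google.com", "ns3.google.com"]
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")
HOP = re.compile(r"^;; Received \d+ bytes from [^#\s]+#\d+\(([^)]+)\)")

def fqdn(name):
    return name.strip().lower().rstrip(".") + "."

def parse_trace(text):
    """Group records by responder: [(server, [(owner, type, rdata)])]."""
    hops, records = [], []
    for line in map(str.strip, text.splitlines()):
        hop, rr = HOP.match(line), RR.match(line)
        if hop:                  # dig names the responder after its records
            hops.append((hop.group(1), records))
            records = []
        elif rr:
            records.append((fqdn(rr.group(1)), rr.group(2).upper(), rr.group(3)))
    if records:                  # output cut off before the last ";; Received"
        hops.append(("unknown", records))
    return hops

def check_delegation(text, zone, expected_ns):
    """Return one finding per hop whose NS set for `zone` differs from expected_ns."""
    zone, expected = fqdn(zone), {fqdn(n) for n in expected_ns}
    findings = []
    for server, records in parse_trace(text):
        seen = {fqdn(r) for o, t, r in records if o == zone and t == "NS"}
        if seen and seen != expected:
            findings.append({"server": server,
                             "unexpected": sorted(seen - expected),
                             "missing": sorted(expected - seen)})
    return findings

if __name__ == "__main__":
    for finding in check_delegation(TRACE, "google.ie", EXPECTED_NS):
        print(finding)
```

A finding attributed to the parent zone's server (here 193.1.142.2, the responder for the first hop) means the delegation itself changed, not just a resolver's cached answer.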

[+] bscanlan|13 years ago|reply
...and it's been repaired.
[+] kiallmacinnes|13 years ago|reply
  # dig +short @8.8.8.8 google.ie (Google DNS #1)
  74.125.132.94

  # dig +short @8.8.4.4 google.ie (Google DNS #2)
  74.125.132.94

  # dig +short @208.67.222.222 google.ie (Open DNS #1)
  119.235.27.219

  # dig +short @208.67.220.220 google.ie (Open DNS #2)
  119.235.27.219

  # dig +short @ns1.farahatz.net google.ie
  ;; connection timed out; no servers could be reached

  # dig +short @ns2.farahatz.net google.ie
  ;; connection timed out; no servers could be reached

  # whois 74.125.132.94
  ...
  NetName: GOOGLE
  ...

  # whois 119.235.27.219
  ...
  netname: LINTASLINK-ID
  ...

[+] alexchamberlain|13 years ago|reply
So, the Google DNS servers are returning the correct values? Is it definitely Google's server which has been hacked?
[+] toyg|13 years ago|reply
If the likes of Google (tech-savvy, security-savvy, loads of cash) can't stay safe, the problem is huge.
[+] kiallmacinnes|13 years ago|reply
The fact that the fake nameservers were visible on iedr.ie means that it's likely the .ie TLD, or someone with the keys to google.ie (e.g. eMarkmonitor Inc) were the real cause.
[+] philjr|13 years ago|reply
The IEDR works on a fax based authorisation system for a lot of procedures which is low hanging fruit for an attacker. Any other type of compromise might be more interesting so curious if they'll release how this happened.
[+] rolmos|13 years ago|reply
This reminds me of Google Bolivia giving a certificate error because it points to Google.com:

https://www.google.bo/

[+] graue|13 years ago|reply
It looks like the working URL is https://www.google.com.bo/

Found that out thanks to the technical details in Firefox's SSL error screen, where it says:

"www.google.bo uses an invalid security certificate.

"The certificate is only valid for the following names: google.com , .google.com , .youtube.com , youtube.com , .youtube-nocookie.com , youtu.be , .ytimg.com , .android.com , android.com , .googlecommerce.com , googlecommerce.com , .url.google.com , .urchin.com , urchin.com , .google-analytics.com , google-analytics.com , .cloud.google.com , goo.gl , g.co , .gstatic.com , .google.ac , ..." and then goes on to list an enormous number of localized Google domains.

[+] unbeli|13 years ago|reply
yahoo.ie was hijacked too. Both are back to normal now, the incident duration was about 1h.
[+] anons2011|13 years ago|reply
http://www.whois.com/whois/google.ie

shows

  status:       Active
  nserver:      ns1.google.com
  nserver:      ns2.google.com
  nserver:      ns3.google.com
  source:       IEDR

Domaintools.com shows something else

http://whois.domaintools.com/google.ie

Something else that's worth a look at: http://host.robtex.com/ns1.farahatz.net.html#graph

[+] thepies|13 years ago|reply
resolving to

  nserver:      ns1.farahatz.net
  nserver:      ns2.farahatz.net

[+] thepies|13 years ago|reply
I noticed this as I was getting an error similar to

SSL received a record that exceeded the maximum permissible length

I then did a bit of checking.

I am using OpenDNS, which shows 119.235.27.219 as the IP now

Even when browser tries to redirect to google.com, it is hanging

The IEDR reloads the zonefile next at 5pm, although I suspect they may be a bit quicker about it today...

[+] wulczer|13 years ago|reply
Interesting:

  $ dig +short @8.8.8.8 google.ie
  173.194.39.119
  173.194.39.127
  173.194.39.120

  $ dig +short @ns1.farahatz.net google.ie
  119.235.27.219

  $ whois 119.235.27.219
  (...)
  descr:          PT. TEKNOLOGI LINTASLINK
  (...)
[+] edbloom|13 years ago|reply
well that can't be good! domain not due to expire until 21 March 2013 so looks like their dns records have been hijacked per the original submitter. A records are still going to google for me right now.
[+] bashzor|13 years ago|reply
I'm sorry but what exactly indicates that it's hacked? It says it belongs to Google Inc, the nameservers end in .google.com, what's wrong here?
[+] Kudos|13 years ago|reply
The story was posted 2 hours ago, do you think that might be enough time for them to have changed the nameservers back?
[+] aliks|13 years ago|reply
Please Google dont F with - white Seo