Google.ie DNS was hacked (now fixed) - thepies
http://www.domainregistry.ie/index.php?option=com_content&view=article&whois=google.ie&id=86&Itemid=105&Search.x=0&Search.y=0
    
    
      domain:       google.ie
      descr:        Google, Inc
      descr:        Body Corporate (Ltd,PLC,Company)
      descr:        Registered Trade Mark Name
      admin-c:      KR59-IEDR
      tech-c:       CCA7-IEDR
      registration: 21-March-2002
      renewal:      21-March-2013
      status:       Active
      nserver:      ns1.farahatz.net
      nserver:      ns2.farahatz.net
      source:       IEDR
    
======
AlexMuir
Unfortunately last year Google Ireland barely broke even. A tiny €24mil profit
on a turnover of €12.5 BILLION [1]

Perhaps some charitable Irish taxpayer could sort their domain name out for
them?

1:
[http://www.irishtimes.com/newspaper/finance/2012/1006/122432...](http://www.irishtimes.com/newspaper/finance/2012/1006/1224324959631.html)

~~~
j_col
Not sure how that's relevant to this DNS issue?

~~~
overbroad
Not sure if it's relevant but one of the major "DNS providers" (that preceded
Google) also chooses to domicile their operations in Ireland. They could just
as well locate anywhere, but I doubt they chose Ireland for tax purposes. That
just wouldn't make sense, right?

~~~
stephengillie
Secondarily, the amount of internet services hosted in Dublin makes it a good
spot to host DNS servers too.

------
kiallmacinnes
    
    
      # dig +short @8.8.8.8 google.ie (Google DNS #1)
      74.125.132.94
    
      # dig +short @8.8.4.4 google.ie (Google DNS #2)
      74.125.132.94
    
      # dig +short @208.67.222.222 google.ie (Open DNS #1)
      119.235.27.219
    
      # dig +short @208.67.220.220 google.ie (Open DNS #2)
      119.235.27.219
    
      # dig +short @ns1.farahatz.net google.ie
      ;; connection timed out; no servers could be reached
    
      # dig +short @ns2.farahatz.net google.ie
      ;; connection timed out; no servers could be reached
    
      # whois 74.125.132.94
      ...
      NetName:        GOOGLE
      ...
    
      # whois 119.235.27.219
      ...
      netname:        LINTASLINK-ID
      ...
    
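The comparison above (ask several recursive resolvers and the zone's own nameservers, then look up who owns each answer) is the standard first check when a hijack is suspected. Here it is automated as an added example that is not code from the thread: it parses `dig +short` transcripts, groups servers by the answer they gave, and flags any address outside an allowlisted netblock. The transcripts are constructed to mirror the comment, and the allowlist (`74.125.0.0/16`) is an assumption made for the example based only on the `NetName: GOOGLE` whois answer quoted above, not a statement of Google's real address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed `dig +short` transcripts, keyed by the server that was asked.
# Values mirror the comment: two resolvers return the GOOGLE-owned address,
# two return the LINTASLINK-ID one, and the rogue nameservers time out.
DIG_OUTPUTS = {
    "8.8.8.8": "74.125.132.94\n",
    "8.8.4.4": "74.125.132.94\n",
    "208.67.222.222": "119.235.27.219\n",
    "208.67.220.220": "119.235.27.219\n",
    "ns1.farahatz.net": ";; connection timed out; no servers could be reached\n",
    "ns2.farahatz.net": ";; connection timed out; no servers could be reached\n",
}

# ASSUMED allowlist for the example: the netblock the operator expects the
# name to resolve into.  Derived only from the whois answer for 74.125.132.94
# (NetName GOOGLE) quoted above; it is not a statement of Google's real ranges.
EXPECTED_PREFIXES = [ipaddress.ip_network("74.125.0.0/16")]


def parse_dig_short(text):
    """Return the address answers in a `dig +short` transcript as strings,
    or None if dig reported an error (a line beginning with ';;')."""
    answers = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;"):
            return None
        try:
            answers.append(str(ipaddress.ip_address(line)))
        except ValueError:
            # +short also prints CNAME targets; ignore non-address lines.
            continue
    return answers


def in_expected_prefixes(ip, prefixes=EXPECTED_PREFIXES):
    """True if `ip` (a string) lies inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def assess(outputs=DIG_OUTPUTS, prefixes=EXPECTED_PREFIXES):
    """Group servers by the answer set they returned and flag answers that
    fall outside the allowlist.  Returns:
      answer_sets: {frozenset of IPs: [servers that returned it]}
      unreachable: servers whose query failed
      unexpected:  {IP outside the allowlist: [servers that returned it]}
      consistent:  True only when every reachable server agreed
    Anything in `unexpected`, or consistent == False, is worth an alert.
    """
    by_answer = defaultdict(list)
    unreachable = []
    unexpected = defaultdict(list)
    for server, text in outputs.items():
        ips = parse_dig_short(text)
        if ips is None:
            unreachable.append(server)
            continue
        by_answer[frozenset(ips)].append(server)
        for ip in ips:
            if not in_expected_prefixes(ip, prefixes):
                unexpected[ip].append(server)
    return {
        "answer_sets": dict(by_answer),
        "unreachable": sorted(unreachable),
        "unexpected": {ip: sorted(v) for ip, v in unexpected.items()},
        "consistent": len(by_answer) <= 1,
    }


if __name__ == "__main__":
    report = assess()
    for ips, servers in report["answer_sets"].items():
        print(sorted(ips), "<-", servers)
    print("unreachable:", report["unreachable"])
    print("outside allowlist:", report["unexpected"])
    print("all reachable servers agree:", report["consistent"])
```

In a monitoring job the `DIG_OUTPUTS` dict would be filled from real `dig +short @server name` calls; the useful signal is not any single answer but the disagreement between resolvers plus the fact that the delegated nameservers themselves cannot be reached.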

~~~
alexchamberlain
So, the Google DNS servers are returning the correct values? Is it definitely
Google's server which has been hacked?

~~~
unbeli
It's definitely NOT Google's servers hacked, since at least one other domain
(yahoo.ie) was affected.

~~~
kiallmacinnes
Ooo - Interesting.

I was about to say that points the finger at the IEDR, but.. "eMarkmonitor
Inc" are involved with them too..

    
    
      # whois yahoo.ie
      ...
      person:       eMarkmonitor Inc
      ...
    

That basically means eMarkmonitor or the IEDR were hacked/had passwords
stolen.

~~~
dsl
Markmonitor handles all the ccTLDs (.ie, .co.uk, .de, etc) for almost all the
Fortune 500 companies. If they were hacked you'd see more than two changed .ie
domains.

------
bscanlan
    
    
      $ dig +trace www.google.ie
      ...
      google.ie.              172800  IN      NS      ns1.farahatz.net.
      google.ie.              172800  IN      NS      ns2.farahatz.net.
      ;; Received 79 bytes from 193.1.142.2#53(193.1.142.2) in 4 ms
      www.google.ie.          14400   IN      CNAME   google.ie.
      google.ie.              14400   IN      A       119.235.27.219
      google.ie.              86400   IN      NS      ns2.farahatz.net.
      google.ie.              86400   IN      NS      ns1.farahatz.net.
    
      $ whois 119.235.27.219
      ...
      route:        119.235.16.0/20
      descr:        Route object of PT Inet Global Indo
      descr:        ISP
      descr:        Jakarta Barat
      country:      ID
      origin:       AS18351
      mnt-by:       MAINT-ID-INET
      changed:      hostmaster@idnic.net 20090211
      source:       APNIC
    
      person:       Santoso Halim
      address:      Pluit Permai 8 No.3A
      address:      Jakarta-Utara
      address:      Indonesia
      country:      ID
      phone:        +62-21-30047799
      fax-no:       +62-21-30047798
      e-mail:       hostmaster@inet.net.id
      nic-hdl:      SH1061-AP
      mnt-by:       MAINT-ID-INET
      changed:      halim@inet.net.id 20061020
      source:       APNIC

~~~
bscanlan
...and it's been repaired.

------
freehunter
[IPv6 Ready] Whois Search Results PDF Print E-mail

    
    
      [Querying whois.domainregistry.ie] [whois.domainregistry.ie]
      % You have issued 1000 queries today. You have 0 queries per rolling 1 hours.
      % You have reached your 1 hour limit.
    

Looks like they're blocking lookups for google.ie

Edit - actually looks like they're not doing any lookups. Searching
anything gives the same error. I haven't done any lookups today for anything,
but it thinks I did 1000.

~~~
benmanns
`whois google.ie` returns

    
    
      % Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96 
      % Do not remove this notice
    
      domain:       google.ie
      descr:        Google, Inc
      descr:        Body Corporate (Ltd,PLC,Company)
      descr:        Registered Trade Mark Name
      admin-c:      KR59-IEDR
      tech-c:       CCA7-IEDR
      registration: 21-March-2002
      renewal:      21-March-2013
      status:       Active
      nserver:      ns1.google.com  
      nserver:      ns2.google.com  
      nserver:      ns3.google.com  
      source:       IEDR
    
      person:       Kulpreet Rana
      nic-hdl:      KR59-IEDR
      source:       IEDR
    
      person:       eMarkmonitor Inc
      nic-hdl:      CCA7-IEDR
      source:       IEDR
    

Which looks like it could be cached information. Kulpreet Rana's LinkedIn
"also viewed" section seems to identify her as a Google lawyer. The new
nameservers are ns1.farahatz.net and ns2.farahatz.net.

------
toyg
If the likes of Google (tech-savvy, security-savvy, loads of cash) can't stay
safe, the problem is huge.

~~~
philjr
The IEDR works on a fax based authorisation system for a lot of procedures
which is low hanging fruit for an attacker. Any other type of compromise might
be more interesting so curious if they'll release how this happened.

~~~
kiallmacinnes
Actually, you can just log directly into the IEDR site to make these changes.

I've done this many times..

~~~
philjr
Just speculating on an attack vector that's pretty low-tech and open to abuse.

------
rolmos
This reminds me of Google Bolivia giving a certificate error because it points
to Google.com:

<https://www.google.bo/>

~~~
graue
It looks like the working URL is <https://www.google.com.bo/>

Found that out thanks to the technical details in Firefox's SSL error screen,
where it says:

"www.google.bo uses an invalid security certificate.

"The certificate is only valid for the following names: google.com,
\*.google.com, \*.youtube.com, youtube.com, \*.youtube-nocookie.com, youtu.be,
\*.ytimg.com, \*.android.com, android.com, \*.googlecommerce.com,
googlecommerce.com, \*.url.google.com, \*.urchin.com, urchin.com,
\*.google-analytics.com, google-analytics.com, \*.cloud.google.com, goo.gl,
g.co, \*.gstatic.com, \*.google.ac, ..." and then goes on to list an enormous
number of localized Google domains.
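The error Firefox shows comes from the hostname-matching rule for certificate names: a subjectAltName entry either matches the host exactly or, if it is a wildcard, matches exactly one label in the leftmost position. So `*.google.com` covers `www.google.com` but not `www.google.bo`, and not `a.b.google.com` either. The following is an added example, not code from the thread, implementing that rule over a constructed excerpt of the names quoted above; the entry `*.google.com.bo` is an assumption added only because the comment says the list continues with localized domains and that www.google.com.bo works.

```python
# Constructed excerpt of the certificate's subjectAltName dNSName entries as
# quoted in the comment.  "*.google.com.bo" is ASSUMED: the comment says the
# list goes on to many localized domains and that www.google.com.bo works.
SAN_NAMES = [
    "google.com", "*.google.com", "*.youtube.com", "youtube.com",
    "*.youtube-nocookie.com", "youtu.be", "*.ytimg.com", "*.android.com",
    "android.com", "*.googlecommerce.com", "googlecommerce.com",
    "*.url.google.com", "*.urchin.com", "urchin.com", "*.google-analytics.com",
    "google-analytics.com", "*.cloud.google.com", "goo.gl", "g.co",
    "*.gstatic.com", "*.google.ac",
    "*.google.com.bo",  # assumed, see above
]


def name_matches(pattern, hostname):
    """RFC 6125-style dNSName comparison: case-insensitive, label by label;
    a wildcard must be the entire leftmost label, matches exactly one label,
    and is refused for names too short to be a real host (e.g. "*.com")."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not lab for lab in p + h):
        return False
    if any("*" in lab for lab in p):
        if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def certificate_covers(hostname, san_names=SAN_NAMES):
    """Return the SAN entry that covers `hostname`, or None when no entry
    matches, which is the case the browser reports as an invalid
    certificate."""
    for name in san_names:
        if name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ("www.google.com", "www.google.bo", "www.google.com.bo"):
        print(host, "->", certificate_covers(host))
```

Running it shows `www.google.bo -> None`, i.e. no entry in the list covers that host, so a browser refuses the connection even though the server is genuinely Google's; the fix on the operator's side is to add the name to the certificate or redirect before TLS is negotiated, not to relax the matching.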

------
unbeli
yahoo.ie was hijacked too. Both are back to normal now, the incident duration
was about 1h.

------
anons2011
<http://www.whois.com/whois/google.ie>

shows

    
    
      status:       Active
      nserver:      ns1.google.com
      nserver:      ns2.google.com
      nserver:      ns3.google.com
      source:       IEDR
    

Domaintools.com shows something else

<http://whois.domaintools.com/google.ie>

Something else that's worth a look at:
<http://host.robtex.com/ns1.farahatz.net.html#graph>

~~~
thepies
those results are likely cached

<http://www.opendns.com/support/cache/>

This would be loading the correct "hacked" entries now

google.ie 119.235.27.219

------
thepies
resolving to

    
    
      nserver:      ns1.farahatz.net
      nserver:      ns2.farahatz.net
    

------
thepies
I noticed this as I was getting an error similar to

SSL received a record that exceeded the maximum permissible length

I then did a bit of checking.

I am using OpenDNS, which shows 119.235.27.219 as the IP now

Even when browser tries to redirect to google.com, it is hanging

The IEDR reloads the zonefile next at 5pm, although I suspect they may be a
bit quicker about it today...

------
wulczer
Interesting:

    
    
      $ dig +short @8.8.8.8 google.ie
      173.194.39.119
      173.194.39.127
      173.194.39.120
    
      $ dig +short @ns1.farahatz.net google.ie
      119.235.27.219
    
      $ whois 119.235.27.219
      (...)
      descr:          PT. TEKNOLOGI LINTASLINK
      (...)

------
edbloom
well that can't be good! domain not due to expire until 21 March 2013 so looks
like their dns records have been hijacked per the original submitter. A
records are still going to google for me right now.

------
bashzor
I'm sorry but what exactly indicates that it's hacked? It says it belongs to
Google Inc, the nameservers end in .google.com, what's wrong here?

~~~
Kudos
The story was posted 2 hours ago, do you think that might be enough time for
them to have changed the nameservers back?

~~~
bashzor
Oh, then perhaps it should have linked to a cached page. Now it's just
confusing...

------
aliks
Please Google don't F with - white Seo