It looks like Google.ie has been hijacked

The current whois record shows:

whois google.ie

% Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96
% Do not remove this notice

domain:       google.ie
descr:        Google, Inc
descr:        Body Corporate (Ltd,PLC,Company)
descr:        Registered Trade Mark Name
admin-c:      KR59-IEDR
tech-c:       CCA7-IEDR
registration: 21-March-2002
renewal:      21-March-2013
status:       Active
nserver:      ns1.farahatz.net  
nserver:      ns2.farahatz.net  
source:       IEDR

person:       Kulpreet Rana
nic-hdl:      KR59-IEDR
source:       IEDR

person:       eMarkmonitor Inc
nic-hdl:      CCA7-IEDR
source:       IEDR

So who is at fault here?

Google? IEDR? Or Mark Monitor?

What do you think?

UPDATE 14:15

Whois has reverted back to Google's nameservers, though it will probably take a while for people to see the change: their ISPs' resolvers and other caches will keep serving the old nameserver records until the cached entries' TTLs expire.

whois google.ie

% Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96
% Do not remove this notice

domain:       google.ie
descr:        Google, Inc
descr:        Body Corporate (Ltd,PLC,Company)
descr:        Registered Trade Mark Name
admin-c:      KR59-IEDR
tech-c:       CCA7-IEDR
registration: 21-March-2002
renewal:      21-March-2013
status:       Active
nserver:      ns1.google.com
nserver:      ns2.google.com
nserver:      ns3.google.com
source:       IEDR

person:       Kulpreet Rana
nic-hdl:      KR59-IEDR
source:       IEDR

person:       eMarkmonitor Inc
nic-hdl:      CCA7-IEDR
source:       IEDR


Update 1525:

Just to clarify: the DNS was not "hacked". Nobody broke into Google's nameservers. What changed was the delegation held at the registry, i.e. the nserver records for google.ie, which were pointed away from Google's servers to someone else's. Resolvers then asked those servers for every google.ie record. This is a "hijack", not a DNS hack.

But the change was not authorised by Google, so someone either hacked into or social engineered their way into either IEDR or Mark Monitor in order to get the change made.
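The distinction above is exactly what a registrar or brand owner should be checking for. The following is an added example, not code from the original post and not anything IEDR or MarkMonitor run: a small Python check that parses IEDR-style whois output like the records quoted above, normalises the nserver lines and compares them with the nameservers the domain is expected to delegate to. It also diffs two records field by field, which is how you see that only the nserver lines moved while the admin-c and tech-c handles stayed the same. The expected set for google.ie is taken from the restored record above; the sample records are trimmed copies of the ones in the post, and any other domain's expected nameservers are an assumption the caller must supply.

```python
"""Delegation-change check over IEDR-style whois output (added example)."""
import re
from typing import Dict, List, Set

# Sample input: the whois record quoted in the post while google.ie was
# hijacked, trimmed to the fields that matter. Note the trailing spaces.
HIJACKED_WHOIS = """\
% Rights restricted by copyright; http://iedr.ie/index.php/mnudomregs/mnudnssearch/96
% Do not remove this notice

domain:       google.ie
descr:        Google, Inc
admin-c:      KR59-IEDR
tech-c:       CCA7-IEDR
status:       Active
nserver:      ns1.farahatz.net  
nserver:      ns2.farahatz.net  
source:       IEDR
"""

# Sample input: the same record after IEDR reverted the change.
RESTORED_WHOIS = """\
domain:       google.ie
descr:        Google, Inc
admin-c:      KR59-IEDR
tech-c:       CCA7-IEDR
status:       Active
nserver:      ns1.google.com
nserver:      ns2.google.com
nserver:      ns3.google.com
source:       IEDR
"""

# Allow-list of nameservers each monitored domain should delegate to.
# google.ie comes from the restored record; add other domains as assumptions.
EXPECTED_NS: Dict[str, Set[str]] = {
    "google.ie": {"ns1.google.com", "ns2.google.com", "ns3.google.com"},
}

FIELD_RE = re.compile(r"^([a-z-]+):\s*(.*?)\s*$")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'key: value' lines into a dict of value lists.
    '%' comment lines and blank lines are skipped; repeated keys such as
    descr and nserver keep every value in order; trailing spaces are dropped."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def nameservers(fields: Dict[str, List[str]]) -> Set[str]:
    """Normalise nserver values: first token only (some registries append a
    glue address), lower-cased, without a trailing dot."""
    return {
        v.split()[0].lower().rstrip(".")
        for v in fields.get("nserver", [])
        if v.split()
    }


def check_delegation(text: str) -> dict:
    """Compare the delegation in a whois record with the allow-list.
    'mismatch' is True when an unexpected nameserver appears, or when the
    domain is known but no nameservers are present at all."""
    fields = parse_whois(text)
    domain = fields.get("domain", ["?"])[0].lower()
    seen = nameservers(fields)
    expected = EXPECTED_NS.get(domain, set())
    unexpected = seen - expected
    missing = expected - seen
    return {
        "domain": domain,
        "mismatch": bool(unexpected) or (bool(expected) and not seen),
        "unexpected": sorted(unexpected),
        "missing": sorted(missing),
    }


def changed_fields(before: str, after: str) -> Set[str]:
    """Keys whose values differ between two records. For the post's two
    records only 'nserver' differs: a delegation change, not a change of
    registrant or contact handles."""
    a, b = parse_whois(before), parse_whois(after)
    return {k for k in set(a) | set(b) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for label, record in (("hijacked", HIJACKED_WHOIS), ("restored", RESTORED_WHOIS)):
        print(label, check_delegation(record))
    print("fields changed on revert:", changed_fields(HIJACKED_WHOIS, RESTORED_WHOIS))
```

Run against a whois dump taken on a schedule, the `mismatch` flag is the alert; the `changed_fields` output tells you whether contact handles moved too, which would point at a different kind of compromise than the one described here.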

Update 1739:

Seemingly yahoo.ie was also hijacked today and the nameservers changed to the farahatz.net ones. These changes *appear* to have been reverted before too many people noticed.

At this stage I am not aware of any official statements from either Google (they’re declining to comment), IEDR (they probably won’t say much today, if ever) or MarkMonitor.

Both domains (google.ie and yahoo.ie) were pointed to an IP in Indonesia (119.235.27.219)

While google.ie obviously gets a very large amount of web traffic, it isn't actively used for email. Yahoo.ie, on the other hand, is used by a lot of Irish Yahoo! email users. Because the hijacker's nameservers were answering for the whole zone, including its MX records, mail for yahoo.ie addresses could have been bounced or misdirected for as long as the delegation was wrong, so those users' email service would have been disrupted.

Update 2000:

Most Irish users are now able to access google.ie as normal, however at least some are still reporting issues:

This may be down to their ISPs' DNS servers still holding the stale records cached earlier this afternoon, or to their office or home router having cached them; either way the old records will only drop out when their TTLs expire.

Google has issued an apology for the disruption to Irish users which has been reported by several media sources.

Update 2125

Here’s the full statement from the IEDR (courtesy of The Sociable):

Statement by IE Domain Registry re unauthorised access to two high profile .ie web addresses

Tuesday, 9th October, 2012: The IEDR confirms that earlier this afternoon an unauthorised change was made to two .ie domains on an independent Registrar’s account which resulted in a change of DNS nameservers.  The consequence of the change is that visitors to the two websites would be redirected to an allegedly fraudulent address. The IEDR worked with the Registrar to ensure that the nameserver records have been corrected.

It’s not particularly long, but it would seem to suggest that IEDR are blaming Mark Monitor. Wouldn’t it have been more prudent to work with the registrar before sending out something like this?

Seemingly Mark Monitor are blaming IEDR:

San Francisco-based MarkMonitor, the registrar responsible for both addresses, blamed lax security at the Irish registry level for the incident.

Surely this kind of “blame game” is counter-productive?

The IEDR suffered a massive outage last month with their public-facing websites, whois and other services unavailable for about 36 hours.

UPDATE 2310 IEDR have taken all their websites and whois offline. In an email to registrars IEDR state that they have been in contact with the Gardai (Irish police).

UPDATE 0745 IEDR have published a statement on their website explaining (briefly) why their websites and other services are offline:

IEDR systems are currently unavailable. We apologise for the inconvenience to our customers.

As you may be aware, there was a security incident on Tuesday 9th October, involving two high profile .ie domains.

There was an unauthorised access to one Registrar’s account which resulted in the change to the DNS nameserver records for the two .ie domains.
The IEDR worked with the Registrar to ensure that the nameserver records were reset and corrected promptly.
Simultaneously, IEDR commenced an investigation and analysis, with the assistance of external security experts.

Based on the results of the investigation and the recommendation of security experts,
IEDR are bringing its external web-based systems off-line, commencing at 22:00 hours, in order to perform additional analysis.

Gardai have been notified and IEDR has requested that the Garda Bureau of Fraud Investigation conduct an investigation into this external attack on the .ie namespace.

IEDR will provide further updates on this web page as additional information becomes available.

IEDR Team

And here’s a screenshot of their main site as of 8am this morning:

Their WHOIS service is currently available so people will be able to access information related to currently registered .ie domain names.

Update 1645

While many Irish internet users yesterday were unable to reach google.ie, some apparently were sent to a site on an Indonesian IP.

Here’s a screenshot of what they saw:

Via @athomeitwex on Twitter

The "defacement" or "hack" page is signed by a "Hmei7", who is apparently an Indonesian hacker whose "signature" has appeared on thousands of website defacements, including attacks against Asus and Siemens.


About the Author: Michele Neylon
Michele is founder and managing director of domain registrar and hosting company Blacknight. He blogs mostly over on michele.blog
119 Comments
  1. Paul Stahura October 9, 2012 at 5:39 pm - Reply

    This demonstrates a good reason for Google to get the .google TLD – that way they control ie.google more directly than google.ie

  2. Volker Greimann October 9, 2012 at 5:42 pm - Reply

    Seems that the change was already reversed though

  3. inquisitioneu October 9, 2012 at 11:38 pm - Reply

    My favourite bit – the culprit’s name, Kulpreet.
    Great stuff! In a nefarious, Dr Evil kind of way.

    • Michele October 9, 2012 at 11:47 pm - Reply

      That name is actually legit :)

  4. Adam October 12, 2012 at 10:41 pm - Reply

    Looks like microsoft.ie was hacked as well, which makes it 3 instead of 2.
    http://www.zone-h.org/mirror/id/18445815

Categories: security. Last Updated: October 10, 2012
