Information Security News mailing list archives

Iraq's Uruklink "0wned" By Hackers


From: InfoSec News <isn () c4i org>
Date: Thu, 27 Mar 2003 03:49:55 -0600 (CST)

http://www.pc-radio.com/uruklink-0wned.html

by Brian McWilliams 
March 26, 2003 

After shakily surviving nearly a week of intense shelling in Baghdad,
the Web site of the Iraq government has apparently fallen prey to
hackers.

Since Wednesday, some visitors to Uruklink.net have been surprised
with a red-white-and-blue message that reads, "Hacked, tracked, and
NOW owned by the USA." Others have been greeted with error messages.

In fact, Uruklink, the homepage of Saddam Hussein, as well as the
Iraqi News Agency and several other government organizations, is still
generally available by browsing directly to the site's numeric
address.

But because of an apparent attack on the site's domain name server,
some visitors who type www.uruklink.net into their browsers are being
shunted off to a third-party site, alneda.com.

An examination of Uruklink's DNS server, nic1.baghdadlink.net,
revealed that the domain's "A" record had been changed to
65.89.91.148, the IP address for alneda.com.

The attackers also changed the domain's Hostmaster address in the DNS
server to read "0wned () baghdadlink net."

According to Scott Perry, operator of the DNSStuff.com site,
ns1.baghdadlink.net is running an outdated version of the BIND DNS
software, which has a number of known security issues.

Attackers made no apparent changes directly to the Uruklink web
server. A second DNS server for Uruklink, nic2.baghdadlink.net, has
been offline for nearly a week.

Jon Messner, the operator of Alneda.com, said he was not responsible
for the attack on Uruklink.

"Hacking DNS servers of any nation's website is illegal. I do not in
any way participate in illegal activity, nor do I condone or endorse
such activity by other individuals," said Messner. Last August,
Messner made headlines when he snatched up several lapsed domains,
including Alneda.com, in an attempt to baffle terrorists.

The attacks on Uruklink come as Iraq's state-run TV station was nearly
knocked off the air Tuesday by bombing. The popular Arabic news site
Al Jazeera has also appeared to be suffering from a denial-of-service
attack.

Because some ISPs cache DNS information for domains differently, many
Uruklink visitors have so far been unaffected by the re-direction
attack. Others who attempt to reach the site using its domain address
encounter "system unreachable" messages.

Compounding Uruklink's DNS problems is bogus data that has apparently
found its way into some ISPs' DNS caches. Ron Gula, founder of Tenable
Network Security, said some politically-motivated system
administrators may have "blackholed" Uruklink by adding "reserved" IP
addresses for the site in the DNS servers they manage.

Uruklink's attackers did not alter the DNS record for the site's
e-mail server, which could have disabled e-mail service to many
Iraqis. Some observers have speculated that the U.S. government may be
communicating with high-ranking Iraqis via e-mail, in an attempt to
persuade them to overthrow Saddam.

Iraq2000.com, the homepage of Iraq's Olympic team and several
newspapers, was also impacted by the attack on Iraq's DNS servers. The
"A" record for Iraq2000.com appears to have been changed to a
non-functioning, reserved IP address. Similar problems have befallen
the website of Iraq's Center for Heart Diseases.

In an apparently unrelated incident, the website of Iraq's mission to
the United Nations, Iraqi-Mission.org, became unreachable this week.  
The site, which is hosted by Texas-based Verio, currently displays a
message from Verio saying "Temporarily Unavailable." Messages left
with the Iraqi mission in New York went unanswered. Verio
representatives had no immediate comment.



-
ISN is currently hosted by Attrition.org
