How Google Pakistan Was Hacked?

Today morning, when i accessed, I was surprised to see the defacement page of turkish hackers, Later on i came to know that other websites such as were also defaced this morning. On checking the name servers with nslookup, the DNS servers were pointing towards another website, It was clear that the hacker compromised the DNS server and changed the DNS servers to their own, where they had their defacement page. The above image appeared on major .pk domains, when users were trying to access them.
Some time later the page started pointing towards instead of, However the name servers of all .pk domains are still pointing towards freehostia.


How was Google Pakistan Hacked?

So as i mentioned earlier that it looks to me that the registrar that was responsible for Google's DNS records may have been compromised and the records were changed, so when users went to they were redirected to different website which was setup by Turkish hacker to make it look that has been actually compromised. 

By a quick whois search i came to know that the registrar that is responsible to PKNIC domains is MarkMonitor, The is a huge chance that the turkish hackers may have gained access to MarkMonitor and then would have changed the DNS servers. Another possibility is that the hackers may have used an attack called "DNS Cache Poisoning" in order to change the DNS servers. I will update this page as soon as i have more updates regarding this attack.

Update: Here is the Full List Of Compromised Domains:

Update 2: Due to the Propogation of Google's name servers to Freehostia's nameservers, It made attackers to create any non-existing subdomain under compromised websites, For example All the attacker would need to do is to register the non-existing subdomain under freehostia and add an index.

Update 3: It seems that has been finally restored and the nameservers are again pointing to


  1. This comment has been removed by the author.

  2. now what will happen as out come of these?

  3. nice work jigar:D Nabil Afraz(SSUET)

  4. Just by finding turkish words on defacement page never mean attackers r really turkish. cannt v trace back the domain freehostia to confirm server location through IP address? Actually i m beginner but think its possible.

  5. Hacker 'rock india' is involved with EBOZ {KriptekS} a Turkish hacker

  6. wondering whose post is this originally!

  7. Hahaha People Think That Google Compromise

  8. @Muhammad Abdullah
    Only Freehostia can trace back the hackers, since they are the ones who would have access to the server logs, And i don't think any one would do such a hack from his PC without using any PROXY or anonymizers.

    @Anonymous 10

    If you would look closely, you would understand.


    Thanks for the compliment.

  9. It seems to be done by Indian hackers.

  10. But the question is how they accessed domain dns server?

  11. everything can be tracked back.. even this message i am writing.. only if all the stakeholders are willing to co-operate.
    but the backdoor was not on the websites. it was with the pknic registrar. interesting how easy to bring a whole contry's cyberspace down by compromising one system. they did not access domain DNS server. they altered the addresses of DNS servers in the registrar database which was pointing to which DNS server to use when accessing the respective website.
    if they change DNS entries.. they need to do it for each site seperately. in this case they just got acces to one registrar system and they modified the DNS server listings with one of their own choice. once the DNS server is their own.. they can change the domain to point to anywhere they want.


Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.