
How Google Pakistan Was Hacked?



This morning, when I accessed google.com.pk, I was surprised to see the defacement page of Turkish hackers. Later I came to know that other websites such as microsoft.com.pk had also been defaced this morning. On checking the name servers with nslookup, I found that the DNS servers were pointing towards another host, so it was clear that the hacker had compromised the DNS server and changed the name servers to their own, where they hosted their defacement page. The image above appeared on major .pk domains when users tried to access them.
Some time later the page started pointing towards google.com instead of google.com.pk; however, the name servers of all .pk domains are still pointing towards Freehostia.


How was Google Pakistan Hacked?

As I mentioned earlier, it looks to me as if the registrar responsible for Google's DNS records may have been compromised and the records changed, so when users went to google.com.pk they were redirected to a different website set up by the Turkish hacker to make it look as though google.com.pk itself had been compromised.



A quick whois search showed that the registrar responsible for the PKNIC domains is MarkMonitor. There is a strong chance that the Turkish hackers gained access to MarkMonitor and then changed the DNS servers. Another possibility is that the hackers used an attack called "DNS cache poisoning" to change the DNS servers. I will update this page as soon as I have more information regarding this attack.
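One way a domain owner or registrar customer could have caught this delegation change early is a scheduled check that compares the NS records currently published for each zone with the delegation they expect. The script below is an added example, not code from the post or from MarkMonitor; it parses constructed `dig +short NS` style answers (the rogue name-server hostnames are placeholders, not Freehostia's real servers) and also reports any unexpected name server shared across several zones, which is the registrar-level pattern described above rather than a one-off change to a single site.

```python
"""Delegation-drift check (added example, not code from the post): flag zones
whose NS records moved outside the expected delegation and spot a rogue name
server shared across zones, the registrar-level pattern described above."""
from collections import Counter
from typing import Dict, Set

# Constructed `dig +short NS <zone>` style answers. The hosting-provider NS
# names are placeholders ("rogue-host.example"), not the real servers.
OBSERVED_NS = {
    "google.com.pk": "ns1.rogue-host.example.\nns2.rogue-host.example.\n",
    "microsoft.pk": "NS1.rogue-host.example\n",
    "example.com.pk": "dns.example.com.pk.\n",
}
# Expected delegation per zone as the operator recorded it (constructed;
# dns.google.com.pk is the name server the post says was later restored).
EXPECTED_NS = {
    "google.com.pk": {"dns.google.com.pk."},
    "microsoft.pk": {"ns1.microsoft.example."},
    "example.com.pk": {"dns.example.com.pk."},
}

def parse_ns(dig_output: str) -> Set[str]:
    """Normalise dig output: lowercase, trailing dot, blank lines dropped."""
    names = set()
    for line in dig_output.splitlines():
        host = line.strip().lower()
        if host:
            names.add(host if host.endswith(".") else host + ".")
    return names

def find_drift(observed: Dict[str, str],
               expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {zone: unexpected NS hosts} for every zone whose delegation
    drifted; a zone missing from `expected` counts as fully unexpected."""
    drift = {}
    for zone, raw in observed.items():
        unexpected = parse_ns(raw) - expected.get(zone, set())
        if unexpected:
            drift[zone] = unexpected
    return drift

def shared_rogue_ns(drift: Dict[str, Set[str]], min_zones: int = 2) -> Set[str]:
    """Unexpected NS hosts present in at least min_zones zones: one host
    receiving many unrelated delegations points at the registrar, not at
    the individual sites, as the compromised component."""
    counts = Counter(host for hosts in drift.values() for host in hosts)
    return {host for host, n in counts.items() if n >= min_zones}
```

Run `find_drift` against live `dig +short NS` output on a schedule and alert on any non-empty result; a non-empty `shared_rogue_ns` result is the cue to contact the registrar rather than the individual site owners.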

Update: Here is the Full List Of Compromised Domains:


Update 2: Because Google's name servers now resolve through Freehostia's name servers, attackers can create any non-existent subdomain under the compromised websites, for example rafaybaloch.google.com.pk. All the attacker would need to do is register the non-existent subdomain under Freehostia and add an index page.

Update 3: It seems that google.com.pk has finally been restored and the name servers are again pointing to dns.google.com.pk.


18 comments :

Muhammad Abdullah on November 24, 2012 at 6:43 AM said...

Good job dear

Anonymous said...

Now what will happen as an outcome of this?

At!f on November 24, 2012 at 8:52 AM said...

Good Effort Sir

At!f on November 24, 2012 at 8:54 AM said...

Nice Effort Sir

Rafay Baloch on November 24, 2012 at 11:55 AM said...

Thanks all.

Nabil Afraz said...

nice work jigar:D Nabil Afraz(SSUET)

Muhammad Abdullah on November 24, 2012 at 12:48 PM said...

Just finding Turkish words on the defacement page never means the attackers are really Turkish. Can't we trace back the domain freehostia to confirm the server location through the IP address? Actually I am a beginner but I think it's possible.

Hamid Ansari on November 24, 2012 at 1:27 PM said...

Hacker 'rock india' is involved with EBOZ {KriptekS} a Turkish hacker

Anonymous said...

wondering whose post is this originally!

http://pakistanpressclub.com/google-300-plus-other-web-sites-hacked-by-eboz-hackers/1325/

Free Downloads on November 24, 2012 at 10:33 PM said...

Hahaha People Think That Google Compromise

Mazhar on November 24, 2012 at 11:14 PM said...

Great Effort Rafay :)

Rafay Baloch on November 25, 2012 at 12:26 AM said...

@Muhammad Abdullah
Only Freehostia can trace back the hackers, since they are the ones who would have access to the server logs, and I don't think anyone would do such a hack from his PC without using any proxy or anonymizers.

@Anonymous 10

If you would look closely, you would understand.

@Mazhar

Thanks for the compliment.

Jerry Smith on November 26, 2012 at 8:17 PM said...

excellent job sir....

Learn How to Hack

Anonymous said...

It seems to be done by Indian hackers.

Anonymous said...

But the question is how they accessed domain dns server?

Anonymous said...

Everything can be tracked back, even this message I am writing, but only if all the stakeholders are willing to co-operate.
But the backdoor was not on the websites. It was with the PKNIC registrar. Interesting how easy it is to bring a whole country's cyberspace down by compromising one system. They did not access the domain DNS server. They altered the addresses of the DNS servers in the registrar database, which records which DNS server to use when accessing the respective website.
If they changed DNS entries, they would need to do it for each site separately. In this case they just got access to one registrar system and modified the DNS server listings with one of their own choice. Once the DNS server is their own, they can change the domain to point to anywhere they want.

Anil Kumar on May 6, 2013 at 5:07 AM said...

nice...... computer tricks

About

Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay became known after finding a Remote Code Execution bug in PayPal, for which PayPal awarded him $10,000.
RHA © 2013. All Rights Reserved.