Google’s primary search domain for Tajikistan appeared to have been hacked yesterday, along with other high-profile domains including Yahoo, Twitter and Amazon, all redirected to a defaced page. In fact, neither Google’s nor Twitter’s servers were hacked; rather, the website of Tajikistan’s domain registrar authority (domain.tj) was compromised, which gave the attacker access to the domain control panel.
Server Kernel: Linux mx.takemail.com 2.4.21-27.ELsmp #1 SMP Wed Dec 1 21:59:02 EST 2004 i686
Iranian hacker ‘Mr.XHat’ successfully managed to change the DNS records of the targeted websites and defaced them for about a day. The hacker told ‘The Hacker News’ that he used a directory traversal vulnerability to hack the website and still has access to the control panel.
Directory traversal is a type of HTTP exploit that attackers use to gain unauthorized access to restricted directories and files by manipulating the file path an application serves from.
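To make the class of bug concrete from the defender’s side, here is an added example (not code from the article, from domain.tj or from the hacker): a naive file handler that joins a request path onto a document root, the hardened version that resolves the path and refuses anything outside the root, and a small heuristic a log reviewer can run over access-log request paths to spot traversal attempts, including percent- and double-encoded ones. The document root, its files and the sample request paths are all constructed inline so the example runs offline.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample layout so the example runs offline: a document root with
# one public file, and a file one level above it that must never be served.
_BASE = tempfile.mkdtemp()
DOC_ROOT = os.path.join(_BASE, "public")
os.makedirs(DOC_ROOT)
with open(os.path.join(DOC_ROOT, "readme.txt"), "w") as fh:
    fh.write("public content\n")
with open(os.path.join(_BASE, "config.ini"), "w") as fh:
    fh.write("db_password=example-only\n")   # constructed placeholder value


def serve_file_vulnerable(user_path: str) -> bytes:
    """Naive handler: the request path is joined onto the document root with
    no normalisation, so '..' segments (or an absolute path) escape the root."""
    full = os.path.join(DOC_ROOT, user_path)
    with open(full, "rb") as fh:
        return fh.read()


def serve_file_hardened(user_path: str) -> bytes:
    """Hardened handler: resolve the final path (collapsing '..' and symlinks)
    and refuse anything that does not stay at or below the document root."""
    root = Path(DOC_ROOT).resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def is_rejected(user_path: str) -> bool:
    """True if the hardened handler refuses the path (used for checks)."""
    try:
        serve_file_hardened(user_path)
    except PermissionError:
        return True
    return False


def looks_like_traversal(request_path: str) -> bool:
    """Detection heuristic for web access logs: undo percent-encoding twice
    (catches double encoding), normalise backslashes, then look for a
    parent-directory segment anywhere in the path."""
    decoded = request_path
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


# Constructed access-log request paths, as a scanner over a log would see them
SAMPLE_REQUESTS = [
    "/files/readme.txt",
    "/files/../config.ini",
    "/files/..%2f..%2fetc/passwd",
    "/files/%252e%252e/config.ini",
]


def flag_suspicious(requests):
    """Return the subset of request paths that match the traversal heuristic."""
    return [r for r in requests if looks_like_traversal(r)]


if __name__ == "__main__":
    print(serve_file_vulnerable("../config.ini"))   # the naive handler leaks it
    print(is_rejected("../config.ini"))             # the hardened one refuses
    print(flag_suspicious(SAMPLE_REQUESTS))
```

The check in `serve_file_hardened` is done on the resolved path rather than on the raw string, which is why it also catches absolute paths and symlinks that a blacklist of `../` would miss; the log heuristic, by contrast, is deliberately loose and is meant for triage, not for blocking.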
Following is a screenshot of the compromised domain registrar’s control panel:
The hacker claimed to have root access to the MySQL database of the site, where customers’ passwords are stored in a hashed / encrypted format. To gain access to Twitter’s and Google’s customer domain panels, he simply changed the administrative email address of the respective accounts to his own email address and proceeded with the password recovery option.
The screenshot above (provided by the hacker) shows the password recovery email received with the new password in plain text, which allowed him to finally access the customer domain panel.
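The two weaknesses the account takeover relied on were a contact-address change that took effect immediately and a recovery flow that mailed a usable password. As an added example (not code from the article or from the registrar), the following Python shows the recovery and email-change flows done the way a defender would want them: a single-use, expiring reset token of which only a hash is stored, a reset message that carries a link and never a password, and an address change that requires the current password, is confirmed from the new address, and notifies the old one. The account store, the outbox and the `registrar.example` URLs are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the registrar's database and
# mail system. Passwords are kept only as salted PBKDF2 hashes.
ACCOUNTS = {}        # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}    # sha256(token) -> {"email": str, "expires": float}
CHANGE_TOKENS = {}   # sha256(token) -> {"email": str, "new_email": str, "expires": float}
OUTBOX = []          # (recipient, message) pairs instead of real e-mail
TOKEN_TTL = 15 * 60  # seconds a token stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_id(token: str) -> str:
    # Only a hash of the token is stored, so a database dump holds no live tokens
    return hashlib.sha256(token.encode()).hexdigest()


def _set_password(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def create_account(email: str, password: str) -> None:
    _set_password(email, password)


def verify_password(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))


def request_password_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use, expiring token and mail a reset link. No password,
    old or new, ever appears in the message. The token is returned here only so
    the example can be exercised; a real service would never return it."""
    if email not in ACCOUNTS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_id(token)] = {"email": email, "expires": now + TOKEN_TTL}
    OUTBOX.append((email, "Reset your password: https://registrar.example/reset?token=" + token))
    return token


def complete_password_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_id(token), None)  # pop: the token is single use
    if entry is None or entry["expires"] < now:
        return False
    _set_password(entry["email"], new_password)
    return True


def request_email_change(email: str, password: str, new_email: str,
                         now: Optional[float] = None) -> Optional[str]:
    """A contact-address change needs the current password, takes effect only
    after confirmation from the NEW address, and the OLD address is told about
    it, so an account owner sees an unauthorised change attempt."""
    if not verify_password(email, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    CHANGE_TOKENS[_token_id(token)] = {"email": email, "new_email": new_email,
                                       "expires": now + TOKEN_TTL}
    OUTBOX.append((new_email, "Confirm your new contact address: "
                              "https://registrar.example/confirm-email?token=" + token))
    OUTBOX.append((email, "A request was made to move this account to " + new_email
                          + ". If this was not you, contact support."))
    return token


def confirm_email_change(token: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = CHANGE_TOKENS.pop(_token_id(token), None)
    if entry is None or entry["expires"] < now or entry["email"] not in ACCOUNTS:
        return False
    ACCOUNTS[entry["new_email"]] = ACCOUNTS.pop(entry["email"])
    return True


def messages_to(recipient: str):
    """Messages 'sent' to an address, for inspection."""
    return [m for r, m in OUTBOX if r == recipient]
```

The `now` parameters exist so expiry can be exercised deterministically; in production they would simply be the clock. Note that even this flow still trusts the mailbox, so an attacker who already holds the registrar's database (as claimed in the article) must additionally be unable to rewrite the stored address, which is why the change is gated on the current password and confirmed out of band rather than applied from the admin panel directly.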
Hacked domains are:
At the time of writing, the hacked domains have been restored to their original DNS records, but a defacement mirror is available at the following:
We will update the post with new information as it becomes available.