[ISN] Iraq's Uruklink "0wned" By Hackers

From: InfoSec News (isnat_private)
Date: Thu Mar 27 2003 - 01:49:55 PST

  • Next message: InfoSec News: "[ISN] Bush order covers Internet secrets"

    by Brian McWilliams 
    March 26, 2003 
    After shakily surviving nearly a week of intense shelling in Baghdad,
    the Web site of the Iraq government has apparently fallen prey to
    Since Wednesday, some visitors to Uruklink.net have been surprised
    with a red-white-and-blue message that reads, "Hacked, tracked, and
    NOW owned by the USA." Others have been greeted with error messages.
    In fact, Uruklink, the homepage of Saddam Hussein, as well as the
    Iraqi News Agency and several other government organizations, is still
    generally available by browsing directly to the site's numeric
    But because of an apparent attack on the site's domain name server,
    some visitors who type www.uruklink.net into their browsers are being
    shunted off to a third-party site, alneda.com.
    An examination of Uruklink's DNS server, nic1.baghdadlink.net,
    revealed that the domain's "A" record had been changed to, the IP address for alneda.com.
    The attackers also changed the domain's Hostmaster address in the DNS
    server to read "0wnedat_private"
    According to Scott Perry, operator of the DNSStuff.com site,
    ns1.baghdadlink.net is running an outdated version of the BIND DNS
    software, which has a number of known security issues.
    Attackers made no apparent changes directly to the Uruklink web
    server. A second DNS server for Uruklink, nic2.baghdadlink.net, has
    been offline for nearly a week.
    Jon Messner, the operator of Alneda.com, said he was not responsible
    for the attack on Uruklink.
    "Hacking DNS servers of any nation's website is illegal. I do not in
    anyway participate in illegal activity, nor do I condone or endorse
    such activity by other individuals," said Messner. Last August,
    Messner made headlines when he snatched up several lapsed domains,
    including Alneda.com, in an attempt to baffle terrorists.
    The attacks on Uruklink come as Iraq's state-run TV station was nearly
    knocked off the air Tuesday by bombing. The popular Arabic news site
    Al Jazeera has also appeared to be suffering from a denial-of-service
    Because some ISPs cache DNS information for domains differently, many
    Uruklink visitors have so far been unaffected by the re-direction
    attack. Others who attempt to reach the site using its domain address
    encounter "system unreachable" messages.
    Compounding Uruklink's DNS problems is bogus data that has apparently
    found its way into some ISP's DNS caches. Ron Gula, founder of Tenable
    Network Security, said some politically-motivated system
    administrators may have "blackholed" Uruklink by adding "reserved" IP
    addresses for the site in the DNS servers they manage.
    Uruklink's attackers did not alter the DNS record for the site's
    e-mail server, which could have disabled e-mail service to many
    Iraqis. Some observers have speculated that the U.S. government may be
    communicating with high-ranking Iraqis via e-mail, in an attempt to
    persuade them to overthrow Saddam.
    Iraq2000.com, the homepage of Iraq's Olympic team and several
    newspapers, was also impacted by the attack on Iraq's DNS servers. The
    "A" record for Iraq2000.com appears to have been changed to a
    non-functioning, reserved IP address. Similar problems have befallen
    the website of Iraq's Center for Heart Diseases.
    In an apparently unrelated incident, the website of Iraq's mission to
    the United Nations, Iraqi-Mission.org, became unreachable this week.  
    The site, which is hosted by Texas-based Verio, currently displays a
    message from Verio saying "Temporarily Unavailable." Messages left
    with the Iraqi mission in New York went unanswered. Verio
    representatives had no immediate comment.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 04:22:54 PST