Today morning, when i accessed google.com.pk, I was surprised to see the defacement page of turkish hackers, Later on i came to know that other websites such as Microsoft.com.pk were also defaced this morning. On checking the name servers with nslookup, the DNS servers were pointing towards another website, It was clear that the hacker compromised the DNS server and changed the DNS servers to their own, where they had their defacement page. The above image appeared on major .pk domains, when users were trying to access them.


Some time later the page started pointing towards google.com instead of google.com.pk, However the name servers of all .pk domains are still pointing towards freehostia.

[img]http://4.bp..com/-6V4N-HpFIQs/ULCSebuAM-I/AAAAAAAACTU/amY5JWVJFjU/s1600/nameservers.png[/img]

So as i mentioned earlier that it looks to me that the registrar that was responsible for Google's DNS records may have been compromised and the records were changed, so when users went to google.com.pk they were redirected to different website which was setup by Turkish hacker to make it look that google.com.pk has been actually compromised.

[img]http://4.bp..com/-1sSqFFJvAzc/ULCWnw1LuEI/AAAAAAAACTw/xrgS02PbpZY/s1600/whois.png[/img]

By a quick whois search i came to know that the registrar that is responsible to PKNIC domains is MarkMonitor, The is a huge chance that the turkish hackers may have gained access to MarkMonitor and then would have changed the DNS servers. Another possibility is that the hackers may have used an attack called "DNS Cache Poisoning" in order to change the DNS servers. I will update this page as soon as i have more updates regarding this attack.

Update: Here is the Full List Of Compromised Domains:

google.com.pk
microsoft.pk
biofreeze.com.pk
blackstone.pk
.pk
itunes.pk
gmails.pk
zynga.com.pk
chrome.com.pk
chrome.pk
visa.com.pk
bx.com.pk
abbvie.com.pk
abbvie.pk
cgma.pk
chacos.com.pk
cimacpa.pk
cisco.pk
ciscosystems.pk
.com.pk
cpacima.pk
cpaintl.pk
cpaldglobal.pk
cpalwglobal.pk
drivealliance.pk
eastman.biz.pk
eastman.net.pk
eastman.org.pk
ebay.pk
monatin.pk
everyblock.pk
youtube.pk
3com.web.pk
hp.web.pk
revlon.pk
streetwear.pk
windows7.pk
windows8.pk
windowsrt.pk
yahoo.pk
yahoomaktoob.pk
zynga.pk
firstdirect.com.pk
flickr.pk
fordgofurther.pk
gbuzz.pk
gmailbuzz.pk
gmail.pk
googlebrowser.com.pk
google.pk
googlebuzz.pk
googlechrome.com.pk
abbviepharmaceuticals.pk
abbviepharmaceuticals.com.pk
hewlettpackard.pk
hexagon.com.pk
hsbcamanah.biz.pk
hotmail.com.pk
hpcloud.com.pk
hp.com.pk
hpscalene.com.pk
hsbc.biz.pk
hsbcadvance.com.pk
hsbc.pk
hsbcpremier.com.pk
hsbcprivatebank.biz.pk
hsbcamanah.com.pk
hsbcdirect.com.pk
hsbcnet.com.pk
hsbcpremier.biz.pk
hsbcpremier.pk
hsbcprivatebank.com.pk
investdirect.biz.pk
investdirect.com.pk
ipod.pk
jaiku.pk
kellyservices.com.pk
maktoob.pk
markmonitor.pk
microsoftsmartglass.com.pk
microsoftsmartglass.pk
xboxsmartglass.com.pk
xboxsmartglass.pk
msn.org.pk
windowsstore.pk
windowsstore.com.pk
opteron.com.pk
parkplaza.pk
paypal.pk
postini.pk
scalene.com.pk
schwab.biz.pk
schwab.com.pk
sonystyle.com.pk
streetwear.com.pk
theworldslocalbank.com.pk
genapp.pk
genapp.com.pk
generationapp.pk
generationapp.com.pk
windows.com.pk
windows7.com.pk
windows8.com.pk
3com.biz.pk
3com.fam.pk
3com.net.pk
3com.org.pk
gchrome.com.pk
aicpacima.pk

webdezzi: thats the ugly side of security, you have less control over some things

if goodaddy.com gets hacked today, same may apply

Brand_new: So Google uses Freehostia.com

Slyr0x:

You missed it bro.

The hackers broke into MarkMonitor (Google PK's domain registrar) and changed their DNS settings to point to two alternative nameservers at freehostia.com.

So the defaced page was actually called from the hacker's site hosted on freehostia.com but made it look like twas google's own 'cos of the DNS that was compromised.

Brand_new:
And how did you arrive at that?

spikes C: Slyrox, can u write an article on how/steps to check the source of attacks when hacked.

Dual Core: Or they just paid MarkMonitor some $$$ to get access. Its Pakistan, people (no offense).

yamakuza: i wonder how secure NIRA is ...