Secunia defaced? DNS hijacked?

Secunia is a very popular security company, specialized in vulnerability intelligence, security management, and things like that.

However, yesterday evening, everyone visiting their site received a special “defaced” message (“System down – get babana, hacked by turkguvenligi”):

What happened? Did their web servers get hacked?

No, their servers were not hacked. After some analysis, it seems that their DNS was hijacked to point to another location. The first thing pointing to that is that their Whois records were modified yesterday:

Record last updated 11-24-2010 06:49:51 PM
Record expires on 08-16-2017
Record created on 08-16-2002

Domain servers in listed order:
A.NS.SECUNIA.COM 213.150.41.253
B.NS.SECUNIA.COM 213.150.41.254
C.NS.SECUNIA.COM 91.198.117.1
D.NS.SECUNIA.COM 91.198.117.2

This was followed by a change in their name servers, they were redirected to 81.95.49.32, which also prompted their main site to be redirected to 81.95.49.32 as well.

The guys from the ISC did some analysis and that’s the response of the host command at the time of the hack:

$ host www.secunia.com
www.secunia.com is an alias for secunia.com.
secunia.com has address 81.95.49.32
secunia.com mail is handled by 0 secunia.com.

Secunia confirmed the attack on their blog: http://secunia.com/blog/153

What’s interesting is that it shows how important it is to monitor the integrity of your Whois and DNS entries. Every client at Sucuri, in addition to the malware and blacklist monitoring, also gets our DNS and Whois monitoring which alerts whenever these are changed. In the case of Secunia, if they had been using our service, they would have detected the Whois change pretty quickly and probably could have reacted before the DNS propagation.