Ascio Registrar Compromised – Brings Down UPS.com, Theregister and Others

If you tried today to visit the sites for UPS.com, theregister.co.uk, Vodafone, The Daily Telegraph and some other high-profile sites, you would have received a scary message saying that they had been hacked (by turkguvenligi):

And they were indeed hacked, but not in the way most people think. Their servers were not compromised; in fact the attack had nothing to do with their sites at all. Ascio.com, the domain registrar used by all of them, was hacked, which led to the DNS servers of those sites being modified to:


Leaking private IP addresses via DNS

Ever wondered where Cisco stores its logs? Or what the IP address of the Facebook development box is? Or how a certain big company organizes its IP addresses internally? Or where its database server is located?

Well, that’s easy to find. Just do a quick DNS query to find out:

$ host logserver.cisco.com
logserver.cisco.com has address 10.86.229.184
$ host dev.facebook.com
dev.facebook.com has address 10.8.253.45
$ host oracle.sans.org
oracle.sans.org has address 10.10.10.10
$ host intranet.dell.com
intranet.dell.com is an alias for intranet.ins.dell.com.
intranet.ins.dell.com has address 10.143.5.15
$ host secure.dell.com
secure.dell.com is an alias for insideclassic.ins.dell.com.
insideclassic.ins.dell.com has address 10.175.233.67

Another test. Do you think that Cisco uses git, CVS or SVN?

$ host cvs.cisco.com
cvs.cisco.com is an alias for total.cisco.com.
total.cisco.com has address 171.70.71.26
$ host svn.cisco.com
svn.cisco.com has address 10.86.100.70
$ host git.cisco.com
git.cisco.com is an alias for data-ibm7.cisco.com.
data-ibm7.cisco.com has address 10.93.230.122

Maybe all of them?

What is happening here, you may ask. These companies are not properly separating their internal and external DNS servers, so names that should only be answered internally are resolvable from the outside, leaking their internal structure.

How bad is that? Well, it makes external attacks much easier. From DNS cache poisoning to XSS, an attacker can do a lot more when they know where the internal assets are.

And they are not alone… Try checking where qa.ebay.com, mx.paypal.com or intranet.real.com are. I would imagine that such large companies would properly separate their DNS.

How did we find this out? Using our scanner:

Cisco leaking private IP addresses via DNS

One of the first things I learned while setting up my DNS servers was to never leak internal IP addresses to the outside world. Well, it seems that Cisco hasn’t learned it yet…

$ host pop.cisco.com
pop.cisco.com has address 10.48.73.66
$ host logserver.cisco.com
logserver.cisco.com has address 10.86.229.184
$ host backup.cisco.com
backup.cisco.com has address 10.34.250.203
$ host source.cisco.com
source.cisco.com is an alias for sjc14-42a-srv1-vlan4.cisco.com.
sjc14-42a-srv1-vlan4.cisco.com has address 10.32.17.166
$ host svn.cisco.com
svn.cisco.com has address 10.86.100.70

And there is more… rss.cisco.com, doc.cisco.com, zen.cisco.com, etc. How did I find this out? Well, using our very own Sucuri information gathering tool.

If you are ever setting up your own DNS server, remember to use at least two servers: one for inside information and one for outside. Don’t make the same mistake Cisco is making…
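As an added example (not part of these posts and not Sucuri’s tool), here is a small Python script that turns the `host` output shown above into a leak report: it follows CNAME aliases to the final name and flags every queried name whose address is not globally routable, which is the check to run from an external vantage point against your own zone before and after splitting internal and external DNS. The `query` helper and the embedded sample output (lines copied from the sessions above) are the example’s own assumptions.

```python
import ipaddress
import re
import subprocess
# The two line shapes printed by the `host` utility, as in the sessions above.
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")
# Sample input for offline use: output lines copied from the queries shown on this page.
SAMPLE_HOST_OUTPUT = """\
logserver.cisco.com has address 10.86.229.184
dev.facebook.com has address 10.8.253.45
intranet.dell.com is an alias for intranet.ins.dell.com.
intranet.ins.dell.com has address 10.143.5.15
cvs.cisco.com is an alias for total.cisco.com.
total.cisco.com has address 171.70.71.26
"""

def query(name: str) -> str:
    """Run `host` for one name from an external vantage point; returns its stdout (needs network)."""
    return subprocess.run(["host", name], capture_output=True, text=True, check=False).stdout

def parse_host_output(text: str) -> tuple[dict[str, str], dict[str, list[str]]]:
    """Split `host` output into alias -> target and name -> [addresses] maps."""
    aliases, addrs = {}, {}
    for line in text.splitlines():
        if m := ALIAS_RE.match(line.strip()):
            aliases[m.group(1).rstrip(".")] = m.group(2).rstrip(".")
        elif m := ADDR_RE.match(line.strip()):
            addrs.setdefault(m.group(1).rstrip("."), []).append(m.group(2))
    return aliases, addrs

def resolve_chain(name: str, aliases: dict, addrs: dict) -> list[str]:
    """Follow CNAME aliases to the final name (with a loop guard) and return its addresses."""
    seen = set()
    while name in aliases and name not in addrs and name not in seen:
        seen.add(name)
        name = aliases[name]
    return addrs.get(name, [])

def leak_report(text: str) -> dict[str, list[str]]:
    """Map each queried name to the non-globally-routable (e.g. RFC 1918) addresses it resolves to."""
    aliases, addrs = parse_host_output(text)
    # Names you asked for: every alias source plus every address record that is not an alias target.
    queried = set(aliases) | (set(addrs) - set(aliases.values()))
    report = {}
    for name in sorted(queried):
        leaked = [ip for ip in resolve_chain(name, aliases, addrs)
                  if not ipaddress.ip_address(ip).is_global]
        if leaked:
            report[name] = leaked
    return report
```

Feed `query(name)` output for each public hostname of your own domain into `leak_report`; an empty report from outside your network is what a properly split setup looks like.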