Skip links

Secunia defaced? DNS hijacked?

Secunia is a very popular security company, specialized in vulnerability intelligence, security management, and things like that.

However, yesterday evening, everyone visiting their site received a special “defaced” message (“System down – get babana, hacked by turkguvenligi”):

Secunia defaced

What happened? Did their web servers get hacked?

No, their servers were not hacked. After some analysis, it seems that their DNS was hijacked to point to another location. The first thing pointing to that is that their Whois records were modified yesterday:

Record last updated 11-24-2010 06:49:51 PM
Record expires on 08-16-2017
Record created on 08-16-2002

Domain servers in listed order:

This was followed by a change in their name servers, they were redirected to, which also prompted their main site to be redirected to as well.

The guys from the ISC did some analysis and that’s the response of the host command at the time of the hack:

$ host is an alias for has address mail is handled by 0

Secunia confirmed the attack on their blog:

What’s interesting is that it shows how important it is to monitor the integrity of your Whois and DNS entries. Every client at Sucuri, in addition to the malware and blacklist monitoring, also gets our DNS and Whois monitoring which alerts whenever these are changed. In the case of Secunia, if they had been using our service, they would have detected the Whois change pretty quickly and probably could have reacted before the DNS propagation.