Zone-h just reported a defacement of the MSN shopping domain. Looks like the hacker(s) "Bautista" whacked a slew of W2K servers today. Here's the link - Better catch it before it disappears.
http://shopping.msn.com.sg/x.htm
ouch. pretty funny. major burn on MSN!
Yes. Very embarrassing! I'm kind of stumped on how it was pulled off though. With all the layers of security that MSN employs...I'm inclined to think that it was an inside job. Oh well.... who knows.
With all the stuff going on with Choicepoint, this came at a very bad time for Microsoft. I wonder if people are starting to realize maybe Microsoft pulled MSN logins for external sites for breaches such as this and their vulnerable messaging service.
You have to love some old school hacking fun. He even tells them the files aren't deleted. How nice.
I can't believe it's still up. Oh wait, is this really an msn domain? shopping.msn.com.sg?
Singapore?
//EDIT I see my sig is getting popular.
Yes, that IS a valid MSN domain.
Screenshot attached, in case they ever get around to killing it.
Quote:
Thanks to SamSpade.org
Server Used: [ whois.nic.net.sg ]
http://shopping.msn.com.sg/ = [ 165.21.9.165 ]
The following data is provided for information purposes only.
Registrar: SingNet Pte Ltd
Registrant:
MICROSOFT SINGAPORE PTE LTD
Domain Name: msn.com.sg
Creation Date: 13-08-1998 00:00:00
Expiration Date: 13-08-2005 00:00:00
Domain Status: Active
Owner/Main Contact:
Name: MICROSOFT SINGAPORE PTE LTD (SGNIC-ORGMI126114)
Registered Address(line1): 5 TEMASEK BOULEVARD
Registered Address(line2): 09-03 SUNTEC CITY TOWER
Registered Address(line3):
Registered Country: Singapore
Registered Postalcode: 038985
Guess I should have checked before opening my large orifice. ;)
//EDIT you would think that if MS had some direct control over them they would be offline by now. Still up as of 22:38 UTC.
How is it possible that this has been up for so long and no one from the Microsoft camp has noticed yet?
Is it just me or does something smell fishy?
Well there seems to be two things here.
First, has anyone here actually sent a note to [email protected] or [email protected]? It's very likely they don't know about it given point 2.
Second, it doesn't seem to be a main linked page so it may not "show up on their radar". Not a good reason but I wonder if it's not really a "store" but rather a random page that was created. I tried searching for their page locally and it doesn't appear.
The source is interesting to look at. They went to some lengths to hide their source (linked photo). A search through Google pulls up a variety of similar sites.
It smells fishy to me, Jebo.
So I did my own search, results below:
It's an HTTP server running Microsoft IIS/5.0
The IP is 165.21.9.165
Ports 21, 25, 80 and 1755 TCP give response.
The network information is listed below BUT...
I find it resolving to Milton, Australia, south of Sydney, on the coast.
After reading the below information, I think it's clear that, at least, it's not a MICROSOFT SITE.
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 165.21.0.0 - 165.21.255.255
CIDR: 165.21.0.0/16
NetName: APNIC-ERX-165-21-0-0
NetHandle: NET-165-21-0-0-1
Parent: NET-165-0-0-0-0
NetType: Early Registrations, Transferred to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: This range was transferred to the APNIC Whois Database as
Comment: part of the ERX (Early Registration Transfer) project.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2003-08-20
Updated: 2003-08-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: [email protected]
# ARIN WHOIS database, last updated 2005-03-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
Comment:
RegDate:
Updated: 2004-03-01
ReferralServer: whois://whois.apnic.net
AdminHandle: AWC12-ARIN
AdminName: APNIC Whois Contact
AdminPhone: +61 7 3858 3100
AdminEmail: [email protected]
TechHandle: AWC12-ARIN
TechName: APNIC Whois Contact
TechPhone: +61 7 3858 3100
TechEmail: [email protected]
# ARIN WHOIS database, last updated 2005-03-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Just by looking around, I don't think it is either.
http://shopping.msn.com.sg
It's pretty crappy looking, I think it's a phish.
Now I feel much better. Good detective work, guys!
Well, the hacker mentioned "account", so I'd be guessing he didn't have much trouble getting the rights to do whatever he wants with the domain. Probably it's all because some guy has a very low sense of imagination when it comes to passwords or privacy.
IMHO, I really don't think linking the image would do much if they REALLY hacked MSN. Let me explain my thoughts:
Quote:
They went to some lengths to hide their source (linked photo). A search through Google pulls up a variety of similar sites.
1. the image url is:
http://img198.exs.cx/img198/9610/foto.jpg
which leads back to:
http://imageshack.us/
Now imageshack has to have the IP of whoever uploaded the image to their server; they at least have the proxy IP if he used one, and that's still one step closer to catching him. And believe me, with Microsoft on his trail, I'm sure Bill has ways of finding the right info from places like imageshack...
Now this would still be pretty difficult to do, and Microsoft would REALLY have to want to catch this guy, but it definitely can be done. Bottom line is, it's just not very smart to mess with Microsoft or any of the other 'big boys', which is probably why it's a spoofed MSN look-alike or a part of MSN that Microsoft doesn't care about...
Just my .02
ZT3000, it looks like you're getting the registration for APNIC, not necessarily the address associated with the IP. When I checked with the Whois at Geektools I got the following pulls. Now, this could be a DNS poisoning but either way, MSN will need to deal with it.
Quote:
inetnum: 165.21.0.0 - 165.21.255.255
netname: SINGNET
descr: imported inetnum object for STPL-3
country: SG
admin-c: OoD1-AP
tech-c: OoD1-AP
status: ALLOCATED PORTABLE
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: inetnum: 165.21.0.0 - 165.21.255.255
remarks: netname: SINGNET
remarks: org-id: STPL-3
remarks: status: assignment
remarks: rev-srv: DNSSEC1.SINGNET.COM.SG
DNSSEC2.SINGNET.COM.SG
DNSSEC3.SINGNET.COM.SG
remarks: tech-c: OD-ORG-ARIN
remarks: reg-date: 1993-03-31
remarks: changed: [email protected] 19990504
remarks: source: ARIN
remarks:
remarks: ----------
notify: [email protected]
mnt-by: APNIC-HM
changed: [email protected] 19990504
changed: [email protected] 20040926
changed: [email protected] 20030731
changed: [email protected] 20041214
source: APNIC
person: Owner of Domains
address: 2 Stirling Road #03-00
Singapore, Singapore
country: SG
phone: +65 4722580
fax-no: +65 4753273
e-mail: [email protected]
nic-hdl: OoD1-AP
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: poc-handle: OD-ORG-ARIN
remarks: is-role: Y
remarks: last-name: Owner of Domains
remarks: street: 2 Stirling Road #03-00
Singapore, Singapore
remarks: country: SG
remarks: mailbox: [email protected]
remarks: fax-phone: +65 / 4753273
remarks: bus-phone: +65 / 4722580
remarks: reg-date: 1970-01-01
remarks: changed: [email protected] 19990504
remarks: source: ARIN
remarks:
remarks: ----------
notify: [email protected]
mnt-by: MNT-ERX-SGTELECOM-NON-SG
changed: [email protected] 19990504
changed: [email protected] 20030731
source: APNIC
Quote:
Checking server [whois.nic.net.sg]
Results:
The following data is provided for information purposes only.
Registrar: SingNet Pte Ltd
Registrant:
MICROSOFT SINGAPORE PTE LTD
Domain Name: msn.com.sg
Creation Date: 13-08-1998 00:00:00
Expiration Date: 13-08-2005 00:00:00
Domain Status: Active
Owner/Main Contact:
Name: MICROSOFT SINGAPORE PTE LTD(SGNIC-ORGMI126114)
Registered Address(line1): 5 TEMASEK BOULEVARD
Registered Address(line2): #09-03 SUNTEC CITY TOWER
Registered Address(line3):
Registered Country: Singapore
Registered Postalcode: 038985
Mailing Address(line1): 5 TEMASEK BOULEVARD
Mailing Address(line2): #09-03 SUNTEC CITY TOWER
Mailing Address(line3):
Mailing Country: Singapore
Mailing Postalcode: 038985
Administrative Contact:
Name: MICROSOFT SINGAPORE PTE LTD(SGNIC-ORGMI126114)
Registered Address(line1): 5 TEMASEK BOULEVARD
Registered Address(line2): #09-03 SUNTEC CITY TOWER
Registered Address(line3):
Registered Country: Singapore
Registered Postalcode: 038985
Mailing Address(line1): 5 TEMASEK BOULEVARD
Mailing Address(line2): #09-03 SUNTEC CITY TOWER
Mailing Address(line3):
Mailing Country: Singapore
Mailing Postalcode: 038985
Technical Contact:
Name: LEE, ADRIAN (SGNIC-PERLE126115)
Registered Address(line1): 5 TEMASEK BOULEVARD
Registered Address(line2): #09-03 SUNTEC CITY TOWER
Registered Address(line3):
Registered Country: Singapore
Registered Postalcode: 038985
Mailing Address(line1): 5 TEMASEK BOULEVARD
Mailing Address(line2): #09-03 SUNTEC CITY TOWER
Mailing Address(line3):
Mailing Country: Singapore
Mailing Postalcode: 038985
Billing Contact:
Name: LEE, ADRIAN (SGNIC-PERLE126115)
Registered Address(line1): 5 TEMASEK BOULEVARD
Registered Address(line2): #09-03 SUNTEC CITY TOWER
Registered Address(line3):
Registered Country: Singapore
Registered Postalcode: 038985
Mailing Address(line1): 5 TEMASEK BOULEVARD
Mailing Address(line2): #09-03 SUNTEC CITY TOWER
Mailing Address(line3):
Mailing Country: Singapore
Mailing Postalcode: 038985
Name Servers:
dns4.cp.msft.net
207.46.138.11
dns5.cp.msft.net
207.46.138.12
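The disagreement between the two lookups above (ARIN returning APNIC's own registration in Milton, QLD, versus the APNIC inetnum object showing SINGNET in Singapore) comes down to not following the ReferralServer line. The script below is an added example for this thread, not code from any of the posters: it parses the two whois answers quoted above (trimmed and embedded so it runs offline), walks the referral from ARIN to APNIC, confirms the address actually falls inside the returned range, and reports the operator's netname and country from the final hop only. Function names and the canned response table are the example's own assumptions.

```python
"""Follow an RIR whois referral instead of trusting the first registry's answer.

Added example for this thread (not code from any of the posters). The two
whois texts below are trimmed copies of the ARIN and APNIC output quoted in
the thread, embedded here so the script runs offline; it performs no network
lookups. Function names are the example author's own.
"""
import ipaddress
import re

# Trimmed ARIN answer for 165.21.9.165, as quoted in the thread.
ARIN_RESPONSE = """\
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 165.21.0.0 - 165.21.255.255
CIDR: 165.21.0.0/16
NetName: APNIC-ERX-165-21-0-0
NetType: Early Registrations, Transferred to APNIC
Comment: This IP address range is not registered in the ARIN database.
"""

# Trimmed APNIC answer for the same address, as quoted in the thread.
APNIC_RESPONSE = """\
inetnum: 165.21.0.0 - 165.21.255.255
netname: SINGNET
descr: imported inetnum object for STPL-3
country: SG
admin-c: OoD1-AP
status: ALLOCATED PORTABLE
remarks: rev-srv: DNSSEC1.SINGNET.COM.SG
DNSSEC2.SINGNET.COM.SG
source: APNIC
"""

# Whois server -> canned response (assumed table); a live tool would query instead.
RESPONSES = {"whois.arin.net": ARIN_RESPONSE, "whois.apnic.net": APNIC_RESPONSE}

_FIELD = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_whois(text):
    """Parse 'key: value' whois output into an ordered list of (key, value).

    Lines without a 'key:' prefix (e.g. the extra rev-srv name servers) are
    appended to the previous field, which is how RIR output wraps them.
    Keys are lower-cased so ARIN 'NetRange' and APNIC 'inetnum' can be
    handled by the same code.
    """
    fields = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        m = _FIELD.match(line)
        if m:
            fields.append((m.group(1).lower(), m.group(2).strip()))
        elif fields:
            key, val = fields[-1]
            fields[-1] = (key, val + " " + line.strip())
    return fields


def first(fields, *keys):
    """Return the value of the first field whose key is in keys, else None."""
    for key, val in fields:
        if key in keys:
            return val
    return None


def ip_in_range(ip, range_str):
    """True if ip lies in 'a.b.c.d - w.x.y.z' (inclusive)."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in range_str.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi


def locate_assignment(ip, responses, start="whois.arin.net", max_hops=3):
    """Walk ReferralServer hops until a registry answers without referring on.

    Returns the final server, the range, netname and country plus the chain
    of servers visited. The OrgName/Address on a referring hop describe the
    registry (here APNIC in Milton, QLD), not the network operator, so they
    are deliberately not reported.
    """
    server, chain = start, []
    for _ in range(max_hops):
        chain.append(server)
        fields = parse_whois(responses[server])
        rng = first(fields, "netrange", "inetnum")
        if rng and not ip_in_range(ip, rng):
            raise ValueError(f"{server} returned {rng}, which does not contain {ip}")
        referral = first(fields, "referralserver")
        if referral:
            server = referral.replace("whois://", "").split(":")[0]
            continue
        return {
            "server": server,
            "range": rng,
            "netname": first(fields, "netname"),
            "country": first(fields, "country"),
            "chain": chain,
        }
    raise RuntimeError("too many whois referrals")


if __name__ == "__main__":
    print(locate_assignment("165.21.9.165", RESPONSES))
```

Run against the canned answers it ends at whois.apnic.net with netname SINGNET and country SG, which is the Singapore assignment, not the Australian registry address. The same logic applies to any ERX block: the first RIR you ask may only hold a pointer to the registry that actually maintains the assignment.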
MsMittens,
You are right about the APNIC registration information. My bad.
My first pull of the IP came back with the Singapore information, so I used some backup tools to recheck and came up with the AUS information.
If you go to the Zone-H site here: http://www.zone-h.org/en/defacements/view/id=544708/
It shows the same IP address as being defaced but a different HTTP address and a different defacement dating back to 2003.
A saved mirror copy (found on the same Zone-H page) shows a completely different defacement in Spanish and the words
[email protected]
#ion
--------------------
Brasil RuleZ
So now we have 3 defacements.
I think, without further investigation, that:
1) This is old defacement news.
2) Maybe it actually happened in 2003 while MSN Singapore was asleep at the wheel.
3) Has been long fixed.
4) My best guess is, it was only a DNS poisoning leading to someone else's website.
Even the MSN logo on one of the defaced pages (mirror site) points to some other IP address and not the IP which is supposedly defaced.
This attempt at defacement smells like amateurs.
ZT300,
You bring up some very valid points. However, I have some lingering questions.
I followed the link to Zone-H and the defacement link, which showed up as still being defaced, albeit the defacement is different from the mirrored copy. This typically indicates a redefacement. Also, if you remove the "index.htm" from the URL and reload the page http://msnshopping.eguide.com.sg ; it appears to load a valid page from eguide.com.
So I guess the question is: Does MSN have a relationship with Eguide to use the MSN name within a business context. Unfortunately I don't have the time to hunt it down myself right now. Getting ready for Federal Audit. Ugh.
I like the idea of DNS poisoning though. A very probable solution.
Perusing Netcraft articles today, I came across this and thought of this thread:
http://news.netcraft.com/archives/20...bait_urls.html
Not sure if it applies, but it might...
For those unable to see Zencoder's link visit this one: http://tinyurl.com/453vw
Looks like the msn site is back up the way it is supposed to be. Wonder why it took them so long to replace it.
Possibly because the notification didn't go to the right people or went to the wrong division (it might take a longer trickle time if you notify [email protected] versus sending something to [email protected] -- just a theory). Either way, IME, I've found that companies that are this huge are harder to move to fix because they are just too big to see things (so to speak).