The IE Domain Registry (IEDR) have concluded an investigation into the security incident on Tuesday 9th October that resulted in visitors to Google.ie and Yahoo.ie being sent to an Indonesian webserver controlled by hackers.
At 12pm today, the IEDR released a statement confirming that the security incident occurred because the Joomla content management system installed on the IEDR website had been exploited. The statement explains that during a period of 25 days (starting on 11th September), “the public-facing web server of the IEDR was subjected to repeated attempts at unauthorised access from external sources”. The attempts to hack the IEDR web server were eventually successfully on Saturday 6th October when the hacker was able to exploit a Joomla plugin and upload malicious PHP web scripts. The IEDR statement said: “PHP scripts were then used to access a backend database and this database access subsequently provided access to the IEDR control panel and permitted unauthorised modifications to an account.”
That account belonged to the registrar MarkMonitor who provide domain registration services to large corporations. On Tuesday 9th September, a full four weeks after the initial signs of a hacking attempt, the MarkMonitor account was accessed and the the domain names Google.ie and Yahoo.ie were re-configured to use two malicious DNS nameservers located in Indonesia. The DNS nameservers are used by well-known hacking websites, and since they are controlled by a hacker, it’s possible that visitors to Google.ie and Yahoo.ie may have been brought to a fake website, purporting to be the real Google or Yahoo website. The fake website could potentially have gathered user information or prompted users to download malware or viruses. Peter Armstrong from Irish webhosting provider Spiral Hosting explained, “Luckily there haven’t been any reports of any malware or viruses coming from the two websites. The sites were timing out and we suspect the hacker’s webservers were overwhelmed; they couldn’t cope with the volume of traffic Google and Yahoo would normally receive. Luckily, the IEDR were quick to restore the correct DNS nameservers on both the domain name and minimise the disruption caused. Luckily, other websites like Microsoft.ie which is also managed by MarkMonitor were not affected. It’s all very lucky. It is a security disaster but it could have been much worse. If website visitors had have been infected with malware, Google, Yahoo, MarkMonitor and the IEDR could have been dealing with a security catastrophe.”
The IEDR have confirmed that a criminal investigation by the Garda Bureau of Fraud Investigation is continuing, and they point out that a recently appointed Technical Services Manager will place increased emphasis on security policies, processes and procedures at the IE Domain Registry.
The IEDR’s Joomla website, which was taken offline on 9th October, was replaced on 26th October with a new website built using the Drupal content management system. The new website has received criticism for its bland design and lack of a WHOIS lookup facility, however the IEDR have insisted they have “prioritised the restoration of secure services” and they will address issues with the new website design over the coming weeks.