DNS hacks the norm

For search engine optimization and increased distribution, pornography and malware distributors commonly hack websites (interestingly, Google’s work in marking sites as “unsafe” in search results may be contributing to this trend, as it is driving malware and porn distributors to rely increasingly on hacking good sites to perform redirections to their own bad sites).

It’s rampant. And it’s most troubling because a lot of these are happening on .edu and .gov sites. Finding these hacked sites is trivial. Simply search for terms like “sex”, “porn”, “free ringtones”, “free”, “casino”, “sesso”, “gratuito”, “porno”, “fottilo”, etc., combined with the operator site:edu or site:gov (if you’re going to do this, be very careful with these links — they often push malware). Some of the stuff is just comment spam. But plenty is real live redirects.

What we’re also seeing is a lot of DNS hacks. For example, take the City of Plainsville, Kansas (warning: graphic content):

http://www.sunbelt-software.com/ihs/alex/cityofplainsville12388_thumb1.jpg

God what a mess. These people are so hosed it’s beyond belief. And those links push malware.

Now, let’s take a closer look. If we do a simple DNS lookup on cityofplainville-ks.gov, we get an IP of 72.22.69.138. However, if we do a DNS lookup on, for example, 2.z.cityofplainville-ks.gov, we get an IP of 89.28.13.214. This same pattern will show itself on a number of other sites. And they are always the fault of the web hosting provider.

Fair warning.
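
As an added example (not from the original post), the following Python sketch shows how a site owner could check a zone for the pattern described above: it takes observed hostname-to-address pairs and flags subdomains that resolve outside the network the apex lives in. The sample rows are constructed around the two addresses quoted in the post; the same-/24 rule and the names `audit_zone` and `expected_networks` are assumptions for illustration.

```python
import ipaddress

# Constructed observations (hostname, A record), e.g. from a zone export or a
# passive-DNS feed. The two addresses are the ones quoted in the post; the
# "www" row and the look-alike row are made up for the example.
OBSERVED = [
    ("cityofplainville-ks.gov", "72.22.69.138"),
    ("www.cityofplainville-ks.gov", "72.22.69.138"),
    ("2.z.cityofplainville-ks.gov", "89.28.13.214"),
    ("cityofplainville-ks.gov.example.net", "203.0.113.9"),  # not in the zone
]

def expected_networks(apex_ips, prefix_len=24):
    """Assumption: legitimate hosts share a /24 with the apex address."""
    return [ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in apex_ips]

def audit_zone(apex, observations, prefix_len=24):
    """Return (hostname, ip) pairs under `apex` that resolve outside the
    networks the apex itself resolves into."""
    apex = apex.lower().rstrip(".")
    rows = [(h.lower().rstrip("."), ipaddress.ip_address(ip))
            for h, ip in observations]
    apex_ips = [ip for h, ip in rows if h == apex]
    if not apex_ips:
        raise ValueError(f"no A record observed for apex {apex}")
    allowed = expected_networks(apex_ips, prefix_len)
    findings = []
    for host, ip in rows:
        # Match on a label boundary so look-alike names are not counted.
        in_zone = host.endswith("." + apex)
        if in_zone and not any(ip in net for net in allowed):
            findings.append((host, str(ip)))
    return findings

if __name__ == "__main__":
    for host, ip in audit_zone("cityofplainville-ks.gov", OBSERVED):
        print(f"UNEXPECTED {host} -> {ip}")
```

A finding here is a prompt to review the record with whoever controls the zone, since a legitimate third-party service can also live on an outside address.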

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, Knowbe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.