"What's in a name? That which we call a rose / By any other name would smell as sweet." – Juliet, Romeo and Juliet (II, ii, 1-2)



"A good name is more desirable than great riches; to be esteemed is better than silver or gold." – Proverbs 22:1 (NIV)

A rose is a rose is a rose

What if I could hack your organization and abuse your company’s reputation – and what if I could do it without your firewall, IDS, IPS, or your host-based badware detection making a peep?



What if I could use your organization’s good name to sell ED drugs, questionable Facebook "apps," shady online "personal ads," or to distribute porn that would make a sailor blush?



What if I did all of that, and you didn’t know? What if the hack itself took place on a machine you didn’t directly control and only accessed rarely? And what if the hack was so subtle, so obscure, and so difficult to find that once I had it in place, it might be years before you ever stumbled across it – if you ever stumbled across it?



This nightmare scenario is, unfortunately, reality for at least 50 organizations – ones that I’ve been able to uncover – and I'm certain that there are many, many more. Each of these organizations has been a victim of a malicious alteration of their domain information – an alteration that added new machine names to their existing information, and allowed bottom-feeding scam artists to abuse their good reputation to boost the search-engine profile of their drug, app, "personal ad," or porn sites.



Take a look at the following table:




Note: These IP addresses can (and should) change. The above information was gathered 10-7-2011 13:00 UTC.

Over 150 "new" entries have been created in the zone information for these organizations. Each of these new "sites" inherits whatever good reputation the parent domain may have accumulated, and is, therefore, valuable as a means of search engine optimization (SEO).



The following table shows that these hacks occurred at multiple DNS providers with a few being somewhat more "popular" than others:


Down the Rabbit Hole

Finding these sites was a matter of luck and perseverance. Initially, I happened across a single, odd-sounding site name while looking for organizations that had been compromised by the bad guys for SEO purposes. Using tools that attempt to list all of the domain records pointing to a particular IP address led me to more. Google searches for sites linking to these domains led me further. Unquestionably, there are more of these types of sites out there – some not currently in use. However, because there is no good way to truly search DNS information, attempting to find these from the "outside" is difficult and frustrating.

"Round up the usual suspects..."

How did this happen? Unsurprisingly, no one I talked to about this was standing at the front of the line, ready to take the blame for these issues: domain owners swear they used good passwords and are sure that the DNS providers were hacked, DNS providers are certain that the domain owners used lousy passwords on their accounts... 'round and 'round we go.

My gut tells me that the truth lies somewhere in between: bad passwords combined with poor account lockout controls on something like a cPanel-type web interface probably led to successful brute force attacks on most of these... I could, however, be completely wrong. Unfortunately, I just don't have the time to chase every one of these to ground.

Don't Let This Happen To You

Check your DNS zone file information periodically, just to make sure nothing has been added without your knowledge.

Choose passwords wisely, especially on interfaces where brute-force attacks are likely (i.e., pretty much anything accessible from the internet). Never use dictionary words. And remember: while "qwertyuiop" may not be in your dictionary, it IS in mine...

Periodically take a look at your website the way Google sees it (Google search: "site:yoursite.com" – NOT www.yoursite.com) and look through the pages for anything out of the ordinary. Toss a few choice keywords in as well ("Viagra," "Cialis," "drugs," "personals," etc...). This kind of search can help you discover many different types of issues with your site.
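One way to do the periodic zone check recommended above, as an added example that is not from the diary: diff a saved zone snapshot against what the provider serves now, and flag any added name whose label looks like the spam hostnames listed here or whose address is one the zone never used before. It assumes BIND-style zone text; example.org and both snapshots are constructed.

```python
"""Report A records added to a DNS zone since a known-good snapshot.
Added example (not from the diary); example.org and both snapshots are constructed."""
import re

# Labels seen in the diary's spam hostnames; extend to taste.
SPAM_WORDS = ("viagra", "cialis", "drugs", "payday", "personals", "tubes", "loans")
# "name [ttl] [IN] A a.b.c.d" in BIND zone syntax (other record types are ignored)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_zone(text):
    """Return {owner name: {ipv4, ...}} for the A records in a zone snapshot."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.split(";", 1)[0].strip())  # drop comments
        if m:
            records.setdefault(m.group(1).rstrip("."), set()).add(m.group(2))
    return records

def zone_diff(baseline, current):
    """A records in `current` missing from `baseline`, each with two suspicion flags."""
    old, new = parse_zone(baseline), parse_zone(current)
    known_ips = {ip for ips in old.values() for ip in ips}
    findings = []
    for name, ips in sorted(new.items()):
        for ip in sorted(ips - old.get(name, set())):
            label = name.split(".")[0].lower()
            findings.append({"name": name, "ip": ip,
                             "spam_label": any(w in label for w in SPAM_WORDS),
                             "foreign_ip": ip not in known_ips})  # points off your own hosts
    return findings

def suspicious(baseline, current):
    """Names worth a human look: spam-looking label or an address the zone never used."""
    return [f["name"] for f in zone_diff(baseline, current)
            if f["spam_label"] or f["foreign_ip"]]

# Constructed snapshots: what you saved last quarter vs. what the provider serves now.
BASELINE = """\
$ORIGIN example.org.
@      IN A  203.0.113.10
www    IN A  203.0.113.10
mail   IN A  203.0.113.25
"""
CURRENT = BASELINE + """\
buy-cialis    IN A  198.51.100.7   ; added without the owner's knowledge
payday-loans  IN A  198.51.100.7
blog          IN A  203.0.113.10   ; legitimate addition, same host as www
"""
```

Run it against a zone export (or an AXFR you are allowed to take) saved when the zone was last reviewed; a legitimate addition such as the blog host above passes both checks, while the two spam names are reported.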

Tom Liston

ISC Handler

Senior Security Consultant, InGuardians, Inc.

Twitter: @tliston