Feb 09, 2010, 02:52 pm
Hackers fail to hack Tymoshenko.ua website
The problem has to do with a BGP vulnerability that allows an attacker to announce a block of IP addresses and have that announcement transmitted onward, as a result of which a visitor going to a certain web address sees a fake site.
Back in 2008, a YouTube outage was caused by this problem. Pakistani ISPs blocked local users' access to the website, as a result of which YouTube was blocked for two hours, not only in Pakistan but around the world.
On February 7, after the exit poll results were announced, starting at 10pm, some visitors to the Tymoshenko.ua website saw a harassing message rather than the real site. Many information agencies reported that Yulia Tymoshenko’s official website had been hacked.
Our experts have evidence of an attacker misappropriating IP addresses and then spreading this information through a loyal ISP.
The following log confirms this (GMT 0):
1265573554 20:12:34_07-Feb 1 0 0 0 1 +A 212.113.34.0/24 <4608 1221 4637 6939 5577 50398 6849>
1265573558 20:12:38_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4777 2497 6939 5577 50398 6849>
1265574317 20:25:17_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4608 1221 4637 3549 6939 6939 5577 50398 6849>
1265574318 20:25:18_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4777 2516 3356 3549 6939 6939 5577 50398 6849>
1265574348 20:25:48_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4608 1221 4637 3561 3549 6939 6939 5577 50398 6849>
1265574379 20:26:19_07-Feb 0 0 0 0 0 - 212.113.34.0/24 <4608 1221 4637 3561 3549 6939 6939 5577 50398 6849>
1265575354 20:42:34_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4608 1221 4637 6939 5577 50398 6849>
1265575384 20:43:04_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4777 2516 6939 5577 50398 6849>
1265576118 20:55:18_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4777 2497 701 3549 6939 6939 5577 50398 6849>
1265576148 20:55:48_07-Feb 0 0 0 0 0 - 212.113.34.0/24 <4777 2497 701 3549 6939 6939 5577 50398 6849>
As you can see from entry 1265573554 20:12:34_07-Feb, the attacker, AS50398 (ispkaravan.net), violated the rules for use of IP addresses by announcing a block of addresses that did not belong to it, and its ISP, AS5577 (root eSolutions), also breaking the rules, accepted this information and transmitted it across the Internet.
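An added example, not part of the original article: a Python parser for the log format shown above that checks what the analysis relies on, namely that every recorded path carries AS5577 directly upstream of AS50398 and that the two timestamp columns agree when read as UTC. It assumes conventional AS_PATH order (observer on the left, origin on the right); the five integer columns are not explained on the page and are kept uninterpreted, and all function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Five of the entries from the log above, copied verbatim.
LOG = """\
1265573554 20:12:34_07-Feb 1 0 0 0 1 +A 212.113.34.0/24 <4608 1221 4637 6939 5577 50398 6849>
1265573558 20:12:38_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4777 2497 6939 5577 50398 6849>
1265574379 20:26:19_07-Feb 0 0 0 0 0 - 212.113.34.0/24 <4608 1221 4637 3561 3549 6939 6939 5577 50398 6849>
1265576118 20:55:18_07-Feb 1 1 0 0 0 +P 212.113.34.0/24 <4777 2497 701 3549 6939 6939 5577 50398 6849>
1265576148 20:55:48_07-Feb 0 0 0 0 0 - 212.113.34.0/24 <4777 2497 701 3549 6939 6939 5577 50398 6849>
"""

LINE = re.compile(r"^(\d+) (\S+) ((?:\d+ ){5})(\S+) (\S+) <([\d ]+)>$")

def parse(log):
    """Yield one dict per entry; the five integer flags stay uninterpreted."""
    for raw in log.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised entry: {raw!r}")
        epoch, stamp, flags, event, prefix, path = m.groups()
        utc = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        # The readable column must match the epoch when interpreted as UTC.
        if utc.strftime("%H:%M:%S_%d-%b") != stamp:
            raise ValueError(f"timestamp columns disagree: {raw!r}")
        yield {"utc": utc, "event": event, "prefix": prefix,
               "flags": flags.split(), "path": [int(a) for a in path.split()]}

def dedupe(path):
    """Collapse AS-path prepending (e.g. 6939 6939) into single hops."""
    return [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]

def hands_off(path, downstream, upstream):
    """True if `upstream` sits immediately left of `downstream` in the path."""
    hops = dedupe(path)
    return any(u == upstream and d == downstream for u, d in zip(hops, hops[1:]))

def common_tail(paths):
    """Longest run of ASNs shared at the right-hand end of every path."""
    tail = []
    for column in zip(*(reversed(dedupe(p)) for p in paths)):
        if len(set(column)) != 1:
            break
        tail.insert(0, column[0])
    return tail
```

Run over these entries, `common_tail` returns the hops every observer shares, which is where the paths from different vantage points converge on the networks named in the analysis.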
We have filed a complaint with RIPE (European IP Registry Network Coordination Centre) asking that they investigate and punish the attackers.

