Avira, AVG, Alexa and WhatsApp websites hacked by KDMS Team



The hacker group that defaced the popular hosting website LeaseWeb has once again attacked top websites and left them defaced.

The affected sites include the popular messaging service WhatsApp, the top free antivirus AVG, Avira, Alexa (Alexa.net) and the porn website RedTube.

The whois data of the affected domains apparently shows that they are registered with Network Solutions.


It appears hackers compromised the domain provider and changed the DNS data rather than attacking individual websites.

At the time of writing, the Avira website still shows the defaced page, whereas the other websites, including avg.com, are offline.


AVG has confirmed to E Hacking News that "it has had a select number of online properties defaced as a result of our domain name system (DNS) registrar being compromised".

"A number of other companies appear to have been faced with the similar issue. The situation is being further monitored and assessed closely. Customers are our priority, the DNS records have been corrected and AVG is working hard to resume normal service levels to its customer base and continue to protect our customers and their privacy."

Google, YouTube, Gmail, Intel Turkmenistan Sites Hacked by Iranian Hackers


Major Turkmenistan sites were defaced by Iranian hackers yesterday in a DNS poisoning attack. The defacements include major sites of Google, YouTube, Orkut, Gmail, Intel, Xbox, etc.

These hacked domains are all registered at NIC Turkmenistan. The domain names include:

  • www.google.tm 
  • www.youtube.tm 
  • www.xbox.tm 
  • www.gmail.tm 
  • www.msdn.tm
  • www.officexp.tm
  • www.windowsvista.tm 
  • www.intel.tm 
  • www.orkut.tm 


The hacker just uploaded a simple HTML page to show off the defacement. This is the first attack on NIC sites in 2013. An MS SQL vulnerability led to this breach, and here is the entire image for it. The hackers have also got access to DNS records.

You can view the entire data leak here:

http://ha.cker.ir/2013/01/data-leakage-from-nic-tm/

Mirrors of the defaced sites can be viewed here:
http://zone-h.com/archive/ip=198.105.216.250

http://append-hc.com/mirror/id/66204

Author of this article: Akshay Kumar.

Romanian Google, Yahoo, Microsoft, Paypal, Kaspersky hacked By Algerian Hacker MCA-CRB

Google Romania hacked

Here is another DNS poisoning attack. We can call this month the 'Month of DNS poisoning attacks'. The report says hackers compromised RoTLD, the Romanian Top Level Domain Registry, and poisoned the DNS records.

An Algerian hacker group called MCA-CRB allegedly hijacked the domain registrar and changed the DNS records so that they point to a defacement page.

The list of affected domains:
  • google.ro
  • yahoo.ro
  • microsoft.ro
  • paypal.ro
  • kaspersky.ro
  • windows.ro
  • hotmail.ro

The hackers modified the DNS records so that they point to an IP address located in the Netherlands: 95.128.3.172 (server1.joomlapartner.nl).

The mirror of the defacement can be found here:
http://www.zone-h.org/archive/notifier=MCA-CRB

At the time of writing, the affected sites are back online and working properly.

According to the Zone-H record, the hacker group MCA-CRB has defaced 5,530 websites so far, many of them appearing to cover government and public services sites from countries across Asia, Africa, Europe, Australia and the Americas.

A few days back, hackers broke into the PKNIC site using an SQL injection vulnerability and changed the DNS records, which resulted in the hijacking of hundreds of top-level Pakistani domains, including Google, Microsoft, PayPal and more.

AlpHaNiX Hacked Google, Gmail, YouTube, Yahoo, Apple, Microsoft, Hotmail


A hacker named "AlpHaNiX" hacked and defaced the main pages of Google, Gmail, YouTube, Yahoo, Apple, etc. The websites are hosted under the .cd domain (Democratic Republic of Congo domains). The hacker used the DNS cache poisoning method to hack these big sites.

List of Hacked websites:
  • http://apple.cd/
  • http://yahoo.cd
  • http://gmail.cd/
  • http://google.cd/
  • http://youtube.cd/
  • http://linux.cd/
  • http://samsung.cd/
  • http://hotmail.cd/
  • http://microsoft.cd/

Interestingly, the websites are still showing the defacement page, except Google and Gmail.

Brazil ISP servers under DNS cache Poisoning attack, spreads Trojan


"Brazil ISP servers under massive DNS cache Poisoning attack", warns Kaspersky Lab expert Fabio Assolini. When Brazilians try to visit Facebook, Google, YouTube and other websites, a pop-up message asks them to install Google Defence or some Java applet in order to access the sites.

Some innocent people will install it without knowing what problem will occur. If you are a reader of EHN or know about security risks, you know what happens. Yes, it will spread the banking Trojan.

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.
80.XX.XX.198/Google_setup.exe
80.XX.XX.198/google_setup.exe
80.XX.XX.198/Google_Setup.exe
80.XX.XX.198/ad2.html
80.XX.XX.198/flash.jar
80.XX.XX.198/FaceBook_Complemento.exe
80.XX.XX.198/ad.html
134XX69350/AppletX.class
80.XX.XX.198/YouTube_Setup.exe
80.XX.XX.198/FlashPlayer.class
80.XX.XX.198/google2.exe
80.XX.XX.198/crossdomain.xml
80.XX.XX.198/favicon.ico
In fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list.

Infecting people through a DNS poisoning attack is very easy because users trust the sites they know. Cyber criminals paid an employee who has access to the DNS records to modify them so that users are redirected to the malicious site.

Assolini notes that last week the Brazilian police has arrested an employee of an ISP located in the south of the country, and that he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only ones who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download.

The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.
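
The incidents above fall into two groups: records changed at the registry or registrar (RoTLD, Network Solutions), and answers altered at one ISP resolver or router (Brazil). The following monitoring check is an added example, not code from the original articles; it compares answers from several vantage points with a recorded baseline and separates the two cases. The baseline name servers, address ranges, resolver names and the 203.0.113.66 answer are constructed assumptions.

```python
import ipaddress

# Constructed baseline (assumption): placeholder name servers and address ranges.
BASELINE = {
    "google.ro": {"ns": {"ns1.example.net", "ns2.example.net"},
                  "nets": ["192.0.2.0/24"]},
    "paypal.ro": {"ns": {"ns1.example.org", "ns2.example.org"},
                  "nets": ["198.51.100.0/24"]},
}

# Constructed answers: (domain, hypothetical resolver, NS set, A records).
OBSERVED = [
    ("google.ro", "resolver-a", ["ns1.unknown.example."], ["95.128.3.172"]),
    ("google.ro", "resolver-b", ["ns1.unknown.example."], ["95.128.3.172"]),
    ("google.ro", "resolver-c", ["ns1.unknown.example."], ["95.128.3.172"]),
    ("paypal.ro", "resolver-a", ["NS1.example.org."], ["198.51.100.10"]),
    ("paypal.ro", "resolver-b", ["ns1.example.org"], ["203.0.113.66"]),
    ("paypal.ro", "resolver-c", ["ns2.example.org"], ["198.51.100.11"]),
]

def drift(domain, ns, addrs, baseline=BASELINE):
    """Return how one resolver's answer deviates from the baseline."""
    expected = baseline[domain]
    nets = [ipaddress.ip_network(n) for n in expected["nets"]]
    found = [("unexpected-ns", n) for n in ns
             if n.rstrip(".").lower() not in expected["ns"]]
    found += [("address-outside-baseline", a) for a in addrs
              if not any(ipaddress.ip_address(a) in net for net in nets)]
    return found

def classify(observations, baseline=BASELINE):
    """Per domain: 'ok', 'authoritative-side' or 'resolver-side: <names>'."""
    seen, drifted = {}, {}
    for domain, resolver, ns, addrs in observations:
        seen[domain] = seen.get(domain, 0) + 1
        if drift(domain, ns, addrs, baseline):
            drifted.setdefault(domain, []).append(resolver)
    verdicts = {}
    for domain, total in seen.items():
        bad = sorted(drifted.get(domain, []))
        if not bad:
            verdicts[domain] = "ok"
        elif len(bad) == total:   # every vantage point sees the new records
            verdicts[domain] = "authoritative-side"
        else:                     # only some resolvers serve altered answers
            verdicts[domain] = "resolver-side: " + ", ".join(bad)
    return verdicts

if __name__ == "__main__":
    print(classify(OBSERVED))
```

The split is a heuristic: domains served through geo-DNS or a CDN legitimately return different addresses per resolver, so the baseline has to list every range the owner uses.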