China connection to Go Daddy WordPress attacks

Go Daddy’s hosting customers are under attack again, and this time it looks like it’s more serious.

Reports are surfacing that WordPress sites hosted at Go Daddy, and possibly also Joomla and plain PHP pages there, are being hacked to add drive-by malware downloads to them.

Go Daddy has acknowledged the attacks, blaming outdated WordPress installations and weak FTP passwords, and has put up a page with instructions for cleaning the infection.

Last week, I was told that the first round of attacks was very limited. Today, the attackers seem to have stepped it up a notch.

As a result, Go Daddy could find itself in a similar situation to Network Solutions, which had a couple of thousand customer sites hacked a few weeks back.

The attacks appear to be linked to a well-known crime gang with a Chinese connection.

According to Sucuri, when a Go Daddy-hosted WordPress page is hacked, JavaScript is injected that attempts to redirect surfers to a drive-by attack from the domain kdjkfjskdfjlskdjf.com (don’t go there).
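A defender-side check for the injection Sucuri describes, added here and not part of Go Daddy's cleaning instructions or Sucuri's tooling: it scans a hosting docroot for script tags that load from the indicator domain or from any host not on an allowlist, and for the obfuscated inline scripts such campaigns typically carry. The obfuscation heuristic, the allowlist and the two sample files are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Indicator domain named in the Sucuri report quoted above.
KNOWN_BAD_HOSTS = {"kdjkfjskdfjlskdjf.com"}

# External script includes: <script ... src="[http(s):]//host/...">
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]+src\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE)
# Inline script that opens with eval/unescape/document.write; a heuristic
# (assumption), since mass-injection campaigns commonly obfuscate this way.
OBFUSCATED_RE = re.compile(
    r"<script[^>]*>\s*(?:eval|unescape|document\.write)\s*\(", re.IGNORECASE)


def scan_text(text, allowed_hosts):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    for host in SCRIPT_SRC_RE.findall(text):
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known-bad-host", host))
        elif host not in allowed_hosts:
            findings.append(("unknown-external-script", host))
    if OBFUSCATED_RE.search(text):
        findings.append(("obfuscated-inline-script", "eval/unescape/document.write"))
    return findings


def scan_tree(root, allowed_hosts, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a docroot; return {path: findings} for files that have any."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples: a clean theme footer and one carrying the injection.
SAMPLE_CLEAN = '<script src="//ajax.googleapis.com/ajax/libs/jquery.js"></script>'
SAMPLE_INFECTED = (
    '<?php wp_footer(); ?></body>'
    '<script src="http://kdjkfjskdfjlskdjf.com/js.php"></script>'
    '<script>eval(unescape("%3C%62%3E"));</script></html>')

if __name__ == "__main__":
    # Runs on the constructed samples; pass a docroot to scan_tree() for real use.
    for label, sample in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, scan_text(sample, {"ajax.googleapis.com"}))
```

A hit on the known-bad host alone is not proof the file is the only one touched; the page's own advice (update WordPress, rotate FTP passwords) still applies after cleaning.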

This domain was registered with BizCN.com, an ICANN-accredited Chinese registrar, but its name servers appear to have been created purely for the attack.

The registrant’s email address is hilarykneber@yahoo.com. This connects the attack to the “Kneber” botnet, a successful criminal enterprise that has been operating since at least December 2009.

A Netwitness study revealed the network comprised at least 74,000 hacked computers, and that the bulk of Kneber’s command and control infrastructure is based in China.

Since Kneber is known to be operated by a financially motivated gang, and it’s by no means certain that they’re Chinese, it’s probably inaccurate to suggest there’s something political going on.

However, I will note that Go Daddy was quite vocal about its withdrawal from the .cn Chinese domain name registration market.

Network Solutions, while it was quieter, also stopped selling .cn domains around the same time as the Chinese government started enforcing strict registrant ID rules last December.

I-Root yanks Beijing node

Kevin Murphy, March 31, 2010, Domain Tech

Autonomica, which runs i-root-servers.net, has stopped advertising its Anycast node in Beijing, after reports last week that its responses were being tampered with.

In the light of recent tensions between China and the US, people got a bit nervous after the Chilean ccTLD manager reported some “odd behaviour” to the dns-ops mailing list last week.

It seemed that DNS lookups for Facebook, Twitter and YouTube were being censored as they returned from I-Root’s node in China, which is hosted by CNNIC.

There was no suggestion that Autonomica was complicit in any censorship, and chief executive Karl Erik Lindqvist has now confirmed as much.

“Netnod/Autonomica is 100% committed to serving the root zone DNS data as published by the IANA. We have made a clear and public declaration of this, and we guarantee that the responses sent out by any i.root-servers.net instance consist of the appropriate data in the IANA root zone,” he wrote.

While Lindqvist is not explicit, the suggestion seems to be that somebody on the Chinese internet not associated with I-Root has been messing with DNS queries as they pass across the network.
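A check of the kind the Chilean ccTLD report implies, added here and not code from Netnod/Autonomica or the dns-ops thread: it parses a root-server reply to a query for facebook.com and flags anything other than a clean referral (no answer records, AA clear, a delegation in the authority section). Both wire messages are constructed for the example; the message ID, TTLs and the 203.0.113.7 address are assumptions.

```python
import struct

def _name(dotted):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = [bytes([len(lab)]) + lab.encode("ascii") for lab in dotted.split(".")]
    return b"".join(labels) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (pointers allowed)."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def check_root_referral(msg):
    """List anomalies in a root-server reply to a query such as facebook.com/A.
    A genuine reply is a referral: QR=1, AA=0, RCODE=0, no answer records,
    and NS records for the TLD in the authority section."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    anomalies = []
    if not flags & 0x8000:
        anomalies.append("QR clear: not a response")
    if flags & 0x0400:
        anomalies.append("AA set: root is not authoritative for this name")
    if flags & 0x000F:
        anomalies.append("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    if an:                                    # a referral carries no answers
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        shown = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        anomalies.append("answer record present (type %d -> %s)" % (rtype, shown))
    elif ns == 0:
        anomalies.append("no delegation in authority section")
    return anomalies

_hdr = lambda flags, an, ns: struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0)
QUESTION = _name("facebook.com") + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
# Constructed: a clean referral (QR=1, AA=0) delegating "com" to a gTLD server.
REFERRAL = (_hdr(0x8000, 0, 1) + QUESTION + _name("com")
            + struct.pack("!HHIH", 2, 1, 172800, 20) + _name("a.gtld-servers.net"))
# Constructed: a tampered reply carrying an A record (0xC00C points at the question name).
FORGED = (_hdr(0x8400, 1, 0) + QUESTION + b"\xC0\x0C"
          + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))
```

Feeding the function the raw bytes returned by a query to a specific i.root-servers.net instance, and comparing against another instance, is how the "odd behaviour" on the list was spotted.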

This is believed to be common practice in China, whose citizens are subject to strict censorship, but any such activity outside its borders obviously represents a threat to the internet’s reliability.

The CNNIC node is offline until further notice.

Go Daddy follows Google out of China

Kevin Murphy, March 24, 2010, Domain Registrars

Go Daddy is to stop accepting new .cn registrations, after CNNIC demanded that it start collecting photographs and signed registration documents from Chinese customers.

General counsel Christine Jones told the Congressional Executive Committee on China that Go Daddy has also seen an increase in DDoS attacks, specifically against human rights sites that it hosts.

“Domain name registrars, including Go Daddy, were then instructed to obtain photo identification, business identification, and physical signed registration forms from all existing .CN domain name registrants who are Chinese nationals, and to provide copies of those documents to CNNIC,” she said.

Any domain without such documentation would have been blocked by China, she said.

“For these reasons, we have decided to discontinue offering new .CN domain names at this time. We continue to manage the .CN domain names of our existing customers,” she said.

Go Daddy has about 1,200 Chinese customers and 27,000 .cn domains on its books. The company is not going to block Chinese customers. What China will do about them remains to be seen.

The move comes at a tense time for US-China internet relations, with Google grabbing headlines all week due to its ongoing censorship row with the country.

Jones denied the move has anything to do with Google. “We made the decision that we didn’t want to act as an agent of the Chinese government,” she said.

I’ve uploaded a PDF of her written testimony here.

Gossip: Geldof, China and Site Finder

Kevin Murphy, March 7, 2010, Gossip

Eight Sunday morning tidbits.

  • Bob Geldof was on the BBC’s Andrew Marr Show this morning, via satellite from Nairobi. It seems likely he’s there in relation to the IGAD conference on east-African drought, which is being held at the same venue as the ICANN meeting, which kicked off today. Let’s hope he’s

Gossip: DNS incest T-shirts, etc…

Kevin Murphy, March 2, 2010, Gossip

Eight domain name stories I would have loved to look into in more detail today: