Baidu.com Down Today
January 12, 2010 at 10:40 am | Posted in Uncategorized | 9 Comments

Below is a pasted translation of a chronology of Baidu.com's morning travails. Some of it is a little technical, but it is interesting nonetheless to see the weird messages being sent, or not being sent. The Iranian Cyber Army's calling card has been left, and the style is reminiscent of the recent attack on Twitter.com, but more likely this is the work of anyone but Iran, as Iran has no gripe with China: the US, Israel, anyone but Iran? Also interesting are reports of China's counterattack against Iranian websites, showing they too can hack the .com "register". Could both sides be being played? Let's see what we can find...
At seven o'clock this morning Baidu suffered an access interruption. A WHOIS query for the baidu.com domain turned up a problem with Baidu's domain information that leaves the domain unable to resolve. The problem has not yet been fixed, and Baidu has not issued a response.
Baidu.com's DNS servers have been replaced, the main domain now resolves to a Dutch IP, and visits to Baidu's sub-domains are redirected to a Yahoo error page. The WHOIS data keeps being refreshed.
If you are able to reach baidu.com yourself, please let us know promptly by submitting a news tip, via @cblive, or through other channels. Please attach more detailed supporting material and your location.
09:55 The seesaw battle continues. "baidu" is the fastest-rising keyword on Google's hot search list. Most domestic media have reported that Baidu's domain name was hijacked.
09:40 The NS records for baidu.com were changed to hostgator.com once again, then changed back. This keeps happening back and forth: the NS data is being fought over between Baidu and the hackers.
09:28 Yahoo appears to be providing the current resolution for baidu.com.
09:20 Baidu has quickly climbed to the top of Alexa's hot list.
09:15 The IP the domain resolves to is pink2.warez-host.com. Its home page is now down; the page displayed snapshots of its data centers in Iran, the Netherlands and Germany, offering "off-shore hosting services."
09:10 The Iranian page that the domain was redirected to now displays "This account is suspended". A series of screenshots has been added.
08:36 Some netizens provided a screenshot of the defaced page, captioned "Iranian Cyber Army". The text on the page reads: ارتش سایبری ایران در اعتراض به دخالت های سايتهاي بيگانه و صهیونیستی در امور داخلی کشورمان و پخش اخبار دروغ و تفرقه برانگیز راه اندازي شده اس (The Iranian Cyber Army has been launched in protest against the interference of foreign and Zionist sites in our country's internal affairs and the spreading of false and divisive news.)
08:30 Baidu's DNS data has been changed back, but the WHOIS data has still not refreshed.
08:20 A netizen was redirected to a defaced page reading "Iranian Cyber Army". The likelihood that the domain name was stolen or hijacked is quite high, but Baidu's request volume is so large that no single defacement server could withstand it, so most visits simply fail. Recall the last time a domain name was redirected, Twitter's; the two attacks are strikingly similar.
9 Comments »
Later today, after lunch, once Baidu.com was back up, Iranian websites were reported blocked with a similar tactic. Any info here? Is this really such tit-for-tat between two nationalistic groups who have no gripe with each other?
Comment by sinocircle— January 13, 2010 #
I don't think anyone knows anything about them. Could be smart techie geeks; reading the translation of the Arabic makes that at least feasible, if highly unlikely Iran would ever want to invite Chinese ire at this juncture... same day the physicist is blown up, too...
Comment by sinocircle— January 13, 2010 #
Who has a proper translation of this?
ارتش سایبری ایران در اعتراض به دخالت های سايتهاي بيگانه و صهیونیستی در امور داخلی کشورمان و پخش اخبار دروغ و تفرقه برانگیز راه اندازي شده اس
(Roughly: The Iranian Cyber Army has been launched in protest against the interference of foreign and Zionist sites in our country's internal affairs and the spreading of false and divisive news.)
Comment by sinocircle— January 13, 2010 #
One possibility from the WSJ comments (quoted in full):
In case you are wondering what it says: "Iranian (Persian) Cyber Army, is formed (and is on the move), in protest for the meddling of the foreign and Zionist sites in our country's domestic affairs and broadcasting of false news and inciting of conflict." The scribble in the middle is "Dear Hussein," perhaps because we are in the mourning period for the death of Imam Hussein who was killed in a fight with his cousin Yazid over who should control the stolen wealth (and women and children) of the Persians, 14 centuries ago.
The Irony of this is, China just gave Iran military and crowd control tools to fight and potentially kill the demonstrators. So the message of this banner is in conflict with the Iranian government’s position with the Chinese government.
Comment by sinocircle— January 13, 2010 #
Google News is still not carrying this story. A Google News search cross-referencing "iran" and "china" is BLOCKED in Beijing now.
This webpage is not available.
The webpage at http://news.google.com/news/search?aq=f&pz=1&cf=all&ned=us&hl=en&q=iran+china might be temporarily down or it may have moved permanently to a new web address.
Below is the original error message
Error 101 (net::ERR_CONNECTION_RESET): Unknown error.
Comment by sinocircle— January 13, 2010 #
The Guardian has a comprehensive article, mentioning both what are made to look like the Chinese reprisals (quoted below) and the possibility that a third party is successfully sowing strife between the allies' peoples.
Quoted from: http://www.guardian.co.uk/technology/2010/jan/12/iranian-hackers-chinese-search-engine
As news of the attack spread, other hackers targeted Iranian websites.
On the room98.ir website, beneath a large Chinese flag, a message from the “Chinese Honker Team” read: “This morning your Iranian Cyber Army intrusion [sic] our baidu.com … Please tell your so-called Iranian Cyber Army … Don’t intrusion Chinese website about the United States authorities to intervene the internal affairs of Iran’s response … This is a warning!”
A message on the iribu.ir website read: “The People’s Republic of China long live … Oppose splitting Safeguarding unity.”
Other targets reportedly included the website of a national wrestling team.
“They seem to be choosing them randomly – the content is in Farsi, so they don’t necessarily know what they are,” said Anti.
Although the message left on Twitter by the Iranian Cyber Army suggested it was sympathetic to the government, experts told Reuters last month that it was unlikely Tehran was involved.
Comment by sinocircle— January 13, 2010 #
BEIJING — Baidu Inc., China’s top search engine, was unavailable early Tuesday in China, and some Internet users reported seeing signs of an attack on the site by Iranian hackers.
Users reported seeing a banner for the “Iranian Cyber Army,” complete with an Iranian flag and a shattered Star of David, when they tried to access Baidu’s home page Tuesday.
Screen shot of the Baidu Web site on Tuesday morning
Marten Strassburg, a Swedish citizen living in Beijing, said he saw the site defaced with the Iranian group’s logos around 10:30 a.m. Beijing time. Mr. Strassburg and dozens of others posted screen shots of Baidu’s defaced site online.
As of 11:30 a.m., Baidu was still unavailable, with users seeing just an error message when they attempted to visit the site.
Baidu spokeswoman Cynthia He declined to immediately comment, saying the company is looking into the matter.
Last month, a group also calling itself the Iranian Cyber Army attacked Twitter, temporarily disrupting access to the U.S.-based social networking site. The Iranian Cyber Army also appeared to have attacked an Iranian reformist Web site.
It was unclear why the group, which appears to sympathize with the Iranian government rather than anti-Tehran protesters, would attack Baidu.
Twitter has famously become a tool for Iranian dissidents to communicate and organize, and Chinese citizens began expressing sympathy with Iranian protesters last month through Twitter. Though Twitter is blocked in China, these Internet users have found ways around the limits through use of proxy servers outside of China.
But the Internet free speech advocates on Twitter are not fans of Baidu, which is seen as in good standing with Beijing. Foreign Web sites such as Google Inc. have been periodically blocked by the Chinese government for linking to pornographic or politically sensitive material, but Baidu has not had similar problems with Chinese censors.
Write to Aaron Back at aaron.back@dowjones.com
Comment by sinocircle— January 13, 2010 #
A more technical article suggesting baidu.com was hacked at the .com level and not at Baidu itself.
Quoted from: http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/
Baidu.com the Latest Victim of Iranian CyberArmy
BY PREFECT ⋅ JANUARY 11, 2010
FILED UNDER DEFACEMENT, HACKTIVISM
A group called the Iranian Cyber Army has, fresh off the heels of their DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.
Such digital attacks for political purposes are sometimes referred to as hacktivism, usually defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends”.
The IP address baidu.com temporarily pointed to was 174.121.0.7 in Houston, Texas, a site hosted via ISP ThePlanet.com. The site normally resolves to hosts in Beijing, China, hosted by China Unicom (for example 202.108.22.5, which is back up now).
The site as it appeared for about three hours today: [image of the page served up at baidu.com earlier]
Baidu.com as it normally appears: [image of Baidu.com, normally]
Two other domain names are referenced on the page: cyberarmyofiran.com and ircarmy.com. The first, IP 70.35.29.162, shows hosting by Netfirms in Markham, Ontario, Canada. The second, ircarmy.com, is at IP 69.147.83.188, showing hosting by Yahoo in Sunnyvale, California.
This is the same group responsible for the attacks on Twitter and mowjcamp.org last month, Twitter having gone down for a while the evening of December 17th. During the attack on Twitter a bad actor used an id and password assigned to Twitter to log in to the administrative portal of managed DNS service provider Dyn.
DNS Services
At the time that Baidu.com was being redirected, we were seeing different SOA and NS results for the Baidu.com domain name. A simple script was used to look at this data:
$ sh dnsbaidu.com
[baidu.com]----------------------
--[resolver.qwest.net]--
--[SOA]--
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
--[NS]--
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.
--[4.2.2.2]--
--[SOA]--
--[NS]--
--[4.2.2.3]--
--[SOA]--
dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400
--[NS]--
dns050.c.register.com.
dns204.a.register.com.
dns010.d.register.com.
dns190.b.register.com.
--[8.8.8.8]--
--[SOA]--
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
--[NS]--
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.
--[8.8.4.4]--
--[SOA]--
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
--[NS]--
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.
--[208.67.222.222]--
--[SOA]--
ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400
--[NS]--
ns2.coolhandle.com.
ns1.coolhandle.com.
We were seeing even more interesting results when using a DNS tool called Squishywishywoo. The results are below and I have attached the full output in: baidu-dnscheck.pdf
50.0% of queries will be returned by 174.121.0.2 (ns2303.hostgator.com)
baidu.com. 86400 IN SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
2010011202 ; Serial
86400 ; Refresh
7200 ; Retry
3600000 ; Expire
86400 ) ; Minimum TTL
50.0% of queries will be returned by 174.121.0.3 (ns2304.hostgator.com)
baidu.com. 86400 IN SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
2010011202 ; Serial
86400 ; Refresh
7200 ; Retry
3600000 ; Expire
86400 ) ; Minimum TTL
Out of all the DNS results, only Google (8.8.8.8) and Qwest (resolver.qwest.net) return correct answers for Baidu’s NS records. The others, OpenDNS (208.67.222.222), Level 3 (4.2.2.3 & 4.2.2.2), and Squishywishywoo returned incorrect results.
We are able to check for the correct expected results by looking at the WHOIS data provided by register.com. Register.com is the service that the Baidu.com domain was registered with and is the definitive authority for that domain.
Registrant:
Domain Discreet
ATTN: baidu.com
Rua Dr. Brito Camara, n 20, 1
Funchal, Madeira 9000-039
PT
Phone: 1-902-7495331
Email: 036f37850a14115101201f9483195f63@domaindiscreet.com
Registrar Name….: Register.com
Registrar Whois…: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: baidu.com
Created on…………..: 1999-10-11
Expires on…………..: 2014-10-11
Administrative Contact:
Domain Discreet
ATTN: baidu.com
Rua Dr. Brito Camara, n 20, 1
Funchal, Madeira 9000-039
PT
Phone: 1-902-7495331
Email: 036f376a0a14115100199c0316d64ebb@domaindiscreet.com
Technical Contact:
Domain Discreet
ATTN: baidu.com
Rua Dr. Brito Camara, n 20, 1
Funchal, Madeira 9000-039
PT
Phone: 1-902-7495331
Email: 036f37860a14115101c8a6d69ced14a8@domaindiscreet.com
DNS Servers:
ns3.baidu.com
ns2.baidu.com
ns4.baidu.com
dns.baidu.com
In directly querying the listed authoritative servers with the dig command, we are able to display the data that the rest of the world should be seeing.
$ dig @220.181.37.10 baidu.com SOA

; <<>> DiG 9.6.0-APPLE-P2 <<>> @220.181.37.10 baidu.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;baidu.com. IN SOA

;; ANSWER SECTION:
baidu.com. 7200 IN SOA dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200

;; AUTHORITY SECTION:
baidu.com. 86411 IN NS dns.baidu.com.
baidu.com. 86411 IN NS ns2.baidu.com.
baidu.com. 86411 IN NS ns3.baidu.com.
baidu.com. 86411 IN NS ns4.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com. 300 IN A 202.108.22.220
ns2.baidu.com. 300 IN A 61.135.165.235
ns3.baidu.com. 300 IN A 220.181.37.10
ns4.baidu.com. 300 IN A 220.181.38.10

;; Query time: 308 msec
;; SERVER: 220.181.37.10#53(220.181.37.10)
;; WHEN: Tue Jan 12 00:17:03 2010
;; MSG SIZE rcvd: 202
The key thing to note is the SOA serial number 2010011101. When a recursive DNS server such as Google's 8.8.8.8 receives a request for Baidu.com and it does not have that data in its DNS cache, it will proceed down the DNS hierarchy to find the authoritative DNS server for the domain and request the needed data. The authoritative DNS server will return the requested data and the current serial number, which in this case is 2010011101. The recursive DNS server will return the cached results, but after a timeout period it will go back to the authoritative DNS server, send the serial number it has in the cache, and ask if it needs an update on the data. The authoritative DNS server will then compare the request and internal number to see if there needs to be an update.
The issue with this comes into play in our data above; OpenDNS’s results show an SOA serial number of 2010011101, which is correct, but also contain the wrong NS server entries for Baidu.com. When OpenDNS goes and asks the authoritative DNS server if it needs to update data it will be told no due to the matching SOA records; thus, it will continue returning bad DNS data until the authoritative DNS server changes the serial number.
With this data in mind, we would ascertain that the changes were initially made at .com level, most likely through Register.com to point the Baidu.com domain name to DNS servers controlled by the attackers. When we dug into DNS records, Register’s were corrected, but the cached bad records out on the other DNS servers still existed. While we can’t confirm this with certainty, the data found in DNS would lead to this conclusion.
A recommendation to Baidu.com's DNS administrators is to update their serial numbers to something higher than 2010011202, as that is the highest serial number we have seen on any DNS server. This will force caching servers to update their records to the proper entries.
Translation of the Text
Google’s translations remain imperfect, but the text is Persian and translates roughly to:
Cyber Iran to protest the military intervention of foreign countries and Israel in the internal affairs of our country and distribute false news and Divisive has been established.
A similar sentiment to the messages present in the attack on Twitter.
Baidu
The name Baidu comes from an 800 year old Chinese poem written during the Song Dynasty. The poem compares the search for retreating beauty amid chaotic glamor with the search for one’s dream impeded by life’s obstacles. And we have ‘Google’.
Finally
While pressured to intervene as a response to Iran’s nuclear ambitions, China has for the most part stayed clear of speaking out on the subject. Businesses in China have served as intermediaries for products imported from Iran that are then shipped to U.S. firms, in violation of U.S. economic sanctions against Iran. For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group.
Comment by sinocircle— January 13, 2010 #
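The cross-resolver comparison the Praetorian Prefect article describes, written out as an added example. This is not code from the original post and not the article's own dnsbaidu.com script (which it does not show). It parses the SOA and NS records out of dig output, compares what each recursive resolver returned for baidu.com with what Baidu's own authoritative server returned, and reports the discrepancy per resolver. The resolver answers and the dig excerpt are transcribed from the tool output quoted in the article; the function names, the verdict wording and the hand-built data structures are assumptions of this example, and nothing is fetched from the network.

```python
"""Cross-resolver delegation check for baidu.com (added example, not the article's script).

Compares the SOA/NS answers several recursive resolvers gave for baidu.com with the
answer from one of Baidu's authoritative servers and reports which resolvers are still
handing out the attacker's delegation. All sample answers are transcribed from the
output quoted in the article; nothing is queried over the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    mname: str      # primary master name server
    rname: str      # responsible person's mailbox
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Parse SOA RDATA in the one-line form dig prints: mname rname serial refresh retry expire minimum."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    return Soa(fields[0].lower(), fields[1].lower(), *(int(f) for f in fields[2:]))


def parse_dig(output: str):
    """Extract the SOA and the NS set from full dig output (ANSWER and AUTHORITY sections)."""
    soa, ns = None, set()
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                       # blank lines and dig's ';' comment/header lines
        parts = line.split(None, 4)        # owner ttl class type rdata
        if len(parts) < 5:
            continue
        _owner, _ttl, _cls, rtype, rdata = parts
        if rtype == "SOA":
            soa = parse_soa(rdata)
        elif rtype == "NS":
            ns.add(rdata.strip().lower())
    return soa, frozenset(ns)


def classify(auth_soa: Soa, auth_ns: frozenset, soa, ns: frozenset) -> str:
    """Describe how one resolver's answer differs from the authoritative answer."""
    if soa is None and not ns:
        return "no answer"
    if soa == auth_soa and ns == auth_ns:
        return "consistent"
    findings = []
    if ns and ns != auth_ns:
        findings.append("NS set differs: " + " ".join(sorted(ns)))
    if soa is not None:
        if soa.mname != auth_soa.mname:
            findings.append(f"SOA MNAME differs: {soa.mname}")
        if soa.serial == auth_soa.serial and ns != auth_ns:
            # The OpenDNS case in the article: right serial, wrong delegation.
            findings.append("serial matches authoritative, so a serial comparison alone would not catch this")
        elif soa.serial > auth_soa.serial:
            findings.append(f"serial {soa.serial} is ahead of authoritative {auth_soa.serial}")
    return "; ".join(findings) or "partial answer"


def serial_to_outrun(auth_soa: Soa, answers: dict) -> int:
    """Smallest serial that exceeds every serial seen in the wild (the article's recommendation)."""
    seen = [soa.serial for soa, _ in answers.values() if soa is not None]
    return max([auth_soa.serial, *seen]) + 1


# Constructed from the article's output: (SOA rdata or None, NS hostnames) per recursive resolver.
OBSERVED = {
    "resolver.qwest.net": ("dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200",
                           ["ns3.baidu.com.", "ns2.baidu.com.", "dns.baidu.com.", "ns4.baidu.com."]),
    "4.2.2.2": (None, []),
    "4.2.2.3": ("dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400",
                ["dns050.c.register.com.", "dns204.a.register.com.",
                 "dns010.d.register.com.", "dns190.b.register.com."]),
    "8.8.8.8": ("dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200",
                ["dns.baidu.com.", "ns2.baidu.com.", "ns3.baidu.com.", "ns4.baidu.com."]),
    "208.67.222.222": ("ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400",
                       ["ns2.coolhandle.com.", "ns1.coolhandle.com."]),
    # ns2303.hostgator.com; the article shows only its SOA, not an NS set.
    "174.121.0.2": ("ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. 2010011202 86400 7200 3600000 86400", []),
}

# Transcribed from the article's dig against ns3.baidu.com (220.181.37.10), trimmed to the record sections.
AUTHORITATIVE_DIG = """\
;; ANSWER SECTION:
baidu.com.  7200  IN  SOA  dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
;; AUTHORITY SECTION:
baidu.com.  86411 IN  NS  dns.baidu.com.
baidu.com.  86411 IN  NS  ns2.baidu.com.
baidu.com.  86411 IN  NS  ns3.baidu.com.
baidu.com.  86411 IN  NS  ns4.baidu.com.
;; ADDITIONAL SECTION:
dns.baidu.com.  300  IN  A  202.108.22.220
"""


def audit(observed=OBSERVED, authoritative=AUTHORITATIVE_DIG):
    """Return ({resolver: verdict}, serial Baidu would have to publish to outrun the cached copies)."""
    auth_soa, auth_ns = parse_dig(authoritative)
    answers = {name: (parse_soa(s) if s else None, frozenset(h.lower() for h in hosts))
               for name, (s, hosts) in observed.items()}
    verdicts = {name: classify(auth_soa, auth_ns, soa, ns) for name, (soa, ns) in answers.items()}
    return verdicts, serial_to_outrun(auth_soa, answers)


if __name__ == "__main__":
    verdicts, serial = audit()
    for name, verdict in verdicts.items():
        print(f"{name:20} {verdict}")
    print(f"publish a serial of at least {serial}")
```

The point the table makes is that the comparison has to be on content, not on the serial: OpenDNS returned Baidu's own serial 2010011101 together with coolhandle.com name servers, and only the NS comparison flags it. The serial the script recommends (2010011203) follows the article's advice of going above the highest serial seen anywhere; note that a recursive resolver's cached copy is retained until its TTL expires (86400 seconds on the HostGator SOA above) regardless of that serial, so a poisoned cache is cleared by TTL expiry or by a manual flush at the resolver, while the serial bump keeps Baidu's own secondaries in step with the primary.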
Old news but puts some of this in context:
Hackers Attack Ahmadinejad’s Web site
By ROBERT MACKEY
Updated | 10:10 a.m. On Monday night in San Francisco an information technology consultant named Austin Heap reported on his blog that the official Web site of Iran’s president, Ahmadinejad.ir, had been attacked by hackers.
Mr. Heap, who has been active in the effort to provide Iranians with tools to circumvent Internet censorship this year, wrote that “someone seems to have had their way with Ahmadinejad’s web servers.” Although the Web site appears to be down now, Mr. Heap wrote that, for several hours, people trying to access it were redirected to a page which contained the following message:
Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei
in the year 2010. Thank you.
A screen shot of the Web page with that message is available on Mr. Heap’s blog (click on the first illustration there for an enlarged view of it).
In a later update, Mr. Heap wrote that the site was subsequently inaccessible, and speculated that it was “either intentionally pulled or … is simply being overloaded since so many people are looking to grab a peek at the hack.”
The apparent attack comes three weeks after a group calling itself the “Iranian Cyber Army” launched an attack that briefly redirected users of Twitter to a site that displayed a message that seemed to support Iran’s government. That message read, in part:
U.S.A. Think They Controlling And Managing Internet By Their Access, But They Don’t, We Control And Manage Internet By Our Power.
Mr. Heap founded the Censorship Research Center and explained on its Web site that the group’s technological activism was motivated by a desire to help Iranians use the Web despite the efforts of Iran’s government to prevent them from doing so:
We believe everyone, everywhere should be able to freely communicate, and we began work that would guarantee this right for the people of Iran.
The system we designed, “Haystack,” provides completely uncensored access. There are no more Facebook blocks, no more government warning pages when trying to read BBC news—just unfiltered Internet. It’s an improvement to the state of the art in anti-censorship technology. It’s a necessary one too: Iran’s filtering is quite advanced, and it’s one of two nations to censor the Internet using domestic hardware and software. (The other is China.) Imagine a postal service that opens each piece of mail and uses machine learning algorithms to detect subversive correspondence. That’s Iranian digital censorship.
This kind of filtering is called “deep packet inspection.” It allows the government to block, read, and even change messages sent over the Internet, including emails and tweets. Iran purchased equipment from Western companies like Nokia for this censorship, and is rapidly deploying homegrown equivalents over which it can exert more control. Iran’s filtering capabilities allow it to intercept and even change online communications – emails, voice calls, even tweets.
Still, we were able to identify weaknesses in Iran’s approach and develop countermeasures.
On Tuesday, Iran’s state-run Press TV reported that the country’s intelligence ministry has barred citizens from cooperating with a list of 60 European and American foundations it blames for orchestrating the protests that followed last June’s disputed presidential election in Iran. The ministry also claimed that media organizations like the BBC and Voice of America that have broadcast video uploaded to the Web showing demonstrations back into Iran via satellite are doing so as part of a plot to overthrow Iran’s government.
Comment by sinocircle— January 13, 2010 #