Industry News

Romanian Versions of Google, Yahoo Homepages Defaced by Algerian Hacker

Earlier today, the Romanian Google and Yahoo search pages were hijacked to a defacement page. The page was up for more than one hour but is now fixed.

Preliminary investigation reveals that neither Google's nor Yahoo's servers were hacked or otherwise compromised. Instead, the attackers changed the DNS records for the domains so that the domain names pointed to a server in the Netherlands, which had probably been hacked as well.

This appears to be the work of the same hackers who breached Pakistan's most popular web services a couple of days ago. However, while the motivation in Pakistan was strictly political, the attackers gave no clue about why they attacked the Romanian services. The troubled state of society in the Middle East has given rise to a number of responses from digital activist groups, which end up attacking popular websites and dragging innocent users in as collateral damage.

If you visited the affected websites while they were compromised, you are strongly advised to flush your DNS cache by typing 'ipconfig /flushdns' in Windows, 'rndc flushname' in Linux or Unix, and 'dscacheutil -flushcache' in Mac OS X.


It appears that the rogue IP was somehow snuck into the RoTLD DNS system, which led to it being announced to all the caching DNS servers of ISPs. What is extremely important is that the IP was also cached by Google's DNS service ( and Some Internet service providers have already renewed their DNS cache for, while others are still serving the poisoned results.
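The incident described above plays out in two places: the record changed at the registry, and recursive resolvers that kept serving the old answer until its TTL ran out. The following added example (not code from the article or from Bitdefender) is a stdlib-only Python tool that asks an authoritative server and a recursive resolver for the same A record and reports the entries the resolver still holds, with the seconds left on each; server addresses and the name `www.example.test` are placeholders you supply.

```python
import random
import socket
import struct

def build_query(name, qid=None):
    """Minimal DNS A/IN query, recursion desired, in wire format."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    while True:  # walk labels until the zero terminator or a compression pointer
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += length + 1

def parse_a_answers(msg):
    """Return [(ip, ttl)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return answers

def query(server, name, timeout=3.0):
    q = build_query(name)  # one UDP round trip to `server`; needs network access
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_answers(resp)

def stale_entries(authoritative, cached):
    """IPs a resolver still serves that the authoritative zone no longer returns."""
    good = {ip for ip, _ in authoritative}
    return [(ip, ttl) for ip, ttl in cached if ip not in good]
```

Run `stale_entries(query("<authoritative ns>", "www.example.test"), query("<your resolver>", "www.example.test"))`; a non-empty result means that resolver is still handing out the old record, and the TTL tells you how long until it expires on its own.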

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


  • .ro local time 11.58, accessing with ip from Luxembourg, still looks down

    “By MCA-CRB

    Algerian Hacker…”

    with .ro ip, all is ok

  • Hey there,

    The poisoning takes place at the ISP DNS cache level now. RoTLD returns the genuine IP. Let’s wait till the ISPs flush their cached entries.

  • Any news about the ROTLD database being hacked yesterday?
    It is my understanding that they lost the (clear-text) passwords for .ro domain administration and had to reset them

    As we speak, the ROTLD website is down (specifically


    • Nope, nothing new from RNC yet, though we tried to contact them several times. Not sure about what happened, but if what you’re saying is true, things would be really messed up. I think they should really issue an official statement to clear the suspense :)

  • I’m guessing they have hotter potatoes on their plates right now than to release an official statement – maybe they’re just trying to contain & analyze the attack.

    The password reset could be just a preventive action, if they are not sure of the nature (and extent) of the breach… one thing is sure: yesterday several .ro domains could not be accessed on website (due to incorrect login credentials) and today the site has been down for 6-7h already…

    May I say that ICI Bucuresti could at least place a “we’re working on this page” sign, so as we are not “welcomed” by a 404 :)


    • OK, I can confirm, all of my domains administered via RNC/ROTLD have new reset passwords

      Anyways… it’s rather impressive how an Algerian hacker could support the traffic for,,, etc for that long just to host a defaced page…

      • It’s official, RoTLD issued a press release yesterday announcing the breach. More details at

  • That’s no surprise, everyone knew that rotld was hacked for 2-3 days now (except they didn’t bother telling us)
    Still, they’re kinda contradicting themselves: they admit to an attack and data alteration for ns info, but they still affirm that “the DNS servers were not affected” ?!

    One more rant:
    I believe this is the only country in the world where the card payment is done via:
    – sending via fax (?!) a form with all the details (name, address, id info, cc number, expiration date, everything)
    – a copy of the credit card, both sides !

    For everyone interested (ro language):

    That’s nice, isn’t it, I sleep sooo good at night when I think about all my credit card and personal info laying somewhere in a fax machine…


  • I think they meant that the root server was not jacked in any way, as the flaw was present at the domains control panel. If the failure was with the root NS, the attacker would have had access to all .ro domains, regardless of registrar, as opposed to the current situation, where they seized control over the domains registered through RoTLD (or at least, that’s what I understood).

    The payment mechanism is really worthy of the 20th century, but probably saved them from a major incident now, if they had credit card data stored in the vulnerable database :)

    I hope they have that fax machine in a “no access” area and that those faxes are properly stored or at least, properly disposed of.

    • And now, just to be sure, they’ve stopped the website altogether
      Maybe for maintenance, maybe for re-resetting the passwords, maybe for cleanup, who knows…

      PS: Again with the 404, grrr

  • I think they’re upgrading CentOS on the web server. The URL returns 403 and 404 arbitrarily :) Well, at least we know that there’s somebody working hard in there.

  • worst case scenario:
    all users that access .ro domains redirected to a client-side exploit > a few millions of people transformed into zombies

    “mca-crb” was a nice hacker
    after few clicks:
    5,536 of which 1,177 single ip and 4,359 mass defacements [source] in less than 2 years…

    btw, this was a virus, not a deface :- “very serious face”:
    “The specialists at InfoMedia are very close to giving you the remedy for the Algerian virus “” that affected the page”

  • I agree, the worst case scenario would have had quite an impact. However, let’s be thankful that the hacker was either not interested in harming regular users, or did not have the necessary infrastructure to run active content to ~one mil concurrent users. It’s one thing to serve a GIF / PNG / whatever type of image he served and it’s another thing to run a database server / PHP / Apache and still withstand one million connections.

    MCA-CRB has quite some history in defacements. And, speaking about defacements, we all know this was a “virus”. It was running between the chair and the keyboard :).