Romanian Google, Yahoo Users Redirected to Defacement Page

Earlier today, visitors of web pages associated with Google and Yahoo search were instead being redirected to a defacement page.

Preliminary investigation reveals that neither Google's nor Yahoo's servers have been hacked or otherwise compromised. Instead, the attackers have somehow changed the authoritative DNS records for the affected domains (which are maintained by registrar RoTLD) to point the domain names to a web server in the Netherlands that was probably also hacked.

This appears to be the same MO as that of the hackers who poisoned the Pakistani registrar’s database a couple of days ago. However, while the motivation in Pakistan was strictly political, based on the message left on the defaced page, the attackers did not provide any clue about why they attacked the Romanian services. The troubled state of society in the Middle East has given birth to a number of responses from digital activist groups that end up attacking popular websites and exposing innocent users as collateral damage.

If you have visited the affected websites while they were compromised, you are strongly advised to flush your DNS cache by typing ‘ipconfig /flushdns’ in Windows, ‘rndc flushname google.ro’ in Linux or Unix and ‘dscacheutil -flushcache’ in Mac OS X.


It appears that The Algerian Hacker Group, an organization made of almost 200 different teams of hackers, is also targeting DNS systems of other national TLDs, as the Romanian hack is the fourth incident after Ireland, Pakistan and Israel – all incidents that took place in just one month.

Today’s attack managed to poison DNS cache servers of all internet service providers, including the Google DNS ( and as these ISPs cache the DNS resolution sent by RoTLD to speed up the resolution process when other similar requests are made.

Some ISPs have already flushed their caches, others are still serving rogue resolutions. We are continuously scanning the DNS zones for the Romanian internet and contacting ISPs individually for mitigating the crisis in the shortest time.
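To illustrate how resolvers that are still serving rogue resolutions can be told apart from those that have flushed, here is an added example (not Bitdefender's scanning tooling and not part of the original post) that triages `dig`-style answer lines collected from several resolvers. The resolver names, the expected address range and the sample answers are constructed assumptions, using RFC 5737 documentation addresses.

```python
import ipaddress

# Assumption: ranges the domain owner is known to publish from (documentation range as stand-in).
EXPECTED = {"google.ro.": [ipaddress.ip_network("198.51.100.0/24")]}

# Constructed sample: answer-section lines as printed by `dig @resolver google.ro A`,
# keyed by the hypothetical resolver that returned them.
SAMPLE = {
    "isp-a-resolver": "google.ro.\t86012\tIN\tA\t192.0.2.66\n",
    "isp-b-resolver": "google.ro.\t212\tIN\tA\t198.51.100.14\n"
                      "google.ro.\t212\tIN\tA\t198.51.100.15\n",
    "isp-c-resolver": "; comment line\ngoogle.ro. 3590 IN A 192.0.2.66\n",
}

def parse_answers(text):
    """Yield (name, ttl, address) for each IN A line; skip comments and malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue
        name, ttl, rclass, rtype, rdata = fields
        if rclass != "IN" or rtype != "A" or not ttl.isdigit():
            continue
        try:
            yield name.lower(), int(ttl), ipaddress.ip_address(rdata)
        except ValueError:
            continue

def triage(samples, expected):
    """Return {resolver: (status, seconds the rogue answer stays cached unless flushed)}."""
    report = {}
    for resolver, text in samples.items():
        records = [r for r in parse_answers(text) if r[0] in expected]
        if not records:
            report[resolver] = ("no-answer", None)
            continue
        rogue = [r for r in records
                 if not any(r[2] in net for net in expected[r[0]])]
        if rogue:
            # The remaining TTL bounds how long the cache keeps serving the rogue record.
            report[resolver] = ("rogue", max(ttl for _, ttl, _ in rogue))
        else:
            report[resolver] = ("clean", None)
    return report

if __name__ == "__main__":
    for resolver, (status, ttl) in triage(SAMPLE, EXPECTED).items():
        print(resolver, status, "" if ttl is None else f"expires in {ttl}s")
```

The remaining TTL reported for a rogue answer shows why waiting is not enough: a resolver that cached the hijacked record keeps serving it until that TTL runs out or an operator flushes it.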

Second update: RoTLD confirms breach.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as director of threat research. When he is not documenting sophisticated strains of malware or planning removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

