Twitter hacked? Not really, only Twitter DNS records compromised

I posted earlier ‘Twitter Hacked by Iranian Cyber Army’, but actually only Twitter's DNS records were compromised. I think the twitter.com server headers and the tracepath to the servers are enough to prove this, because during the hack they were completely different from the normal ones.

Hacked twitter.com headers:

HTTP/1.1 200 OK
Date: Fri, 18 Dec 2009 06:42:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635
Last-Modified: Fri, 18 Dec 2009 06:21:13 GMT
ETag: "90c06a-717-47afabf13c840"
Accept-Ranges: bytes
Content-Length: 1815
Connection: close
Content-Type: text/html

Original twitter.com headers:

HTTP/1.1 200 OK
Date: Fri, 18 Dec 2009 08:25:54 GMT
Server: hi
X-Transaction: 1261124754-68110-699
Status: 200 OK
ETag: "592480ad9f6feea20711b47bc5e64dbb"
Last-Modified: Fri, 18 Dec 2009 08:25:54 GMT
X-Runtime: 0.02009
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Content-Length: 20957
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-Revision: DEV
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToRdHJhbnNfcHJvbXB0MDoMY3NyZl9pZCIlNzVhYTY3YTZlNjMxNTky%250AMjk5NzkzNGZiMTIxNDg0ZWQ6B2lkIiVkOGE0MzJkYTFjZWQzNGUzMWM1ZThk%250AMThlMTUwN2VlOCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6%250AOkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--379506ebd11ed1403680db265ae97bf4c3768b7b; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Hacked twitter.com tracepath:

tracepath www.twitter.com
...
7: lax009-phx007-832-cr1.phx007.internap.net (66.79.147.182) 40.415ms asymm 8
8: cr2-cr1.phx007.internap.net (66.79.147.174) 46.740ms asymm 9
9: dal005-phx007-833-cr1.dal005.internap.net (66.79.147.177) 54.298ms asymm 7
10: dal005-tor003-1160-cr1.tor003.pnap.internap.net (66.79.147.230) 86.102ms asymm 7
11: tor001-tor003-769-core1.tor001.internap.net (66.79.153.34) 98.458ms asymm 9
12: border1.te9-1-bbnet2.tor001.pnap.net (70.42.24.196) 94.665ms asymm 9
13: netfirms-1.border1.tor001.pnap.net (70.42.26.54) 104.351ms asymm 10

Working twitter.com tracepath:

tracepath twitter.com
...
 7:  ae-2.r22.londen03.uk.bb.gin.ntt.net (129.250.2.77)    33.762ms asymm 12 
 8:  as-0.r20.nycmny01.us.bb.gin.ntt.net (129.250.3.254)  105.484ms asymm 12 
 9:  ae-0.r21.nycmny01.us.bb.gin.ntt.net (129.250.2.26)   105.688ms asymm 12 
10:  as-0.r20.chcgil09.us.bb.gin.ntt.net (129.250.6.13)   124.634ms asymm 12 
11:  ae-0.r21.chcgil09.us.bb.gin.ntt.net (129.250.3.98)   122.439ms asymm 12 
12:  as-5.r20.snjsca04.us.bb.gin.ntt.net (129.250.3.77)   185.225ms 
13:  xe-1-1-0.r20.mlpsca01.us.bb.gin.ntt.net (129.250.5.61) 186.349ms asymm 14 
14:  mg-1.c20.mlpsca01.us.da.verio.net (129.250.28.81)    189.346ms 
15:  128.241.122.101 (128.241.122.101)                    189.184ms 
16:  128.241.122.101 (128.241.122.101)                    189.468ms !H
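
The header comparison above can be automated as a monitoring check. The following is an added example, not code from the original post: it fingerprints a known-good response and reports drift in the Server banner, the application's X- headers and the cookies it sets. The function names are hypothetical and the sample blocks are abridged from the headers above, with the session cookie value replaced by a placeholder.

```python
# Added example: detect that a different server is answering for a hostname
# by comparing response-header fingerprints against a known-good baseline.

# Abridged from the "Original" headers above (cookie value is a placeholder).
BASELINE = """HTTP/1.1 200 OK
Server: hi
X-Transaction: 1261124754-68110-699
X-Runtime: 0.02009
X-Revision: DEV
Content-Type: text/html; charset=utf-8
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=PLACEHOLDER; domain=.twitter.com; path=/"""

# Abridged from the "Hacked" headers above.
OBSERVED = """HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635
Accept-Ranges: bytes
Content-Length: 1815
Content-Type: text/html"""

def fingerprint(raw):
    """Reduce a raw header block to the features worth comparing."""
    headers, cookies = {}, set()
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.add(value.split("=", 1)[0])     # keep the cookie name only
        elif name:
            headers[name] = value
    return {"server": headers.get("server", ""),
            "names": set(headers), "cookies": cookies}

def drift(baseline, observed):
    """Return human-readable differences between baseline and observed."""
    b, o = fingerprint(baseline), fingerprint(observed)
    findings = []
    if b["server"] != o["server"]:
        findings.append(f"server banner changed: {b['server']!r} -> {o['server']!r}")
    missing = sorted(n for n in b["names"] - o["names"] if n.startswith("x-"))
    if missing:
        findings.append("application headers missing: " + ", ".join(missing))
    lost = sorted(b["cookies"] - o["cookies"])
    if lost:
        findings.append("expected cookies not set: " + ", ".join(lost))
    return findings

if __name__ == "__main__":
    for finding in drift(BASELINE, OBSERVED):
        print(finding)
```

Drift on all three features means a different server answered for the name; comparing the resolved address with the expected one then tells a changed DNS record apart from a change on the real servers.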

One Comment

  1. Sorry for the double posts! I think here is more appropriate

    I love your blog, it has better tutorials and help!
    I have a question regarding DNS. In 2008 to 2009 I was a noob in PC games and paid for a cheat site, FPSCheats.com, which at the time was hacked via DNS; I just know that all the people trying to enter the site were redirected to another site. There is a video on YouTube where the guy did it and showed it.

    I would love to learn, just for knowledge. I am a CentOS 5.5 user; at my college the professor taught us how we could add another IP in DNS and one subdomain, but nothing deep! If you could teach this I would be grateful for the rest of my life!

    Have a great day
