2010-02-08

tcs.com was NOT hacked...

[Disclaimer: I'm an employee of TCS, though naturally I'm posting this in my personal capacity]

tcs.com was NOT hacked yesterday.  What did happen was that the DNS records that supply the IP were reset to some other IP.

Whether that was done by actually hacking tracom/netsol or by social engineering a valid change request I do not know.

I know the site was fine because going through the internal DNS got me the correct IP address and the correct content.

I believe the problem started sometime before 1am IST [this is a wild guess, from other symptoms; don't ask!], and was resolved around noon or so [this guess is more accurate because I was semi-actively monitoring it].

In both instances, it would have taken a few hours for the bad data to expire from DNS caches.  Depending on who your DNS provider is, you may have seen it "come back" at different times.  If you were running your own DNS, you could have purged your DNS cache manually and would know more accurately when it came back.

Regards,

Sitaram

1 comment:

Anonymous said...

I have heard that some DNS servers are *still* returning bad data.

Never mind...

To get the right IP, run this:

dig +trace www.tcs.com

You should get something like this (see end of comment).

Notice the line

www.tcs.com. 600 IN A 216.15.200.140

near the end? That's the correct address.

If you're not seeing that, your first suspect should be your DNS provider, not TCS's DNS provider :-) At least for a few days!

; <<>> DiG 9.6.0-P1 <<>> +trace www.tcs.com

[chopped due to comment length limit]

www.tcs.com. 600 IN A 216.15.200.140
tcs.com. 600 IN NS ns1.tracom.net.
tcs.com. 600 IN NS ns2.tracom.net.
tcs.com. 600 IN NS ns3.tcs.com.
tcs.com. 600 IN NS ns4.tcs.com.
tcs.com. 600 IN NS ns5.tcs.com.
;; Received 225 bytes from 216.15.130.71#53(ns1.tracom.net) in 335 ms

22:54:26 sita-lt:~ $