The systems of Tajikistan’s domain registrar (domain.tj) have been hacked. The attacker, an Iranian hacker who uses the online moniker Mr.XHat, has taken the opportunity to “deface” a number of high-profile domains.
According to The Hacker News, Mr.XHat has changed the DNS records for the Tajikistan domains of Google, Twitter, Amazon and Yahoo to redirect the websites’ visitors to a defacement page.
The hacker claims he had exploited a Directory Traversal vulnerability to gain access to the domain’s registrar administration panel. He also says he accessed the MySQL database containing customer credentials.
He gained access to the google.com.tj, yahoo.com.tj, twitter.com.tj and amazon.com.tj accounts after changing their administrative email addresses to his own address. Then, he simply reset the passwords of the targeted accounts.
At the time of writing, the Google, Yahoo, Amazon and Twitter domains have been restored. I’ve sent out an email to the Tajikistan domain registrar in hopes that the organization can provide more details on the attack. This post will be updated if the registrar responds to my inquiry.