This Site Has Been Hacked by Iranian Cyber Army

There were probably a few odd text messages whizzing around in San Francisco at 11 PM on Thursday night about a company called Dynect: a group calling itself the “Iranian Cyber Army” had hacked its servers and changed only a tiny line of text. A company most people haven’t heard of powers the websites that most people use, including Facebook, LinkedIn, Flickr, YouTube and Vimeo. They even have a catchy motto: “Uptime is the Bottom Line.”

Dynect offers a service called managed DNS hosting. When you type enduringamerica.com into your browser, a request is sent out to a DNS server. Essentially a yellow pages for the Internet, it translates lettered website names into IP addresses, which are like phone numbers for computers. The DNS server responds to your browser and says, “enduringamerica.com’s IP address is 80.82.120.200,” and your browser then “calls” that IP.

Twitter uses Dynect’s managed DNS service, so when you visit Twitter’s website, your browser first asks Dynect where to find Twitter. Instead of pointing to the correct location, the hackers changed the record so Dyn would tell users around the world that Twitter was now hosted on a server in Provo, Utah run by a company called Bluehost. The first official message verifying the hack came in under 140 characters from Twitter, saying that their “DNS records were temporarily compromised.” It turns out Twitter’s own account at Dynect was used against them.

For a handful of frantic hours, when someone went to Twitter’s site, they were instead greeted with a message in Farsi. The message was loud and clear:

O Hossein, peace be upon him.

If the leader orders us to, we will attack and if he wants us to, we will lose our heads. If he wants us to have patience and wait, we shall sit down and put up with it.

At the same time, the hackers had also lined up a way to hack one of the more prolific opposition websites, Mowj-e-Sabz (mowjcamp.org), redirecting visitors to the same page as Twitter users.

It’s a bold move by a group that people know virtually nothing about. It seems unlikely that the Government of Iran would attack a private company in America, and even less likely that they’d post what equates to a ransom note with a pretty graphic on it. Sure, government hacking goes on all the time, and the US has even been caught with its hands in some of Iran’s most private servers, but that didn’t come to light until 3 years after it happened.

Octavia Nasr, CNN’s senior editor for Middle East affairs, said “the hackers are definitely Shiites, as indicated by the ‘Ya Hussein’ chant printed on their banner.”

Given the giant influx in traffic to their servers from millions of tweeters, one would expect Bluehost to notice and fix the problem at lightning speed. But when asked, while the hack was still underway, why they hadn’t responded faster, Bluehost declined to comment. They have since removed the account that was used to host the attackers’ message. Twitter also declined to comment, saying, “What is on the blog is our official statement.”

Many outlets reported that Twitter itself was hacked. That’s not true. According to Twitter, their DNS was compromised: that means their account with Dynect was compromised. Mowj-e-Sabz, on the other hand, has had their domain name itself hijacked which will likely take some time to sort out.

*EXCLUSIVE* Update from Bluehost

Bluehost is a leading Web hosting company that provides services to nearly 2 million Web sites. Bluehost discovered that Twitter.com had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on Bluehost was set up using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations.

DNS Change Logs

The kind folks at Internet Identity passed along the DNS change records for twitter.com:

2009-12-17 22:01 (PST) / 2009-12-18 06:01 UTC
www.twitter.com, twitter.com A Records pointed to 74.217.128.160

2009-12-17 22:14 (PST) / 2009-12-18 06:14:20 UTC
twitter.com A Records pointed to 69.59.28.85

2009-12-17 22:24 (PST) / 2009-12-17 06:24 UTC
twitter.com A Records pointed to 66.147.242.88

2009-12-17 23:11 (PST) / 2009-12-18 07:11 UTC
A Records corrected and pointing back to allowed range for resolution

As you can see, they tried three different hosts before sticking with Bluehost. First it was NetFirms, then it was CaroNet, and finally Bluehost.
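The change records above are exactly the kind of data a site owner can watch for: every A record should fall inside the address space the site actually hosts on, and anything else is a sign that the DNS provider account or the domain itself has been tampered with. The following script is an added example, not code from the article, Dynect, Internet Identity or Twitter. It parses a small change log constructed from the records quoted above, flags every address outside an allow-list, and also offers a live check through the system resolver. The allowed range 198.51.100.0/24 and the final “corrected” address 198.51.100.10 are placeholders from the documentation range, not Twitter’s real address space, which the article does not give.

```python
"""
Added example: flag DNS A-record changes that point outside the address space
a site owner actually uses. Not the article's or any vendor's code.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from dataclasses import dataclass

# Constructed sample change log, modelled on the records quoted in the article.
# The last line uses a placeholder address standing in for the owner's real range.
SAMPLE_CHANGE_LOG = """\
2009-12-18 06:01 UTC twitter.com A 74.217.128.160
2009-12-18 06:14 UTC twitter.com A 69.59.28.85
2009-12-18 06:24 UTC twitter.com A 66.147.242.88
2009-12-18 07:11 UTC twitter.com A 198.51.100.10
"""

# Placeholder allow-list (assumption): the networks the site is legitimately
# hosted on. A real deployment would list its own hosting or CDN ranges here.
ALLOWED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# One change-log line: "<date> <time> UTC <name> <A|AAAA> <address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ UTC)\s+(?P<name>\S+)\s+(?P<rtype>A|AAAA)\s+(?P<value>\S+)$"
)


@dataclass(frozen=True)
class ChangeEvent:
    timestamp: str
    name: str
    rtype: str
    value: str


def parse_change_log(text: str) -> list[ChangeEvent]:
    """Parse the constructed change-log format into ChangeEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised change-log line: {line!r}")
        events.append(ChangeEvent(match["ts"], match["name"],
                                  match["rtype"], match["value"]))
    return events


def is_allowed(address: str, allowed=ALLOWED_RANGES) -> bool:
    """True if the address lies inside one of the allowed networks.
    ipaddress treats a v4 address as outside every v6 network and vice versa."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed)


def find_hijacks(events: list[ChangeEvent], allowed=ALLOWED_RANGES) -> list[ChangeEvent]:
    """Return every address-record change whose new value is outside the allow-list."""
    return [e for e in events if not is_allowed(e.value, allowed)]


def check_live(name: str, allowed=ALLOWED_RANGES) -> list[str]:
    """Resolve `name` through the system resolver and return any addresses
    outside the allow-list. Uses the network, so it is not exercised offline."""
    addresses = {info[4][0] for info in socket.getaddrinfo(name, None)}
    return sorted(a for a in addresses if not is_allowed(a, allowed))


if __name__ == "__main__":
    for event in find_hijacks(parse_change_log(SAMPLE_CHANGE_LOG)):
        print(f"ALERT {event.timestamp}: {event.name} {event.rtype} -> {event.value} "
              f"is outside the allowed ranges")
```

Run offline, the script reports the first three changes (NetFirms, CaroNet and Bluehost addresses) and stays silent on the corrected record. Pointing `check_live` at a real hostname with the owner’s real ranges turns the same logic into a periodic resolution check that would have fired within a minute of the 22:01 change rather than after an hour of redirected traffic.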

Official Twitter Update

Biz just posted more details on last night’s attack:

Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so instead of typing in a long string of numbers we can enter URLs like www.twitter.com into a browser to visit our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. From 9:46pm to 11pm PST, approximately 80% of traffic to Twitter.com was redirected to other web sites. We tweeted, blogged, and updated our status page last night.

During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users; we don’t believe any accounts were compromised. If you’re concerned that your account could have been affected in some way, feel free to contact us, accountsafe [at] twitter.com.

(This article also appeared at Enduring America.)
