Jun 02 2008
Sunwear hacks metasploit.com?
Heike and I have reported on the well-known Chinese hacker sunwear several times:
People’s Armed Police Officer Hacking?
Sunwear Picture Proclaimed a Joke
Chinese Hacker…repeat offender!
A forum posting on eviloctal from sunwear shows a screenshot of a hacked metasploit.com with his mark: “hacked by sunwear ! just for fun”. Here is a link to the eviloctal.com forum posting. Thanks to sunbelt for the news. No way to tell if it was a hoax or real just yet. The metasploit site seems to be normal at the time of this writing. The forum post was made by sunwear on June 3.
Update (June 3 2003hrs GMT): One reader commented that the site was indeed hacked and that he was redirected to the evil octal forums.
Update from HD at Metasploit: The issue was that someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I was able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP’s network was.
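
HD's fix was a static ARP entry for the gateway. As an added example (not from this post or from Metasploit), the Python check below compares a Linux `/proc/net/arp` snapshot against a pinned gateway MAC and reports the signs of gateway ARP spoofing; the addresses, sample tables and function names are constructed for illustration.

```python
ATF_COM, ATF_PERM = 0x02, 0x04  # Linux ARP flags: entry complete / permanent (static)

HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
GATEWAY_IP, PINNED_MAC = "192.0.2.1", "02:00:00:aa:bb:01"  # constructed values

# Constructed snapshot: the gateway IP resolves to the MAC of host 192.0.2.5.
SPOOFED_TABLE = HEADER + (
    "192.0.2.1        0x1         0x2         02:00:00:aa:bb:05     *        eth0\n"
    "192.0.2.5        0x1         0x2         02:00:00:aa:bb:05     *        eth0\n"
    "192.0.2.7        0x1         0x0         00:00:00:00:00:00     *        eth0\n"
    "192.0.2.9        0x1         0x2         02:00:00:aa:bb:09     *        eth0\n")

# Constructed snapshot: gateway pinned with a static entry (flags 0x6).
PINNED_TABLE = HEADER + (
    "192.0.2.1        0x1         0x6         02:00:00:aa:bb:01     *        eth0\n"
    "192.0.2.5        0x1         0x2         02:00:00:aa:bb:05     *        eth0\n")

def parse_arp_table(text):
    """Parse /proc/net/arp-style text; incomplete (unresolved) entries are skipped."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, dev = fields
        flags = int(flags, 16)
        if flags & ATF_COM:
            entries.append({"ip": ip, "mac": mac.lower(), "flags": flags, "dev": dev})
    return entries

def check_gateway(entries, gateway_ip, pinned_mac):
    """Return (finding, detail) tuples; an empty list means the gateway entry looks sound."""
    gw = next((e for e in entries if e["ip"] == gateway_ip), None)
    if gw is None:
        return [("missing", gateway_ip)]
    findings = []
    if gw["mac"] != pinned_mac.lower():
        findings.append(("mac_mismatch", gw["mac"]))      # gateway IP maps to another NIC
    if not gw["flags"] & ATF_PERM:
        findings.append(("dynamic_entry", gateway_ip))    # forged replies can overwrite it
    for e in entries:
        if e["ip"] != gateway_ip and e["mac"] == gw["mac"]:
            findings.append(("mac_shared_with", e["ip"]))  # likely the spoofing host
    return findings

if __name__ == "__main__":
    for name, table in (("spoofed", SPOOFED_TABLE), ("pinned", PINNED_TABLE)):
        print(name, check_gateway(parse_arp_table(table), GATEWAY_IP, PINNED_MAC))
```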



Hello,
This isn’t a hoax. I went there to download the framework this morning and both metasploit.com and metasploit3.com would take me to the text page screen shotted above. After about 5 seconds I was then sent to the eviloctal forums. I went back a while later and it seemed “fixed”, but then started happening again about 5 minutes after. Not sure if I was being load-balanced between hacked and not-hacked servers, or if they were re-compromised.
Thanks for the update! Hopefully we’ll hear an official report of what happened soon.
The issue was that someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I was able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP’s network was.
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=26882&mode=thread&order=0&thold=0
HD,
I have pasted your comment into the main body of the post. Thank you for clearing that up!
He is a really badass figure in China.
He knows the Windows kernel quite well. Really awesome~
look here
http://47347.qzone.qq.com
discuz.phpwind.janker.topsec.
sunwear all hacked
http://photo.qq.com/portal/albumMain.shtml?%23uin=47347#uin=47347&albumid=302394660
his photo
very cool
handsome
http://h4ck-y0u.org/viewtopic.php?t=48861