Jun 02 2008

Sunwear hacks metasploit.com?

Published by at 1:07 pm under Hacker Hunting,US attacks

Heike and I have reported on the well-known Chinese hacker sunwear several times:

People’s Armed Police Officer Hacking?

Sunwear Picture Proclaimed a Joke

Chinese Hacker…repeat offender!

Top Chinese Veteran Hackers

sunwear vs. metasploit.com

A forum posting on eviloctal from sunwear shows a screenshot of a hacked metasploit.com with his mark:  “hacked by sunwear ! just for fun”.  Here is a link to the eviloctal.com forum posting.  Thanks to sunbelt for the news. No way to tell if it was a hoax or real just yet. The metasploit site seems to be normal at the time of this writing.  The forum post was made by sunwear on June 3.

Update (June 3 2003hrs GMT): One reader commented that the site was indeed hacked and that he was redirected to the evil octal forums.

Update from HD at Metasploit: The issue was that someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I was able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP’s network was.
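As an added illustration of the condition HD describes (not code from the original post or from the Metasploit project), the Python below replays a constructed set of ARP replies, flags any MAC other than the known gateway MAC that claims the gateway's IP, and emits the static ARP entry that pins the gateway on a host. The gateway IP/MAC, the interface names and the sample replies are all assumed values, not anything from the incident.

```python
# Added example: detect gateway ARP poisoning from observed ARP replies and
# produce the static-entry mitigation. All addresses below are constructed.
from collections import defaultdict

# Assumed gateway identity (placeholder values, not from the post).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample of observed ARP replies as (sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:55"),   # genuine gateway reply
    ("192.0.2.10", "00:aa:bb:cc:dd:10"),  # ordinary host
    ("192.0.2.1", "00:DE:AD:BE:EF:99"),   # second MAC claiming the gateway IP
    ("192.0.2.1", "00:de:ad:be:ef:99"),
    ("192.0.2.11", "00:aa:bb:cc:dd:11"),
]


def normalize_mac(mac):
    """Canonical lower-case form so case differences never hide a conflict."""
    return mac.strip().lower()


def find_ip_mac_conflicts(replies):
    """Map each IP to the MACs that claimed it; any IP with more than one MAC
    is a conflict, which is what gateway poisoning looks like on the wire."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(normalize_mac(mac))
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def gateway_impostors(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return the sorted list of MACs other than the known one that claimed the gateway IP."""
    legit = normalize_mac(gateway_mac)
    return sorted({normalize_mac(mac) for ip, mac in replies
                   if ip == gateway_ip and normalize_mac(mac) != legit})


def static_arp_commands(gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """The mitigation HD applied: pin the gateway with a static ARP entry.
    Interface names (eth0, "Ethernet") are assumptions for the example."""
    return {
        "linux": f"ip neigh replace {gateway_ip} lladdr {gateway_mac} nud permanent dev eth0",
        "windows": f'netsh interface ipv4 add neighbors "Ethernet" {gateway_ip} '
                   f"{gateway_mac.replace(':', '-')}",
    }


if __name__ == "__main__":
    print("conflicts:", find_ip_mac_conflicts(SAMPLE_ARP_REPLIES))
    print("gateway impostors:", gateway_impostors(SAMPLE_ARP_REPLIES))
    print(static_arp_commands()["linux"])
```

On a real network the same check is what tools such as arpwatch perform continuously; the static entry only protects the host it is set on, which is why HD also had to involve the ISP.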


9 Responses to “Sunwear hacks metasploit.com?”

  1. mpg31337 on 02 Jun 2008 at 2:53 pm

    Hello,

    This isn’t a hoax. I went there to download the framework this morning and both metasploit.com and metasploit3.com took me to the text page screen shotted above. After about 5 seconds I was then sent to the eviloctal forums. I went back a while later and it seemed “fixed”, but then started happening again about 5 minutes after. Not sure if I was being load-balanced between hacked and not-hacked servers, or if they were re-compromised.

  2. jumper on 02 Jun 2008 at 3:14 pm

    Thanks for the update! Hopefully we’ll hear an official report of what happened soon.

  3. HD on 02 Jun 2008 at 7:12 pm

    The issue was that someone hacked a machine on the same subnet and was ARP spoofing the gateway. The metasploit.com machines were not compromised, but all HTTP requests coming into the ISP network were passed through a MITM defacer that inserted that HTML. Once I was able to set a static ARP entry and notify the ISP, the problem was resolved. So, to make things clear, the metasploit.com servers were not hacked, the ISP’s network was.

  4. hehe on 02 Jun 2008 at 8:10 pm

    https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=26882&mode=thread&order=0&thold=0

  5. Heike on 02 Jun 2008 at 8:53 pm

    HD,

    I have pasted your comment into the main body of the post. Thank you for clearing that up!

  6. superpig on 03 Jun 2008 at 2:35 am

    He is a really big name in China.
    He knows the Windows kernel very well. Seriously impressive~

  7. superpig on 03 Jun 2008 at 2:36 am

    look here
    http://47347.qzone.qq.com

    discuz.phpwind.janker.topsec.
    sunwear all hacked

  8. superpig on 03 Jun 2008 at 2:38 am

    http://photo.qq.com/portal/albumMain.shtml?%23uin=47347#uin=47347&albumid=302394660

    his photo
    very cool
    handsome

  9. anon on 08 Jun 2008 at 7:03 am

    http://h4ck-y0u.org/viewtopic.php?t=48861