Metasploit Project's site hijacked through ARP poisoning

Metasploit, the open-source platform for developing, testing, and using exploit code, got its official project site briefly hijacked on Monday by a well-known member of the Chinese underground, who left the following message offering a new zero-day exploit for sale: "hacked by sunwear! just for fun! ring04h come on :) ps:sell 0day, my qq 47347 .call me sunwear". The appearance of the message and the redirection of Metasploit.com to the Chinese forum appear to have been achieved through ARP poisoning at the ISP level, according to H D Moore:

"Problem solved. Someone is ARP poisoning the IP address of the router on which the www.metasploit.com server resides. I hardcoded an ARP entry for the real router and that seems to solve the MITM issue. It doesn't help the other 250 servers on that network, but that's an issue for the ISP to resolve."

The Chinese hackers then posted a screenshot of what Metasploit.com looked like during the ARP poisoning on the forum to which the hijacked site had been redirecting its visitors. Offering a zero-day exploit for sale by hijacking Metasploit's official site is surreal, but it should not obscure the possibility that a real zero-day exploit could have been served to visitors had the attackers fully abused the man-in-the-middle position the attack gave them.
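The attack described above works because any host on the segment can answer (or volunteer) an ARP reply claiming the router's IP, and every neighbour that caches it then sends its traffic through the attacker. The detector below is an added example, not code from the original post, from H D Moore or from the Metasploit project: it runs over a constructed capture of ARP replies, flags every attempt to rebind the gateway IP to a MAC other than the pinned one, counts which MAC is claiming the gateway most aggressively, and emits the Linux commands that hardcode the real router's entry, the per-host fix quoted above. The gateway IP, interface name and both MAC addresses are placeholders (TEST-NET addresses and locally administered MACs), not the real Metasploit.com network.

```python
"""Detect ARP poisoning of the default gateway from observed ARP replies.

Added example, not code from the original post, from H D Moore or from the
Metasploit project. All addresses are constructed placeholders (TEST-NET IPs
and locally administered MACs), not the real Metasploit.com network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer on the server's segment would see it."""
    t: float          # seconds since capture start
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # hardware address it wants peers to cache for that IP


@dataclass(frozen=True)
class Alert:
    t: float
    kind: str
    detail: str


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def detect_gateway_spoof(replies: Iterable[ArpReply], gateway_ip: str,
                         trusted_mac: Optional[str] = None) -> List[Alert]:
    """Flag replies that try to rebind gateway_ip to a MAC other than the pinned one.

    trusted_mac is the router's real hardware address learned out of band (the
    value a static ARP entry would pin). If it is None, the first MAC seen for
    the gateway is pinned instead, which is weaker: an attacker who is already
    poisoning when monitoring starts gets pinned as "real".
    """
    pinned = normalize_mac(trusted_mac) if trusted_mac else None
    alerts: List[Alert] = []
    for r in replies:
        if r.sender_ip != gateway_ip:
            continue                      # only the gateway binding matters here
        mac = normalize_mac(r.sender_mac)
        if pinned is None:
            pinned = mac
        elif mac != pinned:
            alerts.append(Alert(r.t, "gateway-mac-mismatch",
                                f"{gateway_ip} claimed by {mac}, pinned {pinned}"))
    return alerts


def claimants(replies: Iterable[ArpReply], gateway_ip: str) -> Dict[str, int]:
    """Count how many replies each MAC sent for gateway_ip.

    A poisoner must keep re-sending to stay ahead of the real router's replies,
    so the spoofed MAC usually dominates the count; it also names the host to hunt.
    """
    counts: Dict[str, int] = {}
    for r in replies:
        if r.sender_ip == gateway_ip:
            mac = normalize_mac(r.sender_mac)
            counts[mac] = counts.get(mac, 0) + 1
    return counts


def pin_gateway_commands(gateway_ip: str, mac: str, iface: str) -> List[str]:
    """Linux commands that hardcode the gateway's ARP entry on one host
    (iproute2 and net-tools forms), the per-host mitigation quoted in the post."""
    mac = normalize_mac(mac)
    return [f"ip neigh replace {gateway_ip} lladdr {mac} dev {iface} nud permanent",
            f"arp -i {iface} -s {gateway_ip} {mac}"]


# Constructed capture: the real router answers normally while another host on
# the segment floods spoofed replies for the gateway IP every couple of seconds.
GATEWAY_IP = "192.0.2.1"                 # placeholder, TEST-NET-1
REAL_ROUTER_MAC = "02:00:5e:00:00:01"    # placeholder, locally administered
ATTACKER_MAC = "02:00:5e:00:00:99"       # placeholder

SAMPLE_CAPTURE = [
    ArpReply(0.0, GATEWAY_IP, REAL_ROUTER_MAC),
    ArpReply(1.5, "192.0.2.40", "02:00:5e:00:00:40"),   # unrelated host, ignored
    ArpReply(2.0, GATEWAY_IP, ATTACKER_MAC),
    ArpReply(4.0, GATEWAY_IP, ATTACKER_MAC),
    ArpReply(5.0, GATEWAY_IP, REAL_ROUTER_MAC),
    ArpReply(6.0, GATEWAY_IP, ATTACKER_MAC),
]


if __name__ == "__main__":
    for a in detect_gateway_spoof(SAMPLE_CAPTURE, GATEWAY_IP, REAL_ROUTER_MAC):
        print(f"[{a.t:5.1f}s] {a.kind}: {a.detail}")
    print("claimants:", claimants(SAMPLE_CAPTURE, GATEWAY_IP))
    print("\n".join(pin_gateway_commands(GATEWAY_IP, REAL_ROUTER_MAC, "eth0")))
```

Two caveats follow from the code. First-seen pinning (calling the detector without `trusted_mac`) is only as good as the moment monitoring started: on a capture that begins mid-attack the spoofed MAC is pinned and the real router's replies are what get flagged, so the gateway MAC should come from the ISP or the router console, not from the wire. Second, both the detector and the static entry protect one host; the other servers on the same segment stay exposed until the ISP enforces the binding at the switch or router, which is exactly the limitation Moore points out.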

Topics: Malware, Networking, Open Source, Security, Servers

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

5 comments
  • Time to hold the Chinese's feet to the fire on this

    If Beijing is serious about being a respected member of the world community, it should suppress hacking as much as other countries at the first tier of world power do.

    Instead, the evidence is good that Beijing incorporates amateur hackers as part of its cyberwarfare capability and encourages them to perform exploits.

    This is one of many reasons that we should impose tariffs on Chinese goods which unfairly compete against equivalent domestic goods (through subsidies, lack of equivalent environmental or worker safety laws, or use of prison labor). As long as China is allowed to commit aggression against us by any means without cost, they will continue to do so.
    jlafitte
  • There Is No Honor Among Thieves (nt)

    NT
    MichP
  • RE: Metasploit Project's site hijacked through ARP poisoning

    Actually, they owned the ARP entry that resolves to the Metasploit website's IP.

    I would say that you must not trust binaries that have been downloaded during the attack, and you should check hashes now.
    If they owned the ARP entry, they could have mirrored the website and compromised binaries.

    Also, setting a static ARP entry in his host might not be a solution, as the entry must be statically set in the ISP router to be really trusted?

    Regards

    /dz-secure.com
    /cO2
    co2
  • Shoot hackers on sight! (nt)

    (nt)
    bjbrock
  • RE: Metasploit Project's site hijacked through ARP poisoning

    This is beautiful. This is a good tool that people should be playing with, especially IT personnel. It's stupid to say shoot hackers on sight; hackers push the boundaries of what is possible. There is no putting this genie back in the bottle; people must learn the tools of the bad guys, patch their systems, or switch to the other OS.
    waldenasta