Early this morning, while logging into my mail, I got emails from Tamasa, a petites annonces web site which I customized for a client while I was freelancing at uni, and which was launched on 31 July 2007.
The wrong deed…
Below, the hacked home page…
The email read as follows:
Content-type: text/html; charset=iso-8859-1
Much better than tamasa.mu is the new Defi --- Annonces website: www.aaa.info/annonces
You can upload 5 pictures and even videos and other documents along with your text ad!
With more than 600 users and 350 ads in their system already and at least a dozen new ads appearing everyday, I'm sure you'll love it. :)
This email was supposedly sent by Avish at 2:54 am and had been sent to all registered users of Tamasa.
I immediately concluded that the site Tamasa had been hacked!
Just at that moment, the true Avish contacted me to tell me about a comment which was left on his blog, where someone claimed that Avish was the one who hacked this site.
How was the wrong done?
Immediately, we started our own investigations.
Avish found out that the comment on his blog was added at around 3:30 am (29 Dec 2008) by someone who was behind a proxy, which masked his IP and thus made it difficult to find his country.
From my analysis of the situation, I found out that the hacker had been able to log into the administration of the web site and:
- Changed the logo
- Changed the keywords
- Modified the font settings so that the site was unreadable
- Sent the mail at around 2:54 am (29 Dec 2008) using the web site's admin message center
Tracking down the hacker…
Then, I had a great idea!
I looked into the source code of the email which was sent and guess what?
haha, you Hacker, you have been PWNED!
An IP address was attached by the script which sent the mail, and the hacker did not care to hide behind a proxy while hacking the admin section 🙂
Extract of the email header:
To: email@example.com
Subject: New petites annonces website
X-PHP-Script: tamasa.mu/admin/sendmessageall.php for 196.20.165.xxx
From: firstname.lastname@example.org
Reply-To: email@example.com

So, dear Mr Hacker, or should I call you dear Mr “hacker”, you don’t believe me?
Go on, if you happen to be registered on tamasa, check the header of the email which you sent yourself…
Any other tamasa member who received this mail can try this out too!
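The same check as an added example (not code from the original post): it pulls the script path and client address out of the X-PHP-Script header and lists every admin request that address made in a web server access log. The mail, the log lines, the addresses (documentation ranges) and the admin paths other than sendmessageall.php are constructed, and the log format is assumed to be Apache common style.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample mail (not the real one); 203.0.113.7 is a documentation address.
SAMPLE_MAIL = """\
To: member@example.com
Subject: New petites annonces website
X-PHP-Script: tamasa.mu/admin/sendmessageall.php for 203.0.113.7
From: admin@example.com

Much better than tamasa.mu ...
"""

# Constructed access-log lines, Apache common style (assumed); login.php and
# settings.php are hypothetical admin paths.
SAMPLE_LOG = """\
198.51.100.4 - - [29/Dec/2008:02:40:11 +0400] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [29/Dec/2008:02:47:02 +0400] "POST /admin/login.php HTTP/1.1" 302 0
203.0.113.7 - - [29/Dec/2008:02:49:30 +0400] "POST /admin/settings.php HTTP/1.1" 200 811
203.0.113.7 - - [29/Dec/2008:02:54:08 +0400] "POST /admin/sendmessageall.php HTTP/1.1" 200 640
"""

ORIGIN_RE = re.compile(r"^(?P<script>\S+)\s+for\s+(?P<clients>.+)$")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def php_script_origin(raw_mail):
    """Return (script, [client addresses]) from X-PHP-Script, or None if absent or malformed."""
    value = message_from_string(raw_mail, policy=default).get("X-PHP-Script")
    if value is None:
        return None
    m = ORIGIN_RE.match(" ".join(str(value).split()))  # collapse folded whitespace
    if not m:
        return None
    # Assumption: if several addresses are recorded, they are comma-separated.
    return m.group("script"), [c.strip() for c in m.group("clients").split(",") if c.strip()]

def admin_requests_by(clients, log_text, prefix="/admin/"):
    """List (timestamp, method, path) for admin requests made by the given addresses."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") in clients and m.group("path").startswith(prefix):
            hits.append((m.group("ts"), m.group("method"), m.group("path")))
    return hits

if __name__ == "__main__":
    script, clients = php_script_origin(SAMPLE_MAIL)
    print(script, clients)
    for hit in admin_requests_by(clients, SAMPLE_LOG):
        print(*hit)
```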
Legal actions to be taken…
Since the beginning, I was in direct contact with my client, and with this proof, we are going to file a case with the police. Legal actions will definitely be taken, and the owner of this IP address will soon be traced by the police.
If everything goes alright, our dear hacker may be accused of “Misuse of IT, or illegal breaking into a system”.
Site is back online…
I restored the site, putting everything back to its initial state and at the same time protecting the site from any future attacks.
The reasons behind this attack
In fact, this attack was not done to cause damage to the Tamasa Portal, but instead to create conflicts among us bloggers. Tamasa was a means to get me into a war with Avish, and fortunately, we are not so stupid as to believe anything without analysing it properly.
For months, someone has been deliberately spamming our blogs, especially since the time bloggers have been against the administrator of the web site of a newspaper group.
Effectively, this administrator is the shame of the Mauritian net.
Some of the latest innovations reported were
- Implementation of a 404 error page, strangely similar to that of our blogger Sailesh, just a few days after the latter blogged about this.
- Sharing of illegal Rapidshare links in the Official Forum of the newspaper.
I don't really know if all of this is legal on the web site of a newspaper whose articles are mostly related to “palabs of everyday”.
Yesterday itself, someone entered my Google chat and sent me the following message:
As you can see, there is definitely someone who is after the Mauritian bloggers…
Some days before, even Dakshinee had to reply to someone, read it here.
As someone said in Avish’s post, this is an opportunity to give Tamasa some free ads and make it grow even more!
To be continued…
Cheers for the Mauritius Bloggers and thanks to all of them for their support this morning!