Early this morning, while logging into my mail, I got mails from Tamasa, a petites annonces (classified ads) web site which I customized for a client while I was freelancing at uni, and which was launched on 31 July 2007.
The wrong deed…
Below, the hacked home page…
The email read as follows:
Content-type: text/html; charset=iso-8859-1
Much better than tamasa.mu is the new Defi --- Annonces website: www.aaa.info/annonces
You can upload 5 pictures and even videos and other documents along with your text ad!
With more than 600 users and 350 ads in their system already and at least a dozen new ads appearing everyday, I'm sure you'll love it. :)
This email appeared to have been sent by Avish at 2:54 am, and had gone out to all registered users of Tamasa.
I immediately concluded that the site Tamasa had been hacked!
Just at that moment, the real Avish contacted me about a comment left on his blog, in which someone claimed that Avish was the one who had hacked the site.
Read more about this on his blog...
How was the wrong done?
Immediately, we started our own investigations.
Avish found out that the comment on his blog had been added at around 3:30 am (29 Dec 2008) by someone behind a proxy, which masked his IP and thus made it difficult to determine his country.
From my analysis of the situation, I found that the hacker had been able to log into the administration section of the web site and:
- Changed the logo
- Changed the keywords
- Modified the font settings so that the site was unreadable
- Sent the mail at around 2:54 am (29 Dec 2008) using the web site's admin message center
Tracking down the hacker…
Then I had a great idea!
I looked into the source of the email which was sent and guess what?
haha, you Hacker, you have been PWNED!
The script which sent the mail attached the sender's IP address to the headers, and the hacker did not care to hide behind a proxy while he was in the admin section 🙂
Extract of the email header:
To: email@example.com
Subject: New petites annonces website
X-PHP-Script: tamasa.mu/admin/sendmessageall.php for 196.20.165.xxx
From: firstname.lastname@example.org
Reply-To: email@example.com
So, dear Mr Hacker, or should I call you dear Mr “hacker”, you don't believe me?
Go on, if you happen to be registered on tamasa, check the header of the email which you sent yourself…
Any other tamasa member who received this mail can try this out too!
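The check described above, pulling the originating client address out of the mail headers, can be automated. The following is an added example (not code from the original post or from the Tamasa site) that parses a header block with Python's standard `email` module, reads the `X-PHP-Script` header that some hosting environments add to mail sent through PHP's `mail()`, validates the address, and also lists `Received` hops that show the mail was submitted locally by the web server user. The sample header block is constructed from the lines quoted in the post, with the last octet masked as `xxx` exactly as printed; the second sample uses a documentation address (RFC 5737) rather than a real host.

```python
import email
import ipaddress
import re
from email.policy import default
from typing import Dict, List, Optional

# Constructed sample: the header lines quoted in the post, plus one Received line
# of the shape shown in the comments (mail submitted by the httpd user on the host).
SAMPLE_HEADERS = """\
Received: (from httpd@localhost) by web7.hsphere.us (8.13.1/8.13.1/Submit) id mBSLvKjV006678; Sun, 28 Dec 2008 15:57:20 -0600
To: email@example.com
Subject: New petites annonces website
X-PHP-Script: tamasa.mu/admin/sendmessageall.php for 196.20.165.xxx
From: firstname.lastname@example.org
Reply-To: email@example.com

"""

# "X-PHP-Script: <host>/<path>.php for <client address>"
X_PHP_SCRIPT = re.compile(r"^\s*(?P<script>\S+)\s+for\s+(?P<ip>[\w.:]+)\s*$")
# "(from <user>@localhost)" inside a Received header marks local submission
LOCAL_SUBMIT = re.compile(r"\(from\s+(?P<user>[^@\s]+)@localhost\)")


def parse_x_php_script(raw_headers: str) -> Optional[Dict[str, object]]:
    """Return the script path and client address recorded in X-PHP-Script.

    The result also says whether the address is a syntactically valid IP,
    whether it is a globally routable one, or whether it was masked (e.g. a
    redacted octet such as 'xxx'); None when the header is absent or malformed.
    """
    msg = email.message_from_string(raw_headers, policy=default)
    value = msg.get("X-PHP-Script")
    if value is None:
        return None
    match = X_PHP_SCRIPT.match(str(value))
    if not match:
        return None
    ip_text = match.group("ip")
    info: Dict[str, object] = {
        "script": match.group("script"),
        "client": ip_text,
        "valid_ip": False,
        "public": False,
        "masked": False,
    }
    try:
        addr = ipaddress.ip_address(ip_text)
        info["valid_ip"] = True
        info["public"] = addr.is_global
    except ValueError:
        # Not an address at all: treat 'x' placeholders as a redacted value.
        info["masked"] = "x" in ip_text.lower()
    return info


def web_submission_hops(raw_headers: str) -> List[str]:
    """List the local users that handed the mail to the MTA, per Received header."""
    msg = email.message_from_string(raw_headers, policy=default)
    users = []
    for received in msg.get_all("Received") or []:
        match = LOCAL_SUBMIT.search(str(received))
        if match:
            users.append(match.group("user"))
    return users


if __name__ == "__main__":
    print(parse_x_php_script(SAMPLE_HEADERS))
    print(web_submission_hops(SAMPLE_HEADERS))
```

On the post's own extract the function reports the script path and the masked client value; on an unmasked header it tells you whether the recorded address is even routable before anyone starts attributing it, which is the caveat raised in the comments about tunnelled or shared machines.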
Legal actions to be taken…
Since the beginning, I have been in direct contact with my client, and with this proof we are going to file a case with the police. Legal action will definitely be taken, and the owner of this IP address will soon be traced by the police.
If everything goes all right, our dear hacker may be charged with “misuse of IT, or illegally breaking into a system”.
Site is back online…
I restored the site, putting everything back to its initial state and at the same time protecting the site from future attacks.
The reasons behind this attack
In fact, this attack was not done to damage the Tamasa portal, but to create conflict among us bloggers. Tamasa was a means to get me into a war with Avish, and fortunately we are not so stupid as to believe anything without analysing it properly.
For months, someone has been deliberately spamming our blogs, especially since bloggers took a stand against the administrator of a newspaper group's web site.
Indeed, this administrator is the shame of the Mauritian net.
Some of the latest “innovations” reported were:
- Implementation of a 404 error page strangely similar to that of our fellow blogger Sailesh, just a few days after the latter blogged about it.
- Sharing of illegal Rapidshare links in the newspaper's official forum.
I don't really know whether all of this is legal on the web site of a newspaper whose articles are mostly about “everyday palabs” (gossip).
Yesterday itself, someone entered my Google chat and sent me the following message:
As you can see, there is definitely someone who is after the Mauritian bloggers…
Some days before, even Dakshinee had to reply to someone, read it here.
As someone said in Avish’s post, this is an opportunity to make Tamasa some free ads and make it grow even more!
To be continued…
Cheers for the Mauritius Bloggers and thanks to all of them for their support this morning!
It shall be quite easy to locate the real culprit of this attack from that IP mistake he made. What is really annoying is that he even tried to guess my email address and send an email from that…
But one point to note… there are not 3 ‘i’s in my email address…. the number of “i”s was wrongly guessed lol.
By the way… I wonder if we should call the one who did that a hacker…. a CRACKER would have been the right word for such a stupid act.
Anyway Yashvin we are together and that's what matters the most. Wonderful crisis meeting this morning lol 😛 Even the tea went cold lol.
About the 404 page.. yeah Sailesh showed me his 404 page well before he even posted that on his blog. We were chatting on msn when he showed that to me… Hellbound… we were having visits on expliknu.com from defimedia so I went to have a look at their forum… I mistyped the address and landed on the 404 page of defimedia.. That's when I noticed they had COPIED the 404 page from a blogger.
Shame on them.
Well well this seems to be some1 who is rather jealous. Well as you said, that can't be a hacker since he didn't even hide behind a proxy… maybe some1 u know 🙂 nice article.
I guess the “hacker” just crossed the line. Hope he’s caught soon. 🙂
Anyway my advice for all Mauritians is to secure/back up their sites so as to avoid being stabbed in the back.
Well, you can't actually use the 404 page argument. It's just a long-time-no-see page that has always existed. E.g. this 2006 post on a forum or this newly posted reissue.
On the other hand, it's true that site attacks can be pursued by judicial means and it costs a lot. This only shows that the people behind the “cracking” are just low and have no imagination. What bothers me though is how did that guy get into your admin backoffice?
It’s a real shame that some Mauritians think like this, particularly after you and Avish have done so much for the Mauritian blogging community.
This guy is just some n00b without manners who thinks that he is the best and I hope that he will get caught as soon as possible.
Well, congrats to you guys and really hope you get to pin him or her down..
It’s a shame how people use such a wonderful tool like technology to do such shameful acts..
Worse the language with which he started the ‘chat’ with you is simply gross…
This individual needs to be banned from all technology use and his ID should be sent to all agencies and companies where he'll be seeking work, for he might do worse there…
Actually you should let his true ID be known for it might be helpful for us all…
The newspaper which is probably (surely) involved here is a real pain in the neck and so is its forum. I am registered there and the only people who are really active there are probably the journalists of the newspaper itself. How pathetic! And that forum is like a bazaar where every single piece of gossip becomes the talk of the town in their little global village.
They are probably well aware of the fact that bloggers nowadays are *THE* independent source of information, and that no one needs the third-grade supposedly independent sources of information now, because with one single click we can know what is happening in Mauritius through blogs, and the articles will be good ones and not one-sided ones, and many people will voice their opinion.
Bloggers rule and that newspaper sucks BIG TIME!
@Web Design Bureau: Well, that's the question which I haven't been able to answer till now :S
But he will have to answer it when he is caught haha!
btw, the 404 page is only to show that he is using things that we bloggers have blogged about, just to improve his site!
@Everyone: Thanks for ur support!
“As someone said in Avish’s post, this is an opportunity to make Tamasa some free ads and make it grow even more!”
Indeed 😀 I din noe bout this site prior to this event. Gonna visit it now!! 😛
@that hacker(if he is reading this now)
wow u’ve impressed me!! noe why ? coz I noe very few ppl who wud fucked themselves on their own…u made ur day urself 😀 happy new year 09 hehe wish u a painful year in ur arse with lots a back and forth to courts.
@yashvin, btw I find your new CV (party photos) looks like Sai Baba 😀 TRR!!
“PETER:
@yashvin, btw I find your new CV (party photos) looks like Sai Baba TRR!!”
Best end of year joke!!! TVR! At last! lol!!!
@Peter n Reena: You two are having fun at my expense :(, I'll blog against you later hihi!
@Reena: TVR!
kind of sucks to have your page defaced.
as for the ip, nothing says it is the hacker… that machine could well have been a compromised machine which the intruder tunnelled through?
in fact… there's no real way of identifying him with so little information.
and stop calling that hacking…. that's lame :p
anyways, i would rather put the blame on the maintainer…. [if the dude who defaced did warn about bugs first], else blame the world!
Hackers are warned!!
btw, your stuff is not hosted in mauritius, so i wonder what your legal options would be?
@Selven: Well, if you had asked me what measures I took to prevent future attacks, I would have answered you.
lol, but your question is related to legal issues, not really my domain 🙂
Thanks for passing by, and for ur help 😉
This guy/girl who did this is definitely jealous of the bloggers and wants to promote the newspaper.
shame on him/her!!!!
You're copying others' stuff, shame shame on you if you are reading this!!
lol… well.. all of u said it all.. 🙂
i hope to hear this on Radio plus soon… 😛
I have found out how he came to enter the admin part of the site!
He injected a SQL script into the URL of a specific page of the site.
With this query, the username and password were displayed on the page itself. This was a known vulnerability of the system, and as an immediate action, I deleted the page itself and changed all passwords again.
So, now we have got
(1) how he did it
(2) when he did it
(3) why he did it
We are only missing the “who”, but that won't take long, since tomorrow the owner of Tamasa is going to file a complaint at the Police Station 🙂
Hope Mr the hacker will be able to sleep peacefully!
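The flaw described in the comment above, a URL parameter spliced into a SQL query so that a crafted value makes the page return rows it was never meant to show, is worth seeing side by side with its fix. The following is an added example written for this page, not code from Tamasa or from the script the comment refers to; it uses Python's built-in `sqlite3` with a constructed in-memory `users` table, and the query, column names and sample rows are assumptions made for the demonstration.

```python
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users with (fake) password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            username      TEXT PRIMARY KEY,
            password_hash TEXT NOT NULL
        );
        INSERT INTO users VALUES ('admin', 'constructed-hash-1');
        INSERT INTO users VALUES ('alice', 'constructed-hash-2');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """The defect: the request parameter is pasted into the SQL text, so the
    database cannot tell where the query ends and the user's data begins."""
    sql = (
        "SELECT username, password_hash FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """The fix: the SQL is fixed text and the value travels as a bound parameter,
    so whatever the request contains is compared as a plain string."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> Dict[str, List[Row]]:
    """Run the same request value through both versions of the lookup."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A value that closes the quoted literal and appends an always-true
    # condition; the vulnerable lookup then returns every row in the table.
    print(compare("' OR '1'='1"))
    # A normal value behaves the same in both versions.
    print(compare("alice"))
```

Two further points a reviewer would raise on the original page, beyond parameterizing the query: a public page should never render the `password_hash` column at all (the list of fields selected should be as narrow as the page needs), and the passwords must be stored as salted hashes rather than plaintext, so that even a leak of the table does not hand out working logins. Deleting the page, as the comment says was done, removes the exposure but not the pattern; the same concatenation elsewhere would carry the same risk.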
Hey hacker man, go have fun dancing and singing instead of bothering your head with nonsense like hacking sites…. got nothing better to do??? eh?????
Yashvin and his friend are going to smash your face now….. are you happy with that??? Or would you rather have fun dancing and singing?? Choose now … well, too late to choose.
I forgot to mention one thing: always use different passwords on forums/social networking sites etc.. since tamasa.mu has been hacked, there's a possibility that all the SQL records containing usernames and passwords were dumped 🙂
That hacker is like a terrorist, doing this in his own cage, to his own brothers..
There's a Mauritian sega: “try to change, I'm telling you, try to change, otherwise you'll see, you'll see!!!” A little message for that hacker..
A suggestion for you guys, don't write out all the steps/actions you're taking against the hacker, otherwise he'll be more alert and can make up lots of stories… msn is the best place to discuss these matters.. on the blog just post your reactions.. Happy New Year guys.. Enjoy.. to that hacker also!!! 😛
Well owned. Good for you idiots. And well done Mr Hacker! 🙂
following…:p my comments will come later 😉
@Jose: We will soon know who the idiot is lol…. hahaha!
@Jose: Thank you for the COMPLIMENT Jose, and sure we will soon know who the hacker is, and then we will personally tell him WELL DONE while he goes to celebrate his new year 2009 in the beautiful structures of the police station among very well-mannered men in uniform who will narrate poems to the hacker.
@Yashvin: I did some research about that SQL injection and read more about it when you told me about this yesterday. For sure this was a very serious weakness of the script itself. Hope all steps have been taken to prevent any such CRACKER attack in the future.
Cracker….. seems the best word for the guy/girl who did that, as calling him a hacker would be like insulting the real word and art.
I agree with Avish..stop calling the piece of #$%* hacker…
A hacker is a genius and his work is flawless…also a hacker has some dignity and will not stoop to low acts and foul language….
Hackers do not harm others.. well.. the good hackers 😛
He should be called some of the names he himself used when chatting with you Yashvin.. it suits him better…
but one thing is sure… Mauritians are making progress, but like a fool, since he did everything so that he could be traced… 😛
I'm sitting back and watching the tamasa (show)… Very interesting… 😛
ya we support u…
nice blog u have…
If the newspaper had nothing to do with the hacking of that site then they shouldn't have deleted the article (Tamasa.mu was hacked) on their forum!
A lame method again used by them!
HNY! [happy new year] I'm tired of saying it, at least here I can copy-paste 😀 best wishes… don't blame me if you see this message again on other blogs 😛
Stop using the word ‘hacker’, use ‘cracker’ instead.
The hacker’s still at large and the morons are still crying?? Hahahahaah.. Wait for the next hack you big-ass bitches. That’s all you can do anyway. Unless your mommies make a deal with him to let you off the hook. 😉
Well, that person if sued in Mauritius will obviously be found guilty based on the Computer Misuse and Cyber-Crime Act 2003 and ICT Act 2001. But I do not know on which parts though 😛
this can also be a case of harassment. Has the case already been reported?
@Joyshan: Yep, already reported…
Crime doesn't pay. His goose is cooked.
LOL. Yeah, quite a tamasa (show)!
What’s happening with the police case? Any news on that channel?
Not yet, the police haven't contacted me yet for more info.
From firstname.lastname@example.org Sun Dec 28 21:57:20 2008
Authentication-Results: mta106.mail.ird.yahoo.com from=gmail.com; domainkeys=neutral (no sig)
Received: from 188.8.131.52 (EHLO fwd2.hosts.co.uk) (184.108.40.206) by mta106.mail.ird.yahoo.com with SMTP; Sun, 28 Dec 2008 21:21:16 +0000
Received: from [220.127.116.11] (helo=web7.hsphere.us) by fwd2.hosts.co.uk with esmtp (Exim 4.66) (envelope-from ) id 1LH34W-0001J1-MC for email@example.com (not disclosed); Sun, 28 Dec 2008 21:21:16 +0000
Received: from web7.hsphere.us (web7 [127.0.0.1]) by web7.hsphere.us (8.13.1/8.13.1) with ESMTP id mBSLvK0u006681 for ; Sun, 28 Dec 2008 15:57:20 -0600
Received: (from httpd@localhost) by web7.hsphere.us (8.13.1/8.13.1/Submit) id mBSLvKjV006678; Sun, 28 Dec 2008 15:57:20 -0600
Date: Sun, 28 Dec 2008 15:57:20 -0600
To: firstname.lastname@example.org (not disclosed)
Subject: New petites annonces website!
From: email@example.com
This was an email that we received on our server, and it is related to the blog here.
I had a quick look at one of the sources to trace him back on our server, and he also sometimes uses another gmail account, called (sorry for the language):
firstname.lastname@example.org; he also uses email@example.com – The hacker may recognise himself here.
That guy is known to have hacked into several Yahoo email addresses, and as he sent that email to firstname.lastname@example.org, an email address not easily obtained and belonging to us, which was in his email database at work, I can say he works for a newspaper, but I do not want to mention any name here.
The last time he tried to hack into an email address of ours, we sent him a bullet back, which we think he has not learned from.
I can say he is not a hacker but a complete idiot who works for an idiot newspaper.
From email@example.com Tue Sep 23 12:18:49 2008
Authentication-Results: mta167.mail.ukl.yahoo.com from=tamasa.mu; domainkeys=neutral (no sig)
Received: from 18.104.22.168 (EHLO fwd2.hosts.co.uk) (22.214.171.124) by mta167.mail.ukl.yahoo.com with SMTP; Tue, 23 Sep 2008 11:55:22 +0000
Received: from [126.96.36.199] (helo=web7.hsphere.us) by fwd2.hosts.co.uk with esmtp (Exim 4.66) (envelope-from ) id 1Ki6UE-0003tx-MF for firstname.lastname@example.org (not disclosed); Tue, 23 Sep 2008 12:55:22 +0100
Received: from web7.hsphere.us (web7 [127.0.0.1]) by web7.hsphere.us (8.13.1/8.13.1) with ESMTP id m8NCInRJ006913 for ; Tue, 23 Sep 2008 07:18:49 -0500
Received: (from httpd@localhost) by web7.hsphere.us (8.13.1/8.13.1/Submit) id m8NCInBc006912; Tue, 23 Sep 2008 07:18:49 -0500
Date: Tue, 23 Sep 2008 07:18:49 -0500
From: email@example.com
The email content was only: test
Was it a genuine message from tamasa.mu??? I do not think so.
No, it is again someone who wants to play with Mauritian bloggers…
I will get in touch with you today by mail for more details…
Hey Mike Steven Young.. I’ve got something for you.. Take that email and stuff it in your ass! You think you were hacked by a kid?? Even if we were kids, you’d never have been able to stop us.. because we’re much more intelligent than a faggot like you! Remember… you can run, but you cannot hide… we’re watching you…
Owned big-time! 🙂
Yes Keshav you are very very intelligent and you are so clever and know everything from A to Z on hacking, that's why you will never be caught???? Hahahahahahaa
esh is part of your name isn’t it?? and how is your friend in Woolwich doing ???? There is also a friend of yours in big shit this week!!!!!
Why you need to watch us when you are more intelligent?
We do not hide like you do.
We’ll soon find out who’s in big, big shit. 😉
The Intelligent Guy is becoming more and more intelligent now. Yes one of the best we have seen in the whole world. Glory to him? Hahahahhahahaah
Just passing by from Afrigator, nice tracking lolz!!
Anyways, might be the guy is just in a cyber café or a university computer room.. which is why he didn't bother hiding the IP!! ..
oh yeah remembered the time now.. it was at night.. so no univs..
probably a cyber café … or some internet hotspot.. definitely untraceable.. :S
Would be really nice to know who it is though.. since I am also a Mauritian blogger. What measures can be taken to prevent those attacks???
@ashfaq: Welcome here! I have already added you to my feeds.
As for the hacker, it can't have been a cyber café since the attack was made at 3 am.
How to prevent attacks?
I would advise everyone to google for the known vulnerabilities of the system you use.
It's a wise way to learn where the weak points are and, if you can, eliminate them.
Thanks for ur visit.