Sunday, December 28, 2008

accesskenya webmail site hacked


The Accesskenya webmail site appears to have been hacked since 26 December. A snapshot is included here, but the question is: was the box rooted? If you check another of their sites, openview.co.ke, it also appears to have been defaced.

Lisa

3 comments:

fyodor said...

Nice! Time to have these lazy admins wake up!

lisa said...

Yes, it looks like the hacker had remote shell access to the box. These are some of the commands he sent me:

ifconfig

eth0 Link encap:Ethernet HWaddr 00:15:60:57:37:73
inet addr:196.200.20.252 Bcast:196.200.20.255 Mask:255.255.255.248
inet6 addr: fe80::215:60ff:fe57:3773/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1571912 errors:0 dropped:0 overruns:0 frame:0
TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:127809252 (121.8 MiB) TX bytes:18290 (17.8 KiB)
Interrupt:209

eth1 Link encap:Ethernet HWaddr 00:15:60:57:37:72
inet addr:196.200.16.222 Bcast:196.200.16.255 Mask:255.255.255.0
inet6 addr: fe80::215:60ff:fe57:3772/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:40623976 errors:0 dropped:0 overruns:0 frame:0
TX packets:47127731 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3141988518 (2.9 GiB) TX bytes:4105894868 (3.8 GiB)
Interrupt:217

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:534196 errors:0 dropped:0 overruns:0 frame:0
TX packets:534196 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:463772748 (442.2 MiB) TX bytes:463772748 (442.2 MiB)


uname -a

Linux mirror.accesskenya.com 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

chukjonia said...

Most admins don't even look into how the box was rooted; they just reach for the backup site pages and reload them again.
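The comment above is the point a first responder should act on before anyone reloads the backup: capture the live state of the box first, or the evidence of how it was rooted goes with the restore. The script below is an added example written for this page, not code from the post or from any of the commenters. It assumes it is run as root on a Linux host, that the output directory and the list of directories to scan (web roots, /etc, wherever the defaced pages live) are chosen by the operator, and it calls only standard tools (uname, ifconfig/ip, netstat/ss, ps, last, w, find, sha256sum); a tool that is missing is recorded rather than treated as fatal.

```shell
#!/bin/sh
# Volatile-state capture for a box suspected of being rooted.
# Added example (not from the post or its commenters): run as root on the
# live host BEFORE reloading pages from backup, so that what the intruder
# left behind (listeners, processes, cron entries, SUID files, recently
# modified files) is preserved even if the restore wipes it.
# Each step is best-effort: a missing tool is recorded, not fatal.

# capture NAME CMD [ARGS...] -> save CMD's output as $OUT/NAME.txt
capture() {
    name=$1
    shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUT/$name.txt" 2>&1 || true
    else
        echo "tool not found: $1" > "$OUT/$name.txt"
    fi
}

# triage OUTDIR [ROOT ...] -> collect evidence under OUTDIR, scanning each
# ROOT (web roots, /etc, ...; the list is an assumption, adjust per host)
# for recently modified and SUID files. Prints the number of artefacts.
triage() {
    OUT=$1
    shift
    mkdir -p "$OUT" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ > "$OUT/collected_at.txt"
    capture uname        uname -a
    capture ifconfig     ifconfig -a
    capture ip_addr      ip addr
    capture listeners    netstat -tulpn
    capture ss_listeners ss -tulpn
    capture processes    ps auxww
    capture logins       last -a
    capture who          w
    capture crontabs     ls -la /etc/cron.d /var/spool/cron
    for root in "$@"; do
        [ -d "$root" ] || continue
        tag=$(printf '%s' "$root" | tr '/' '_')
        # files changed in the last 7 days: candidate defacement/backdoor drops
        find "$root" -xdev -type f -mtime -7 \
            -printf '%TY-%Tm-%Td %TT %u %m %p\n' \
            > "$OUT/recent$tag.txt" 2>/dev/null || true
        # SUID binaries: a classic privilege-retention spot on a rooted box
        find "$root" -xdev -type f -perm -4000 -printf '%u %m %p\n' \
            > "$OUT/suid$tag.txt" 2>/dev/null || true
    done
    # Hash the collection so later tampering with the evidence is detectable.
    (cd "$OUT" && ls | grep -v '^SHA256SUMS$' | xargs sha256sum) \
        > "$OUT/SHA256SUMS" 2>/dev/null || true
    ls "$OUT" | wc -l | tr -d ' '
}

# Usage: triage /root/evidence-$(date +%Y%m%d) /var/www /etc
```

Two caveats. If the box really is rooted, the ps, netstat and ls on it may have been replaced and will lie; run the collection from a static, known-good toolkit on read-only media where you can, and treat the output as a starting point rather than proof of a clean system. And copy the evidence directory off the host (the SHA256SUMS file lets you verify the copy) before the box is rebuilt.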