Phony Order Faxed to Registrar Leads to Metasploit Defacement

Metasploit creator HD Moore confirms that a spoofed fax order sent to its registrar led to the defacement of the Metasploit and Rapid7 homepages.

A pro-Palestine hacker collective went old-school in its takedown of the Metasploit and Rapid7 websites today.

Metasploit creator and HD Moore confirmed via Twitter that was hacked via a spoofed DNS change request sent via fax to its registrar,

“Hacking like it’s 1964,” Moore tweeted a short time ago.

The hacking group known as KDMS hijacked DNS records and replaced the two sites’ respective homepages with a note claiming responsibility for this attack and similar hacks against other security companies.

“You are one of our targets,” the group wrote. “Therefore, we are here.” The group also left a politically charged statement regarding Palestine liberation.

The DNS hijacking attack was resolved within an hour, Moore said.

“We have taken action to address the issue and both sites are now locked down,” Rapid7 said in a statement. “We apologize for the service disruption, and do not anticipate any further implications for our users and customers at this time. We will keep everyone posted as we learn more, and let the community know if any action is needed.”

Moore cautioned in a another set of Twitter messages that this group has the ability to change any domain registered with He also confirmed the Metasploit and Rapid7 DNS settings temporarily pointed to 74[.]53[.]46[.]114.

Earlier this week, KDMS claimed responsibility for a similar attack on another registrar Network Solutions. The group was able to change the DNS records managed by Network Solutions for a number of security companies and redirect traffic to a hacker-controlled domain.

Leaseweb, a large hosting provider, disclosed on Monday that it detected malicious activity on its network and hackers managed to redirect traffic from to another domain its DNS records were changed.

“No internal systems were compromised,” Leaseweb wrote on its blog on Monday. “One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack.”

Initially, it was believed the Leaseweb hack was related to an exploit of a WHMcs vulnerability, but Leaseweb said that was not the case.

“Right now, it appears the hijackers obtained the domain administrator password and used that information to access the registrar,” Leaseweb said.

This article was updated at 11 a.m. ET with a statement from Rapid7.

Suggested articles