Slashdot Mirror


Themes.org Cracked

sammoth writes: "themes.org was hacked [CT:Cracked] and replaced with a rather vulgar logo. The intruder makes some bold statements about the security, or lack thereof, on several sites." Of course I'm still in Tokyo right now, so your guess about what's happening is just as good as mine. And 5000ms ping times to the U.S. East Coast sure make posting this story tricky ;) Apparently the cracker managed to get into SourceForge and Apache.org too ... and he posted user accounts and passwords on t.o along with a rant that I haven't seen. Update: 05/31 02:40 PM by T : Here's an informative explanation on apache.org of the break-in on that site.

220 comments

  1. Re:Interesting by Anonymous Coward · · Score: 1

    >Attrition is dead. Maybe /. could become the new home for orphaned defacements.

    Slashdot IS an orphaned defacement.

  2. Re:the rant that CmdrTaco mentioned .... by Anonymous Coward · · Score: 1

    X is forwarded by default via SSH on several Linux distributions. If this is the case then, once the remote server is compromised, any command can be executed on the client machine by the compromised server.

    If you disable X forwarding by default (edit /etc/ssh/ssh_config) then if you just log in to a compromised remote server no command may be executed on your client, but if you want to forward X you will need to use the explicit option -X

    ssh -X user@host.name
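
To check which hosts still get X11 or agent forwarding once the system-wide default in /etc/ssh/ssh_config is overridden, the following added example (not part of the original comment) resolves the effective client setting the way ssh_config does: the first value obtained for an option wins, and the per-user file is read before the system-wide one. The two config texts and all host names are constructed samples; `Match` and `Include` are deliberately not evaluated.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: a distribution-style system-wide client config that
# turns X11 forwarding on for every host.
SYSTEM_CONFIG = """\
# /etc/ssh/ssh_config (constructed sample)
Host *
    ForwardX11 yes
    ForwardAgent no
"""

# Constructed sample: a per-user config that opts in for one host and tries
# to switch forwarding off everywhere else, but leaves a gap.
USER_CONFIG = """\
# ~/.ssh/config (constructed sample)
Host build.internal.example
    ForwardX11 yes

Host * !*.internal.example
    ForwardX11=no
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def host_matches(patterns, host):
    """A Host line applies when a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            positive = True
    return positive


def effective(option, host, configs, cli_value=None):
    """Return (value, origin) for `option` when connecting to `host`.

    `configs` is a list of (name, text) in the order ssh reads them:
    per-user file first, then the system-wide file.
    """
    if cli_value is not None:          # e.g. -X or -o ForwardX11=no
        return cli_value, "command line"
    option = option.lower()
    for name, text in configs:
        active = True                  # lines before the first Host apply to all hosts
        for lineno, raw in enumerate(text.splitlines(), 1):
            if raw.lstrip().startswith("#"):
                continue
            m = _LINE.match(raw)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip('"')
            if key == "host":
                active = host_matches(value.split(), host)
            elif key == "match":
                active = False         # not evaluated in this example
            elif active and key == option:
                return value.lower(), f"{name}:{lineno}"
    return None, "built-in default"


def forwarding_enabled(hosts, configs, options=("ForwardX11", "ForwardAgent")):
    """List (host, option, origin) for every forwarding option that resolves to yes."""
    hits = []
    for host in hosts:
        for opt in options:
            value, origin = effective(opt, host, configs)
            if value == "yes":
                hits.append((host, opt, origin))
    return hits


if __name__ == "__main__":
    cfgs = [("~/.ssh/config", USER_CONFIG), ("/etc/ssh/ssh_config", SYSTEM_CONFIG)]
    for hit in forwarding_enabled(
        ["www.example.org", "build.internal.example", "db.internal.example"], cfgs
    ):
        print("forwarding on: %s %s (set at %s)" % hit)
```

In the sample, `db.internal.example` is excluded from the user's `ForwardX11=no` block by the negated pattern, so it falls through to the system-wide `yes`. On OpenSSH 6.8 and later, `ssh -G hostname` prints the effective client configuration directly.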

  3. Why not Microsoft? by Anonymous Coward · · Score: 1

    I'd like to know why microsoft.com hasn't been cracked or DDoSed yet. After all, it's official that everyone, especially the geeks capable of such cracks, hate Microsoft. You'd think it would get attacked every day.

    1. Re:Why not Microsoft? by Anonymous Coward · · Score: 1

      That's because Microsoft use linux servers.

    2. Re:Why not Microsoft? by Ctrl-Alt-Del · · Score: 1

      And SourceForge/Apache.org/OSDN all use IIS. No wonder they get hacked :-)

      --
      "Life is like a sewer - what you get out of it depends on what you put into it" - Tom Lehrer
    3. Re:Why not Microsoft? by gumbo · · Score: 1
      >I'd like to know why microsoft.com hasn't been cracked or DDoSed yet. After all, it's official that everyone, especially the geeks capable of such cracks, hate Microsoft. You'd think it would get attacked every day.

      1. Several microsoft.com.?? sites have been cracked; their main sites in other countries. (Yes, by "other" I mean non-US...) Check the Attrition archives for the details. I think it's up to about 8 different cracks of non-US Microsoft sites.

      2. I'm sure Microsoft does get attacked daily.

      3. It's really not that hard to keep things secure, especially if you've got the money to have many sets of eyes checking over every change. (Or maybe they don't, 'cause how else can you explain their DNS fiasco of a few months ago...)

      Gumbo

    4. Re:Why not Microsoft? by Courier · · Score: 1

      Who's to say they haven't been?

      Considering that it's common agreement between geeks that the truly good crackers don't deface. Defacement is the act of stupid criminals. Or a very smart one but generally only the stupid kind does it. It brings too much attention.

      If a really good cracker cracked MS I don't think he/she would tell anyone but trusted friends. There's a gold mine of info and stuff if you can crack MS's network.

    5. Re:Why not Microsoft? by bondjamesbond · · Score: 1

      uh HUMMM. let_me_clear_my_throat!! it would seem, of course, that the crackers are inDEED owned by micro$oft. isn't it obvious? only open-source related sites would be targeted by m$ employees (employed directly or paid by Igor on the corner).

    6. Re:Why not Microsoft? by vrmlknight · · Score: 1
      hey maybe they do get attacked a lot... but a dos attack from a couple of cable modem users is tough to take down a web site being hosted on a fairly fast line... i think a few ds3 lines, maybe an oc3 line, i'm not sure so don't quote me, and i hate to say it but you can create a secure environment even with NT4.0 or win2k if you have people that know what they're doing. as we have seen even a 'secure' os like linux can be hacked if it is set up and something is left open

      but back to the point M$ gets attacked but they just happen to be fairly good at setting up a firewall

      --
      This must be Thursday, I never could get the hang of Thursdays.
    7. Re:Why not Microsoft? by Ayende+Rahien · · Score: 1

      You do realize that MS.COM is one of the busiest sites in the world, don't you?
      I doubt that even a couple of oc3 lines dedicated to this can DoS it.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    8. Re:Why not Microsoft? by Ayende+Rahien · · Score: 1

      Several *.microsoft.com sites have been hacked, most in non-US countries.

      It was down for about a day because of a big DNS screw up.

      www.microsoft.com was never hacked, or down for any other reason.

      MS is evidently better at securing their OS & employees than VA Linux is. Especially considering that MS is about the highest profile target around. And VA Linux's sites aren't.

      --
      Two witches watched two watches.
      Which witch watched which watch?
    9. Re:Why not Microsoft? by Ayende+Rahien · · Score: 1

      About (2), I think it says something about that no one has succeeded in hacking MS.com. I would certainly rather have *their* security team than VA's one.

      About (3), MS has no need to have many sets of eyes check every change.
      All they have to do is to mandate the bug-fixers to send the patches to the admins ASAP.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  4. Re:the rant that CmdrTaco mentioned .... by Anonymous Coward · · Score: 1

    fluffy@#blackpanthers

    I know this guy. I remain anonymous to avoid being nailed.

    Do you think this guy has something related to the author of Fluffy the PK Chicken? Well, I didn't say he IS the guy, you choose what to believe.

    The game was distributed with a trojan, and I got a copy from his site and infected - it was a fun game to play anyway.

    It was a shame; it's such a great game...and I think the Digital Tome who hired him may not realize he used the game to distribute trojan.

  5. Duh by Anonymous Coward · · Score: 1

    The other end is an SSH server, so he replaced that with something very trivial to maybe just log the decrypted passwords to a file. All in all, the weak link here was the stupid ISP. If a hacker compromises SSH then it's a rollercoaster ride since your passwords are out in the open.

    Maybe it's time for tripwire?

  6. Yet another mouth-breathing kiddie by Anonymous Coward · · Score: 1
    Is there validity to his claim....

    Let's see: Illiterate, anonymous script kiddie who's figured out how to sniff for passwords and how to talk big on Web forums. I know I'd believe him implicitly. Wouldn't you?

    And if you do, I'll be glad to spin for you a few tall tales of my own.

  7. Re:Out come the Wolves... by Anonymous Coward · · Score: 1

    Funny, according to http://www.netcraft.com/survey/, the sites are listed as follows...

    Top 50 most requested sites in percentages: IIS 20.64%, Apache 62.55%

    Market share for top servers, all domains: Apache 65% (approx), IIS 25% (approx)

    Maybe I'm reading this wrong; if so, please let me know. I mean, with the top 50 sites running Apache 62% of the time, one would think that Apache is the general standard. Thanks

  8. Re:Jail time by Anonymous Coward · · Score: 1

    get a new sig dammit! you're making me waste my mod points.

  9. Re:Jail time by Anonymous Coward · · Score: 1

    the -redundant- was mine. But then I posted without logging out, b/c I felt bad about it (and thus undid the moderation)

    had I read your reply before my last set of points on that account expired, I wouldn't have felt so bad. Anyway I'll probably have some more this week; for some reason I get them almost every friday(?) which means I only have a few hours to use them (I have better things to do on weekends than slashdot)

    Anyway I like sigs, in general, and thus don't want to eliminate all of them. However, your sig and a few others annoy me to no end.

  10. old Apache server on Themes.org by Anonymous Coward · · Score: 2

    It looks like they were running 1.3.12 on Linux. I believe that is an old edition.
    link

  11. monitoring by vipw · · Score: 1

    these sites were 0wned because of passwords collected by a trojanned ssh client. mandatory access control lists can keep things like that from happening, but then you're dependent on the system you're using to be secure enough to type your password on. once an admin password is found it is often trivial to revert the state of such monitoring applications and control the machine with the full privileges that the administrator with the stolen password would have.

    monitoring what actually happens on the servers is the only sure way to make sure nothing is misused. real-time tools like cylantsecure that output information based on what actually happens on the machine will let you see whether everything that the administrator does is legit. it's sorta like if you straced all the activity of the system you would actually have the data to know if an administrator logged in and trojanned services, however, there's too much to monitor by hand so i would recommend a tool based on measurement of the system's execution.

    currently, to really go all out monitoring you'd have a team of admins that watch every time a file is modified and every time a process is run or opens a port, or changes permission levels, but there's way too much data to handle and it's far too expensive to have such a trained team. right now you just install the tools you need and pray for the best, and have enough constant data so you can tell when something gets fucked up.

  12. Re:I'm more worried about the precompiled binarys by The+Man · · Score: 1

    So what? People who use binaries get what they deserve. I don't really understand why binaries of Free Software are even offered. When they are, they are generally offered as an unsupported convenience option only for those who might be lacking a compiler or the intelligence to read the README and build the thing.

  13. "What do you if you're owned" by DaveTerrell · · Score: 3

    Rule #1: Unplug the ethernet cable, not the power. It's hard to do a post-mortem if your filesystem is crashed.

    Rule #2: don't give any indication that you're aware the box has been rooted before you engage rule #1.

    Rule #3: Don't trust anything that might have gone through that box for a reasonable period of time. Re-password, check other machines, reinstall software, etc. Good luck.

    Rule #4: Run OpenBSD and don't get rooted. :)

    1. Re:"What do you if you're owned" by Xofer+D · · Score: 5

      I think this would be a good time to link to The Linux Security HOWTO: What to Do During and After a Breakin, as well as of course the Linux Security HOWTO itself. Don't just read it. Implement it.

      --
      The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  14. Re:The rant by KmArT · · Score: 1

    Since VALinux is involved, it might also explain why anonymous ftp to ftp.valinux.com isn't working either...

  15. Evil Overlord List, item #401 by XPulga · · Score: 5

    Whenever a site gets cracked, post an article on slashdot about it (even if you're half globe away with 5000 ms ping delay) so they get slashdotted too.

  16. Re:Mmm.... Infowar. by Christopher+Craig · · Score: 2
    "Four years without a remote hole in the default install"

    What do you think the chances are that what dudle is doing with Debian will work automatically with the default install of OpenBSD? IIRC the default install runs the following list of services: inetd. I think most people probably want more services running on their server than that. Also the problem with sourceforge (and probably t.o too, I haven't looked) was bad password/shared password with another system/password transmitted cleartext, which BSD certainly won't fix.

    The original author was not stating that BSD wasn't more secure out of the box than Debian; he was saying that their security was similar enough that having a competent admin on a Debian server is more secure than an incompetent admin on a BSD server running the same services. OpenBSD may well be the most secure Unix on the face of the earth, but no system is so secure that it solves ignorance.

  17. Re:sigh by BadlandZ · · Score: 1

    Hi, any pointers to this "forensic analysis floppy"? I happen to have a recently hacked drive... :-( And it's not a very cool coaster.

  18. Re:Rewarding the Hacker? by !Xabbu · · Score: 1
    "While it is nice to know that the site got hacked, aren't we rewarding the hacker by posting all the info in a public forum?"

    YES!

    By rewarding the hacker and putting a little more egg on the faces of both the site owners and the authors of the software (I'm generalizing here) you are essentially forcing them to fix it.

    This is what makes the software world go round. Both MS type monopolies and the 'little' guys like VA, apache and Themes.org

    We as users and them as providers are better off in the long run because of it.



    - Xabbu - Sysop: clockworkorangebbs.org
    - Tradewars - LoRD - FidoNet and much more!

    --

    - Jimbob
  19. Re:Apache.org's announcement by fizbin · · Score: 1

    Well, at least someone is doing their job properly

    Yes, but someone else clearly wasn't. What on earth was anyone doing running OpenSSH 2.2 in the middle of May? Were they doing something else so as to eliminate the known remote root exploit prior to OpenSSH 2.3.0? (said exploit having been discovered in February) If not, then they were almost asking for trouble.

    This is the part that puzzles me. I'm having trouble reconciling the use of such good security practices (nightly audits that are more than just window dressing) with making the almost newbie mistake of not updating known vulnerable software. What happened here?

  20. Re:the rant that CmdrTaco mentioned .... by sheldon · · Score: 1

    I wonder if there is any way to confirm what this guy is claiming?

    Did he seriously have full access to these systems for the past 5 months?

  21. Re:Rewarding the Hacker? by sheldon · · Score: 2

    I don't know what is the best answer to this.

    I kind of wondered if this wasn't in part why attrition.org finally shut down. While they were helping to publicize problems, they also sort of encouraged the problems by giving them publicity.

  22. Re:Out come the Wolves... by sheldon · · Score: 2

    I doubt Microsoft even cares...

    But on a positive note, at least it will keep the Linux zealots quiet for a week or two about how superior they think Open Source is.

  23. Re:Out come the Wolves... by sheldon · · Score: 2

    Well of course you choose the statistics to fit the argument.

    My point was essentially, what offers a juicier target to most hackers? Little known "Hi my name is Joe" sites, or various commercial ops?

    As such in the grand scheme of things, there are far more IIS websites running commercial ops than there are Apache, so it makes sense they would be a more likely target.

    It all depends on so many factors. I also suspect the script kiddies tend to be more familiar with Windows.

  24. Re:netcraft by sheldon · · Score: 2

    Yes it is interesting...

    Notice how I said SSL survey?

    You missed that part, didn't you?

  25. Re:Apache.org's announcement by sheldon · · Score: 2

    You don't think Microsoft performs offsite backups?

  26. Re:Out come the Wolves... by sheldon · · Score: 2

    The point I made was that the higher percentage of SSL enabled IIS sites provided a much more attractive attack target.

    Calling the point irrelevant has no bearing on the discussion. It may be irrelevant to you but that is only because you are either incapable or unwilling to understand the point.

  27. Re:Out come the Wolves... by sheldon · · Score: 2

    Yes a large number of sites have been defaced in the past couple of months due to the worms on Linux and Solaris.

    Honestly I think this discussion is rather pointless in this forum. We're not talking about the quality of software, but rather sociological issues. The typical /. geek seems to be incapable of understanding such issues.

  28. Re:Out come the Wolves... by sheldon · · Score: 2

    As I pointed out numerous posts ago, financial motivation is only one small part of it.

    The primary goal to defacements is to have it noticed. Clearly "Hi my name is Bob" website which is likely unvisited and unmaintained is not going to get much notice.

    Defacing a commercial website which obtains many hits does get noticed. The vast majority of these use SSL.

    In the past several months there have been a number of worms in the Linux and Solaris worlds which have gone through and defaced probably thousands of websites. Now in these cases, the worm is non-discriminatory and attacks whatever it finds is open. In this situation, your understanding is correct.

    As far as implying you're stupid, I have no need to do that. You keep responding.

  29. Re:Out come the Wolves... by sheldon · · Score: 3

    Well I'm not sure what you mean by small percentage.

    Microsoft has around 50% of the commercial web server space according to the Netcraft SSL survey. That's a fairly large chunk considering the next competitor is Apache with 30%.

    Apache is certainly used for a lot of hosted web sites... you know the routine "Hi my name is Joe and this is my website!"

    Now one could probably argue that it's easier to knock off the small websites. After all they probably aren't maintained frequently.

    But on the other hand, they also aren't accessed frequently so who would notice?

    Much more fun to hit the high profile sites. Especially if there are some juicy credit card numbers to be had because of poor site design.

  30. Re:Slashdot under attack as well? by dattaway · · Score: 2

    Bill Gates arrested? Never...

  31. Re:All OSes are insecure... by johnnyb · · Score: 3

    The difference is that on the Internet people seem to be much more willing to do bad things. Therefore, you have to be totally up on security. Let's look at it from this perspective:

    In other areas of life, security isn't that big of a deal. It's easy to break into cars, it's easy to break into stores. I can deface just about any building in town if I wanted to. However, fewer people consider this allowable behavior, so you don't need the same kind of security to prevent this.

    In the same way, you could probably murder entire buildings worth of people simply by putting dangerous chemicals in their air-conditioning system, because most air-conditioning systems aren't well-guarded at all. However, most people have more of a respect for life than that. On the internet, there isn't much respect for anything. So, you can either accept that you're going to get hacked, or spend all day keeping up with updates.

  32. Re:Interesting by devin · · Score: 3

    This might be it.

  33. All OSes are insecure... by jim68000 · · Score: 1

    ...because that way we need to hire more sysadmins.

    How many times have I seen a standard response to a hack story on Slashdot that goes something on the lines of: it's easy to secure a box, you spend all day reading bugtraq and then all night reading through the source for insecure constructs.

    That's not to single out Linux (even the *BSDs are only secure if you set them up right).

    The Open Source model provides a much better response to exploits than closed source - once an exploit is found there's usually a patch in short order. But that rarely stops the original intrusion and relies on the aforementioned Bugtraq watching.

    --
    -- need more time?
    1. Re:All OSes are insecure... by ellem · · Score: 1

      And if you're unlucky enough to be in a mixed environment (read, me) you have to deal with IIS, Apache, Windows, Red Hat, WS-FTP and whatever else has a zillion holes in it... AND you have to deal with all the crap mentioned above.

      It's a lot of work.

      Hire someone you say? Shit, they don't even want to pay me! The way they see it I cost them money!
      --
      This .sig is fake but accurate.
    2. Re:All OSes are insecure... by WildBeast · · Score: 2

      well some system admins are damn busy with meetings, assisting users, setting up phone lines, buying hardware and software, administrative tasks, etc.
      So instead of saying that they're incompetent, consider the fact that they may be busy doing other unrelated tasks.

  34. Re:Interesting by PD · · Score: 3

    Attrition is dead. Maybe /. could become the new home for orphaned defacements.

  35. Re:The rant by CodeMonky · · Score: 1

    I think he is talking about his supposed hack of akamai. That code is proprietary (their special sauce or whatever they call it when you try and ask them how it works) and the life blood of that company.

    --
    --"Karma is justice without the satisfaction"
  36. Some ideas for securing a public access Linux by Ex+Machina · · Score: 3
    Check out how I "secure" my network. It's not perfect but it's relatively easy to implement. http://while1.org/security.shtml and now I post the whole thing to karma whore! :)

    We try to keep While(1).org fairly secure. Here is a general overview of our security process. It should be helpful for many novice UNIX admins.
    • Operating System: Although OpenBSD is generally regarded as the best Freenix in terms of security, GNU/Linux is under more active development, faster, more user friendly and supports far more software packages and types of hardware than OpenBSD (sorry Theo, much respect...). I, along with most of the other admins and users are more familiar with a GNU environment. The distribution we use is Debian. I chose Debian for several reasons: free (libre and gratis), strong package system and reliability. It hasn't let me down. I do prefer Slackware on my personal box, since the -current tree is more stable than Debian's unstable. However, Debian's package system is nicer and provides many things that Slackware lacks (I may abandon Slackware as soon as Debian supports XF4 and kernel 2.4 by default in stable). Debian also keeps up to date on security issues.
    • Kernel: We now run a Linux 2.4 kernel. Although most security tools/patches are 2.2 only, the mature (READ: usable) ones have been ported to kernel 2.4. I'm confident that more will follow. 2.2 is dead. We have disabled modules entirely in our kernel to prevent hax0ring and to avoid using modules (does anyone else hate them?). We only have a few drivers enabled. Besides helping performance, this protects against hostile code injection into the kernel. It is possible for a clever coder to inject code into a non-modular kernel, but most rootkits use kernel modules. Not allowing kernel modules and using 2.4, prevents us from using some really cool security tools like LOMAC. However, I found that LOMAC did not play nicely with OpenWall's Secure Linux patch (or cron, or init or getty ...). When Lomac behaves nicer, it will be added (I'd also like to see it as a patch rather than a module). Currently, we are using the GetRewted.net patch which provides lots of security enhancements. We may be adding more secure kernel additions such as the NSA's Security Enhanced Linux. However, at this time, we feel that the current kernel security model is both secure and usable. If you have any neat kernel goodies we might like, tell us.
    • Firewall: Note that we are NOT running any sort of real firewall. We feel that the extra kernel overhead of the firewall hurts performance and adds needless complexity to the server. Since we are NOT trusting local (ie: users with shell access) anyway, we feel that a firewall is basically useless since Linux's TCP/IP stack is already fault-tolerant, mature and robust. We augmented the TCP/IP stack with this shell script to limit our vulnerability to DoS attacks. Firewalling services should not be needed if your services are secure (run with minimal privileges and SECURE by design and configuration). Eventually we may drop an OpenBSD or Linux 2.4 firewall in front of the server as a measure for restricting local users' ability to portscan, DoS and exploit remote hosts.
    • Authentication / Login: Remote interactive sessions are only supported over ssh (and we run OpenSSH). Telnet is not allowed. Rhosts authentication is not allowed. I've looked at forcing people to use S/Keys, but it is a real pain in the ass on both ends. We are currently allowing FTP in. When I'm confident that all the users can get a good graphical scp/sftp client for their platform, I'll kill FTP. Since I'm not relying on trusting local users anyway, this is more a security concern for individual users. I'm considering locking some users who don't use their shells out of real shell access.
    • Users: I only make accounts for people I know personally. I also monitor user logins and their activity using whowatch and process accounting. I'm suspicious of logins from weird hosts. I also use PAM to set resource limits.
    • Monitoring: We watch out for network nastiness with Snort which is an AWESOME IDS. We monitor its logs and other system activity with Psionic's LogCheck. Occasionally, I'll audit the machines for weird ports using nmap and Nessus, both of which are REALLY nice. I'll also routinely verify system integrity using a combination of Tripwire and chkrootkit, on a system booted from a known CLEAN floppy containing the tools.

  37. Re:Rewarding the Hacker? by jonbrewer · · Score: 4

    Good lord, why not? Themes.org and Sourceforge aren't exactly conveying information of vital importance to anyone. Their cracking isn't going to affect the markets, political battles, holy wars, sickness, or starvation anywhere in the world.

    Why not reward the hacker by posting their conquest on Slashdot? Especially since they've proved their talent in such a benign way. And, of course, they've done the community a service by exposing vulnerable security holes... which will hopefully be patched before some site of actual significance is hacked, sending the world into economic depression.

    (I sure wish someone had cracked the Florida electoral system beforehand...)

  38. Re:Mmm.... Infowar. by Panaflex · · Score: 1

    I know a site that's never been hacked.

    The Vatican. Of course, they - like Amazon - use Alpha.

    Pan
    (Maybe that says something...)

    --
    I said no... but I missed and it came out yes.
  39. Re:Rewarding the Hacker? by Panaflex · · Score: 2

    I have to agree with you there. My background is in biometric authentication (of the non-weak variety).

    Cryptographic authentication does indeed improve security vastly. As long as the password / private key is SAFE then you will have no problems. The use of smart cards that include their own host processor is the way to go.

    Eliminating passwords would save the world a whole lot of grief, IMHO.

    Pan

    --
    I said no... but I missed and it came out yes.
  40. Re:isn't this just one crack! by Zico · · Score: 1

    Is it really apache.org's etc... fault if a trojan ssh on another isp's box was able to capture a password?

    I'd say it's apache.org's fault. The people with access should be running a local copy of ssh, rather than trusting an ISP's version of it. Not just because some hacker might compromise the ISP, but maybe the ISP has a nosy employee or is in competition with apache.org, and one of their own people decides to install a keystroke logger into their version of ssh.

    Along the same lines, they should also be connecting directly to apache.org's sshd, not to some sshd along the way and then think it's safe to ssh to apache.org. And naturally, their password for apache.org should be totally unique from any other passwords they're using. Then there's always going to be some people that you give access to who take shortcuts and don't follow the proper procedures, and you've got to deal with them somehow — because not too many people want to (or should) go around canning their own staff, but you have to make them realize how one seemingly little thing can screw things up for everybody else.

    There's a lot more to security than just making sure you're patched against the latest exploits, and yeah, it sucks and is a pain in the ass, but your incentive is to look at the tons of sites getting hacked these days and make a conscious decision that you'd rather deal with the pain than to be the next dotpoint on the great defaced sites mirror in the sky.


    Cheers,

  41. Re:Mmm.... Infowar. by Mullen · · Score: 2

    Amazon being 0wned?

    That's news to me, and I am in a group that would know.


    --
    Linux O Muerte!
  42. Re:Rewarding the Hacker? by HiThere · · Score: 2

    Do you believe him? Somebody cracked it, but why believe that it was this guy?
    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  43. Re:Someone should... by jekk · · Score: 2
    Me too.

    Consider this to be an official offer of bounty. Hack goatse.cx, post fluffy bunnies and a public key. I, for one, will contribute to whoever pulls it off. GO FOR IT!

    -- Michael Chermside

    PS: This offer is not actually intended to violate any laws.

  44. This is why 4.4BSD invented the immutable bit by bee · · Score: 4

    Breakins like this are why the immutable bit was introduced in 4.4BSD. If you set your important executables immutable (ls, ps, ssh, etc) then even if someone does root your box, they can't change those without taking the machine down to single-user mode and changing it there, which in most cases can't be done without physical console access. This trick works for logfiles too; an immutable logfile can be appended to but not deleted or rewritten.

    --
    At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
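
An audit for the technique in the comment above, as an added example that is not part of the original post: it reads the per-file flags on Linux, where the counterparts of the BSD flags are set with `chattr +i` (immutable) and `chattr +a` (append-only, the flag that gives the log-file behaviour described), and reports files that lack the flag a policy expects. The policy paths are constructed samples, and the ioctl number is the value for 64-bit Linux on x86-64 and aarch64, which is an assumption about the platform.

```python
import fcntl
import os
import struct

# Linux constants from <linux/fs.h>. FS_IOC_GETFLAGS is _IOR('f', 1, long);
# 0x80086601 is its value where long is 8 bytes (assumed platform).
FS_IOC_GETFLAGS = 0x80086601
FS_IMMUTABLE_FL = 0x00000010   # chattr +i
FS_APPEND_FL = 0x00000020      # chattr +a

FLAG_NAMES = {FS_IMMUTABLE_FL: "immutable", FS_APPEND_FL: "append-only"}

# Constructed sample policy: binaries an intruder would want to replace must
# be immutable, the authentication log must be append-only.
POLICY = {
    "/bin/ls": FS_IMMUTABLE_FL,
    "/bin/ps": FS_IMMUTABLE_FL,
    "/usr/bin/ssh": FS_IMMUTABLE_FL,
    "/var/log/auth.log": FS_APPEND_FL,
}


def read_flags(path):
    """Return the inode flag word for `path`, or None if it cannot be read
    (missing file, no permission, or a filesystem without flag support)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = bytearray(8)                      # kernel fills in a 4-byte int
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        return struct.unpack_from("i", buf)[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def flag_names(flags):
    """Human-readable names of the protective flags set in `flags`."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def audit(policy, reader=read_flags):
    """Return (path, problem) for every file that does not carry its required flag.

    `reader` is injectable so the check can be exercised without root or a
    flag-capable filesystem.
    """
    findings = []
    for path, required in policy.items():
        flags = reader(path)
        if flags is None:
            findings.append((path, "flags unreadable"))
        elif flags & required != required:
            findings.append((path, "missing " + FLAG_NAMES[required]))
    return findings


if __name__ == "__main__":
    for path, problem in audit(POLICY):
        print("%-20s %s" % (path, problem))
```

Run it from known-clean media if the host itself is in doubt. On Linux a root process holding CAP_LINUX_IMMUTABLE can clear these flags on a running system, so there the audit shows whether the flags are still in place rather than guaranteeing they could not have been removed.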
  45. the rant that CmdrTaco mentioned .... by McLaLa · · Score: 2
    This guy seems to have a little chip on his shoulder .... seems that he wants to get a little more notice than he got from the previous slashdot story on the exploits to the source forge networks. See for yourself

    The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.

    Well some of that is true, I mean I did trojan ssh but I did it about 5 months ago, so kudos to the admin you sir are awesome..

    "What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."

    hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it in front of the admin, by the way good job of auditing your network, wait that's just too much sarcasm for one sentence..

    After the attack, VA removed the shell service until workers could reinstall the software and data on the server.The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."

    It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..

    "In this case, they only got into a shell server," McGovern said.

    Hey, there's no disputing that, I mean.. wait.. What's this I'm defacing ?

    The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.

    Why would they shut down other boxes, if only the shell server was hacked ?

    Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.

    oh come now, you're just being silly..

    It's ok though, I don't blame you guys, I mean at least you admitted to being schooled, that's more than I can say for akamai, but that's a different story altogether.. But nevertheless, I'd like to thank valinux.. apache.. akamai and of course exodus without their poor security and refusal to make security breaches known to the public I wouldn't be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing off.. beep..

    -fluffy@#blackpanthers on efnet(the scourge of efnet)

    1. Re:the rant that CmdrTaco mentioned .... by QuantumG · · Score: 1

      he never claimed he could, his claim is that they cannot and in hacking their network he is demonstrating that his claim is true. ie. he is "schooling" them on the validity of his claim. I'm sorry but I sure hope no-one hires VA Linux's security team (if they even looked at the security of these systems).

      --
      How we know is more important than what we know.
    2. Re:the rant that CmdrTaco mentioned .... by QuantumG · · Score: 1

      get on irc and ask, he done told you where he hangs out.

      --
      How we know is more important than what we know.
    3. Re:the rant that CmdrTaco mentioned .... by QuantumG · · Score: 2

      oh yer, he was wrong. Don't misunderstand me, I don't condone his actions. But I don't condone VA Linux failing to notice backdoors for 5 months when they are supposed to have an expert security team.

      --
      How we know is more important than what we know.
    4. Re:the rant that CmdrTaco mentioned .... by matman · · Score: 1

      You're right that he never said he could... however, his message was a bit 'cocky'; that to me suggests he feels that he's in some way better than the admins. While it's true that the admins shouldn't have been connecting from un-trusted systems, the person who took advantage of that is still in the wrong.

    5. Re:the rant that CmdrTaco mentioned .... by matman · · Score: 1

      I'm curious as to the exact nature of the backdoors. Actual listening daemons, or modifications to existing daemons?

    6. Re:the rant that CmdrTaco mentioned .... by matman · · Score: 2

      These hax0rs don't seem to realize that it's many orders of magnitude more difficult (since it's impossible) to prevent a box from being compromised. To detect a successful breakin is also FAR FAR FAR more difficult than breaking into a system. I'd love to see this guy try to secure/admin sourceforge/apache/themes.org - he'd probably fail miserably and maybe see things from another point of view.

    7. Re:the rant that CmdrTaco mentioned .... by shunk · · Score: 2

      I understood the rant to mean that the ISP had been hacked for 5 months and someone logged in from that trojaned ssh client on the ISP to get the passwds for SF. Maybe I misread it, but I would tend to think that it would go un-noticed in an ISP way longer than it would go un-noticed at VA. Maybe I give VA too much credit

    8. Re:the rant that CmdrTaco mentioned .... by bellings · · Score: 2

      OK... I'm confused by the term "remote server" in this context. Just to be sure we're on the same page, I'll say that the X client is remote, the X server is local, the sshd server is remote, the ssh client is local.

      You're saying that if I use a local ssh client, with X forwarding turned on, to connect to an untrusted remote sshd server, then that untrusted remote server can connect an X client back to my X server, and through that X client can run arbitrary code on my X server?

      Damn. That sucks.

      Is this a theoretical attack, or is this real?

      --
      Slashdot is jumping the shark. I'm just driving the boat.
    9. Re:the rant that CmdrTaco mentioned .... by tal197 · · Score: 1
      So, to conclude - there is no extra security risk from running X apps remotely. The programs are still running on the remote machine, they're just displaying on your local X server.

      The remote application can send messages to any local application. Like, say, looking for a local xterm and inserting keypresses...

      I'd call that a security risk.

    10. Re:the rant that CmdrTaco mentioned .... by tal197 · · Score: 1
      No, no, no!

      X applications can talk to each other, even if they're running on different machines. This is used for cut-and-paste, drag-and-drop, xkill, etc.

      You have two xterms open on your local machine. Using one of them, you ssh to a remote machine. The remote machine can now open windows on your display and interact with all other clients.

      The remote machine pastes rm -rf ~ into the other xterm. Of course, it would normally do something more sneaky...

    11. Re:the rant that CmdrTaco mentioned .... by valdis · · Score: 2
      It's a *very* real attack.

      That's why there's a provision for disabling X forwarding. Other things to do to help close down the hole are having your 'ssh' X NOT connect back to your real X server, but to an XNest or mxconns instead.

    12. Re:the rant that CmdrTaco mentioned .... by phaze3000 · · Score: 1

      Bzzt.. try again.
      The worst it could do is pretend to be a local xterm and fool the user into su'ing. The client can only affect the client itself - not other clients, even if they are also on the same machine.. (well, obviously a client could send a kill to another process running on the same machine, but that's about it).

      --
      Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    13. Re:the rant that CmdrTaco mentioned .... by phaze3000 · · Score: 3
      I think you're getting confused here..

      X server - what actually displays stuff, runs on your local machine
      X client - program that runs on remote machine
      SSH daemon - program that runs on remote machine giving you shell access
      SSH client - program that runs on your local machine that allows you to connect to SSH daemon on remote machine.

      Right, now we've got that clear, let's see what these programs actually allow us to do in terms of potential exploits.
      SSH - allows us to run (gasp!) ARBITRARY CODE on the remote machine. Except that it runs as the user we're logged in as, which presumably will be a low enough level only to cause problems to ourselves (unless there are unpatched programs). This is really only a problem if we've already got root, in which case there are already plenty of naughty things we can do.
      Running an X client when logged in via SSH allows one to run X clients (ie X applications) on the remote server, but have them display on our local X server. The code is still running on the remote server, just like it is when we execute a program via SSH. Just like when we use SSH, the output from the program is sent to our screen rather than the machine it's actually running on.

      So, to conclude - there is no extra security risk from running X apps remotely. The programs are still running on the remote machine, they're just displaying on your local X server.

      The security vulnerability here came about because there was a cracked SSH executable on a machine which one of the Sourceforge guys then used to log in to Sourceforge. The cracker didn't go into details, but I'm willing to bet it's some ancient vulnerability that was exploited - like the portmapper one that a couple of worms have used, or a wu-ftpd issue. Or maybe something bind-related.

      Hope this stops anyone from panicking unnecessarily.



      --
      Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
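The setting argued over in this sub-thread can be checked mechanically. The following is an added example, not code from any poster or from OpenSSH: it works out which hosts a client config would forward X11 to, using ssh_config's "first obtained value wins" rule, and shows a weak ordering beside a corrected one. Hostnames and both sample configs are constructed; `Match` and `Include` are not evaluated, and the default of `no` is the upstream default assumed here.

```python
import re

def host_matches(patterns, host):
    """ssh_config Host semantics: at least one positive pattern must match
    and no negated (!pattern) one may. '*' and '?' are the only wildcards."""
    matched = False
    for pattern in patterns:
        negated = pattern.startswith("!")
        body = pattern[1:] if negated else pattern
        regex = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host):
            if negated:
                return False
            matched = True
    return matched

def effective_option(config_text, host, keyword, default="no"):
    """Value the ssh client would use for `keyword` when connecting to `host`.
    default="no" is an assumption (upstream OpenSSH default for ForwardX11)."""
    active = True  # declarations before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not parsed:
            continue
        key = parsed.group(1).lower()
        value = parsed.group(2).strip().strip('"')
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # Match blocks are outside this example's scope
        elif active and key == keyword.lower():
            return value.lower()  # first obtained value wins; later ones are ignored
    return default

def x11_forwarding_hosts(config_text, hosts):
    """Hosts that would be allowed to open windows on the local X server."""
    return [h for h in hosts if effective_option(config_text, h, "ForwardX11") == "yes"]

# Constructed sample: the per-host "no" comes too late, because "Host *"
# already supplied a value for every host.
WEAK_CONFIG = """
Host *
    ForwardX11 yes

Host shell.example.net
    ForwardX11 no
"""

# Constructed sample: specific hosts first, deny-by-default last.
FIXED_CONFIG = """
Host shell.example.net
    ForwardX11 no

Host workstation.example.net
    ForwardX11 yes

Host *
    ForwardX11 no
"""

HOSTS = ["shell.example.net", "workstation.example.net", "other.example.net"]

if __name__ == "__main__":
    print("weak :", x11_forwarding_hosts(WEAK_CONFIG, HOSTS))
    print("fixed:", x11_forwarding_hosts(FIXED_CONFIG, HOSTS))
```

With the corrected ordering, forwarding to any other host has to be requested explicitly with `ssh -X`.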
    14. Re:the rant that CmdrTaco mentioned .... by mvdwege · · Score: 1

      X is forwarded by default via SSH on several Linux distributions.

      No it isn't. Most Linux distributions come with OpenSSH, straight out of the OpenBSD tree, only slightly tweaked to run on Linux (like SysV init instead of *BSD). OpenSSH has X-forward turned off by default (in keeping with OpenBSD philosophy).

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  46. Re:A better hack... by sharkey · · Score: 2

    But if the cracker replaced the colors on /. with ones that DON'T hurt a human's eyes, who's to say that it would be a totally bad thing?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  47. Re:My Complaint Against Slashdot by batdragon · · Score: 2

    Gods! The only thing worse than a troll who finds a thesaurus, is an argument with nothing to back it up.

  48. Re:Mmm.... Infowar. by Ryan+Amos · · Score: 1

    Heh, Amazon/Yahoo/EBay get 0wned all the time.. It's just that their sysadmins are on top of it and usually have it completely fixed and patched up within 5 minutes. Regardless of how evil/stupid these companies are, the people who work at them are usually very good at what they do. Regardless, it's nigh impossible to have a hack-proof server. If you get enough people trying, it will happen because human error is often the weakest link. Hell, most of the passwords Kevin Mitnick got, he didn't hack, he called up on the telephone and weaseled them out of some tool working tech support. No matter how secure the OS is, humans will be the easiest place to hack.

  49. Biometrics and smart cards. by Ilmari · · Score: 1
    Well, you don't send the fingerprint over the wire, the fingerprint is required to unlock the secret key on the card for use, instead of (or in addition to) a passphrase, so that the card can sign and encrypt data. The key itself never leaves the card.

    --

    © ilmari. All rights reserved, all wrongs reversed

  50. Re:Who modded this troll? by TeknoDragon · · Score: 2

    shit man, you haven't been on the microsoft campus lately have you???

    or do you not ever step outside M$'s marketing department?

  51. strong passwords and handheld toys by boots@work · · Score: 1

    Get an open source PalmOS tool like Keyring for PalmOS or String that can generate random passwords and store them safely encrypted. Then you can use strong passwords that are different on every machine, and change them regularly without needing to worry about forgetting them. (But don't forget to make backups of your keyring!)

  52. Re:the conspiracy theory by boots@work · · Score: 1

    You assume the tree is safe. In this case the tree is suspect.

    No, the point of reading the diff is that it allows me to avoid assuming the tree is safe.

    Let me explain it in smaller words: I have a checkout of the Apache source on my laptop, which I last updated a month or two ago. (This is not just an example, I really do.) If I get a new checkout of the tree, and run a recursive diff across the two directories, then I can see all the changes which were made to the head of the tree since I made my checkout. Most of these will be normal development changes that have happened in the intervening period, but if I see any suspicious binding of ports or launching of shells then we know something bad has happened.

    Of course this is not just me. Many developers or spectators will have their own copies of the tree from various points in time. Covalent, IBM and distribution vendors will have their own internal mirrors of the tree. Since the intruders couldn't break all of these copies, any damage would likely be discovered.

    The review process Brian explains in his mail is a systematic way of doing this. The chances that a change will slip through are pretty small.
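The recursive diff described in the comment above, as an added Python example (not code from the thread or from the Apache project). It compares an older checkout against a fresh one, lists added, removed and changed files, and flags added lines that bind ports or launch shells so a reviewer reads those first. The pattern list and both sample trees are constructed assumptions.

```python
import difflib
import os
import re
import tempfile

# Assumed review heuristics for C sources; illustrative, not exhaustive.
SUSPICIOUS = {
    "opens a listening socket": re.compile(r"\b(bind|listen|accept)\s*\("),
    "launches a process or shell": re.compile(
        r"\b(system|popen|exec[lv]p?e?)\s*\(|/bin/(ba)?sh\b"),
}

def list_files(root):
    """Relative paths of all files under root, skipping VCS metadata dirs."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("CVS", ".svn", ".git")]
        for name in filenames:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found

def read_lines(path):
    """File content as lines; a symlink is represented by its target."""
    if os.path.islink(path):
        return ["symlink -> " + os.readlink(path)]
    with open(path, "rb") as handle:
        return handle.read().decode("latin-1").splitlines()

def added_lines(old_lines, new_lines):
    """Yield (line number in the new file, text) for inserted or replaced lines."""
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                yield j + 1, new_lines[j]

def compare_trees(old_root, new_root):
    """Summarise what changed between a trusted old checkout and a new one."""
    old_files, new_files = list_files(old_root), list_files(new_root)
    report = {"added": sorted(new_files - old_files),
              "removed": sorted(old_files - new_files),
              "changed": [], "flagged": []}
    for rel in sorted(new_files):
        new_lines = read_lines(os.path.join(new_root, rel))
        old_lines = []
        if rel in old_files:
            old_lines = read_lines(os.path.join(old_root, rel))
            if old_lines == new_lines:
                continue
            report["changed"].append(rel)
        for lineno, text in added_lines(old_lines, new_lines):
            for reason, pattern in SUSPICIOUS.items():
                if pattern.search(text):
                    report["flagged"].append((rel, lineno, reason, text.strip()))
    return report

def write_tree(root, files):
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(text)

def demo():
    """Build two small constructed trees and compare them."""
    old = {
        "README": "build with make\n",
        "docs/old.txt": "obsolete notes\n",
        "src/util.c": "int add(int a, int b) { return a + b; }\n",
        "src/server.c": "int serve(int fd) {\n    log_request(fd);\n"
                        "    return handle(fd);\n}\n",
    }
    new = dict(old, README="build with make install\n")
    del new["docs/old.txt"]
    new["src/server.c"] = ("int serve(int fd) {\n    log_request(fd);\n"
                           '    if (getenv("DBG")) execl("/bin/sh", "sh", (char *)0);\n'
                           "    return handle(fd);\n}\n")
    new["src/probe.c"] = "void probe(int fd) {\n    listen(fd, 5);\n}\n"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, old)
        write_tree(b, new)
        return compare_trees(a, b)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The flags only order the reading; every changed and added file in the report still needs a human look, since a pattern list cannot anticipate every backdoor.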

  53. Re:the conspiracy theory by boots@work · · Score: 2
    I think you're misreading the letter. My interpretation is that it was the admin's ISP who had been owned for five months, not SourceForge.

    MS can "prove" their code internally when hacked (back ups/ownership/check digits) and is liable if they produce rooted code.

    That's classic Microsoft FUD. It has taken the US federal and state governments years and millions of dollars to take Microsoft to court, and they still don't have a decisive result. What chance does anyone else have of proving them "liable", even leaving aside the EULA's exclusion of liability?

    Personally, I can run a diff of my Apache and other source checkouts against what's currently in the tree, and know for sure what's changed. I find that much more reassuring than your handwaving about "check digits".

  54. Re:Jail time by Ambassador+Kosh · · Score: 1

    If it had been microsoft I would have felt the same way. For the same reason we protect the KKK's freedom of speech I would also support a very harsh punishment for the person if they did it to MS.

    I don't like MS personally but that is also not an excuse to attack them. I want opensource to win in the long term fair and square. These attacks are pathetic no matter who they are done against.

    --
    Computer modeling for biotech drug manufacturing is HARD! :)
  55. Quite curious.. by magnwa · · Score: 1

    I am curious. Is there validity to his claim that he had this thing solved 5 months ago.. and was there anyone who can verify this guy was the hacker? (Cracker for those who get pissy about definitions :) ) . If so.. and if he trojaned sshd.. well.. he very likely has a backdoor in to a lot of other places. Does ssh send the private key up for comparison, or does it pull the public key down? What are the implications of having SSHD backdoored and what kind of information can be obtained from this? If I have keys in a directory..and sshd is backdoored, could I potentially have security issues on all other sites I use ssh on?

    Does this affect debian, who uses ssh exclusively? Or anyone else that uses ssh exclusively?

    What I'm asking is, is there a ripple effect from this? Should people be revoking their keys en masse?

    Magnwa

    1. Re:Quite curious.. by course · · Score: 1

      I would pull all my keys and change all my passes if I was in that list... - because my opinion is not yours

    2. Re:Quite curious.. by Ayende+Rahien · · Score: 1

      I'm not familiar with SSHD, but I would assume that it sends the private key (or md5 of it or something like that), otherwise, you are exposed to the client d/l the public key and lying about the match.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  56. Re:Rewarding the Hacker? by JabberWokky · · Score: 5
    And, of course, they've done the community a service by exposing vulnerable security holes... which will hopefully be patched before some site of actual significance is hacked, sending the world into economic depression.

    When it was announced that Sourceforge had been hacked, I was the only one that ventured the idea that it wasn't a technical hack, but a social one (okay, that sounds like I've got a swollen head, but the point is, most people leapt to the conclusion that it was a technical hole, rather than a social one).

    Most likely, this will not be the only other OSDN and related sites that is defaced - if they got into Sourceforge and Themes.org on stolen passwords, they are probably collecting passwords, looking through history files, hammering through, searching for passwords to other sites. Since it's a fairly small pool of admins that all work together, it is likely that there is some overlap between admins. Plus the odd (and stupid) admin that uses the same passwords at multiple sites.

    Social engineering, stealing a password or swiping a laptop does not beneficially expose security holes unless the password was negligently left out, or the social engineering targeted somebody who shouldn't have had the password anyway. I know a large ISP (one of the, oh, say, top two) where most of the sales force knows the NT Admin password for all machines on the network. That's negligence.

    Having a laptop in session get swiped at Comdex means you better know what's on that laptop (and deal with it quickly), but at that point, can just be a race. And if you leave it at a restaurant, come back the next day to pick it up, unaware that the busboy is a 133t d00d, is that negligence (in a perfect world, yes. In reality, it's a bit more fuzzy).

    And of course, the tendency towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  57. Oopsie... by JoeLinux · · Score: 1

    Well, if they replace it with a "look out for this bug" and are nice about cracking the site, give shouts out, etc., I have no problem...but this is just plain rude.

    JoeLinux

  58. Apache.org's announcement by Chuck+Chunder · · Score: 3
    From the announce@apache.org mailing list:
    ====

    Earlier this month, a public server of the Apache Software Foundation (ASF) was illegally accessed by unknown crackers. The intrusion into this server, which handles the public mail lists, web services, and the source code repositories of all ASF projects was quickly discovered, and the server immediately taken offline. Security specialists and administrators determined the extent of the intrusion, repaired the damage, and brought the server back into public service.

    The public server that was affected by the incident serves as a source code repository as well as the main distribution server for binary release of ASF software. There is no evidence that any source or binary code was affected by the intrusion, and the integrity of all binary versions of ASF software has been explicitly verified. This includes the industry-leading Apache web server.

    Specifically: on May 17th, an Apache developer with a sourceforge.net account logged into a shell account at SourceForge, and then logged from there into his account at apache.org. The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able to get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he replaced our ssh client and server with versions designed to log names and passwords. When they did this replacement, the nightly automated security audits caught the change, as well as a few other trojaned executables the cracker had left behind. Once we discovered the compromise, we shut down ssh entirely, and through the serial console performed an exhaustive audit of the system. Once a fresh copy of the operating system was installed, backdoors removed, and passwords zeroed out, ssh and commit access was re-enabled. After this, an exhaustive audit of all Apache source code and binary distributions was performed.

    The ASF is working closely with other organizations as the investigation continues, specifically examining the link to other intrusion(s), such as that at SourceForge (http://sourceforge.net/) [ and php.net (http://www.php.net/). ]

    Through an extra verification step available to the ASF, the integrity of all source code repositories is being individually verified by developers. This is possible because ASF source code is distributed under an open-source license, and the source code is publicly and freely available. Therefore, the ASF repositories are being compared against the thousands of copies that have been distributed around the globe. While it was quickly determined that the source code repositories on the ASF server were untouched by the intruders, this extra verification step provides additional assurance that no damage was done.

    As of Tuesday, May 29, most of the repository has been checked, and as expected, no problems have been found. A list of verified modules will be maintained, and is available here: http://www.apache.org/info/hack-20010519.html

    Because of the possible link of the ASF server intrusion to other computer security incidents, the investigation is ongoing. When complete, the ASF will offer a complete and public report.

    The Apache Software Foundation strongly condemns this illegal intrusion, and is evaluating all options, including prosecution of the individual(s) responsible to the fullest extent of the law. Anyone with pertinent information relating to this or other related events should contact root@apache.org. Anyone from the media with further interest should contact press@apache.org.

    Thanks.

    Brian Behlendorf
    President, Apache Software Foundation
    ====
    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Apache.org's announcement by Courier · · Score: 1

      As we can see here.. MS could never say that they have off site trusted source for every single bit of their software.

      Unlike us.

      How interesting.

    2. Re:Apache.org's announcement by icqqm · · Score: 2
      "the nightly automated security audits"

      Well, at least someone is doing their job properly, but why are people sshing to other machines only to ssh into another machine from there? Where's the point in such stupidity?

  59. Re:the conspiracy theory by chrismcc@netus.com · · Score: 1

    >> MS can "prove" their code internally when hacked (back ups/ownership/check digits) and is liable if they produce rooted code.

    Really? have you read the licence ?

    >> In a corporate world liability = responsiblity.
    Please sue microsoft for a loss you had using their software.

    I don't think you will get far. Neither MS software nor any OSS software comes with a 'you can sue me if' clause

    --
    Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
  60. Extra risk? by evilpete · · Score: 1

    So, to conclude - there is no extra security risk from running X apps remotely. The programs are still running on the remote machine, they're just displaying on your local X server.

    Unless the X client - server communication is encrypted (maybe tunnelled through ssh?) there is an additional security risk. All user input on the server machine has to be transmitted to the client and this most likely includes keypresses and mouse events in a sniffable format.

    All input to an xterm X-client could be sniffed, including passwords to ssh accounts, su passwords etc. This would be bad.


    --
    +++++
    The harder you look the less you see. That's what we're up against.
    1. Re:Extra risk? by BlowCat · · Score: 2
      Even if X is tunnelled but the sshd is compromised, you are screwed, because sshd knows what you are typing in xterm.

      Actually, everything you are doing on a remote compromised machine can be monitored by the attacker.

  61. A better hack... by Polo · · Score: 5

    A better hack would be to crack slashdot, (possibly from Japan), then post a very subtle and believable story telling of other sites being compromised with "vulgar pictures"...

    and then chuckle in a maniacal way as the slashdot effect works as a DOS attack on those sites...

  62. Re:l00k @t m3 m0mmy I'm @n 31337 hax0r by gimpboy · · Score: 1

    I wonder how many people lose jobs because of this childish behaviour

    it's sad, but perhaps these people shouldn't have these jobs.

    use LaTeX? want an online reference manager that

    --
    -- john
  63. Re:Been here, seen that by MadAhab · · Score: 2

    You should of course also change passwords for any account you might have ssh'd to from one of the compromised servers...

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  64. netcraft by Juln · · Score: 1

    it is interesting the different ways people interpret the Netcraft data, huh? Last I read Apache had 60% and MS about 22, but you know, surely that can't be right if you are an MS fan!

    --
    Juln
    1. Re:netcraft by Juln · · Score: 1

      oh, right....hahah! Who cares!
      Okay, then let's say, interesting how the statistics can be selected carefully... because it's pretty clear apache outnumbers MS in every other way.

      --
      Juln
    2. Re:netcraft by Juln · · Score: 1

      ps... your 'reliability' study is pretty amusing! What an idea!

      --
      Juln
  65. Re:Rewarding the Hacker? by QuantumG · · Score: 1

    And of course, the tendency towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.

    Exactly right, stealing a laptop is not a social attack.

    --
    How we know is more important than what we know.
  66. Re:sigh by QuantumG · · Score: 1

    why? Actually the best thing you can do is pull the network cable, don't turn off the machine and call your security provider. They will do a real analysis and then clean and secure your system. Reinstall is a good way to get back into the exact same insecure state again.

    --
    How we know is more important than what we know.
  67. uh huh by QuantumG · · Score: 1

    I don't think he is trying to show shit. He is simply saying that VA are talking through their ass when they say that only the shell server was owned and that us users shouldn't worry our pretty little heads.

    --
    How we know is more important than what we know.
  68. so change your password! by QuantumG · · Score: 1

    sheesh, next thing you'll be asking a judge for a injunction to ban linking to your sniffed password.

    --
    How we know is more important than what we know.
  69. Re:sigh by QuantumG · · Score: 1
    --
    How we know is more important than what we know.
  70. sigh by QuantumG · · Score: 2

    re-installing is *not* the solution. Checksum your binaries when you first install (and don't have the network plugged in when you do it ok?) and if/when you get owned, take the box offline, pull out the hard drive, put it into a machine with no hard drives, boot off your forensic analysis floppy and check it. Hopefully, the security team at VA Linux knows this.

    --
    How we know is more important than what we know.
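The checksum baseline suggested in the comment above, which is also the kind of check the nightly audit in Apache's announcement relied on to notice the replaced ssh binaries, as an added Python example (not code from the thread or from either project). The HMAC seal is this example's own addition: an intruder with root can rewrite an unprotected checksum list, so the key and the verifier are assumed to live off the audited host. File names, contents and the key are constructed.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

def snapshot(root):
    """SHA-256 and permission bits for every regular file under root.
    Symlinks and device nodes are skipped in this example."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            records[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "mode": stat.S_IMODE(info.st_mode),
            }
    return records

def manifest_mac(files, key):
    canonical = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def seal(files, key):
    """Serialise the baseline together with a keyed MAC over its content."""
    return json.dumps({"files": files, "mac": manifest_mac(files, key)},
                      sort_keys=True)

def audit(sealed, key, root):
    """Compare root against a sealed baseline; return sorted (path, problem)."""
    doc = json.loads(sealed)
    if not hmac.compare_digest(doc["mac"], manifest_mac(doc["files"], key)):
        raise ValueError("baseline manifest failed its integrity check")
    baseline, current = doc["files"], snapshot(root)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "unexpected file"))
        else:
            if baseline[path]["sha256"] != current[path]["sha256"]:
                findings.append((path, "content changed"))
            if baseline[path]["mode"] != current[path]["mode"]:
                findings.append((path, "mode changed"))
    return findings

def demo_findings():
    """Take a baseline of a constructed bin/ directory, alter it, audit it."""
    key = b"constructed-demo-key"  # in practice held off the audited host
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "ssh"):
            path = os.path.join(bindir, name)
            with open(path, "wb") as handle:
                handle.write(b"constructed stand-in for " + name.encode())
            os.chmod(path, 0o755)
        sealed = seal(snapshot(root), key)  # taken right after install

        # Constructed changes of the kind an audit should surface.
        with open(os.path.join(bindir, "ssh"), "wb") as handle:
            handle.write(b"replaced build")
        os.chmod(os.path.join(bindir, "ps"), 0o4755)  # setuid bit added
        os.remove(os.path.join(bindir, "ls"))
        with open(os.path.join(bindir, "sshd.orig"), "wb") as handle:
            handle.write(b"leftover copy")
        return audit(sealed, key, root)

if __name__ == "__main__":
    for path, problem in demo_findings():
        print(f"{problem:16} {path}")
```

Running the audit from the suspect system's own interpreter and libraries trusts the thing being checked, which is why the comment above boots from separate media first.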
  71. Viruses by QuantumG · · Score: 2

    Norton protects you against known viruses. Virus writers check their virus before releasing it (and yes, they still release it, no matter how much we tried to tell them that wasn't what it was all about) so they know the AV doesn't detect it. It is only after it has been discovered "in the wild" that the virus signatures are determined and the checker updated.

    --
    How we know is more important than what we know.
  72. Taco on "Crack" by QuantumG · · Score: 5

    sigh.

    --
    How we know is more important than what we know.
    1. Re:Taco on "Crack" by hyperizer · · Score: 1

      "Cracker" will never catch on. Most people still think of it as a derogatory term for poor white folk. How about "attacker"?

    2. Re:Taco on "Crack" by graveyhead · · Score: 2

      I disagree. A couple days ago, my fiance and I were watching TV, and someone was incorrectly dubbed a "hacker". I tried to explain the difference, but she cut me off and told me that no one cares about the correct semantics, it's only popular perception that matters. In other words, the term has taken on a new meaning because of a widespread perception. I never got to finish my sentence...

      Well, your fingers weave quick minarets; Speak in secret alphabets;

      --
      std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
    3. Re:Taco on "Crack" by Cardhore · · Score: 5
      I agree.

      Remember when the word hacker used to mean someone who breaks into networks or writes code? And crackers were the ones who cracked the copy protection on software and had the "s3r1a1 #'s". They were always grouped with anarchy, virii, and wares all over the net.

      Who cares if "good" and "bad" hackers are called hackers? Most people can understand who you are if you take two minutes to explain which type you are . . . people are surprisingly able to understand these things if someone explains them to them. Most people are willing to listen; just talk to them.

    4. Re:Taco on "Crack" by Penis · · Score: 2

      I tried to explain the difference, but she cut me off

      That's when you slap the bitch and tell her to shut the fuck up,
      and that if she fucking listened she might fucking learn something once in a while.

      She sounds like a great catch, someone you can really talk to about anything...

      Me? I occasionally call myself a hacker, and if someone doesn't 'get it',
      I explain to them the difference between white hats and black hats,
      and that hackers are like Jedi.
      I am, however, a cracker(as in chickenshit whiteboy) hacker.

      Cracker? Fuck no. Sites do get cracked, but the act is still hacking.
      "ScriptKiddie" is appropriate for a lot of defacements tho, as many of the people that
      deface sites just use r00t kits and never actually do any work or have any real knowledge.

      Mr. P3n1z.

  73. Mmm.... Infowar. by solios · · Score: 5

    First the DDOS attacks- and probably other sorts of similar high-profile hits before then. Then the discovery that M$'s internal network had been compromised; and now in the past week, Themes.org was cracked and Sourceforge was messed with. Slashdot was compromised a few months ago as well (and the staff was very open about what went down and how it had been possible), and I'm sure there are many others that are escaping my attention at the moment.

    Is it just me, or are these sorts of things on the rise- not only the frequency, but the profile of the target? How long until a *really* high profile, high volume portal or site such as Amazon, Ebay, or Yahoo gets 0wn3d?

    It's guerrilla warfare- a war without soldiers, ammunition or human casualties. The attackers cannot be easily found, and even when they are, prosecuting them is difficult, if not impossible (extradition treaties, diplomatics, etceteras). From what I've seen, all of the major targets have been hosted on US soil- I wouldn't be surprised if many of the attackers were overseas. Firewalls don't seem up to the task, and neither do many sysadmins.

    What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)? Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?

    1. Re:Mmm.... Infowar. by matman · · Score: 1

      I wish people would get real with the OpenBSD stuff. It's secure OUT OF THE BOX... I've never heard of anyone that leaves it in the default out of the box state; most hacks don't occur via the sorts of things that get installed Out of the Box.

    2. Re:Mmm.... Infowar. by dudle · · Score: 5
      What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)?

      That's not right! You don't get protected from viruses just by installing Norton Antivirus, you have to constantly update it, make sure you run the newest version, etc.

      Securing a system requires deep knowledge about that said system. I don't know shit about OpenBSD. Do you really think I will be more secure if I were to use OpenBSD tomorrow rather than Debian that I know pretty well? I don't think so either.

      Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?

      Snort, logcheck and the like do help, as long as you stay up to date with BugTraq and you keep your head cold. The minute you think you are secure, you get screwed. All the tools in the world won't help you if you don't know how to use them.

      So what can we do? Well here is my humble opinion:
      Before you get owned

      • Knowledge is gold but documentation is golden.
      • Get a working backup solution in place

      Once you realize you're owned
      1. Unplug the box
      2. Get the hot spare and restore the data on it (you do have a hot spare I hope)
      3. Analyse the system in a post-mortem mode
      4. Reinstall the compromised system from scratch
      Good Luck.

      --
      Looking for a great online backup: Green Backup
    3. Re:Mmm.... Infowar. by rcw-home · · Score: 2
      What sort of tools exist to prevent this sort of thing

      [Insert security-is-a-process-not-a-product rant here.]

      Properly engineer the interface to everything an outsider can get their hands on (parameters to cgi scripts, random services that shouldn't be running or exposed to the outside world at all, physical security, etc) and make sure you can trust your insiders.

      Unfortunately it's very difficult to turn 100000 lines of crap thrown together over six weeks of all-nighters (or 1000000 lines of crap thrown together over six years) into a properly engineered system. In fact it's usually significantly easier to throw it out and start over.

    4. Re:Mmm.... Infowar. by CBoy · · Score: 2

      Say what ? You are totally wrong. OpenBSD DOES need patches (at least if you are installing off the paid-for CD). http://www.openbsd.org/errata.html

    5. Re:Mmm.... Infowar. by rtscts · · Score: 1

      You're a manager, aren't you? Well, you should be. You think security is as easy as installing something and that's it - secured. We are all laughing at you.

      Firewalls don't seem up to the task

      Unless TCP/IP is being exploited (malformed packets, etc), your Firewall should NOT be considered the first line of defence. Your software should be capable of validating clients all by itself, without needing to be filtered out. Treat the firewall as your backup plan only, and secure your software properly to begin with.

      What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)?

      Yup, definitely upper management material. Are you saying the OS was cracked in these cases? Was root obtained through an OS bug? I'm pretty sure this is an application issue - if Apache is improperly setup on linux, the same configuration will still be improper on BSD.

      There really is only one solution to this problem, and management types like you just don't want to hear it: MORE FUCKING MONEY. Money buys experienced staff and training. These staff are what will keep your systems secure, not some magic software patch.

    6. Re:Mmm.... Infowar. by sabine · · Score: 1

      Ebay's *been* cracked. Several times.

      ~sabine

    7. Re:Mmm.... Infowar. by insta · · Score: 1

      Heh.. except guerilla warfare usually has some sort of point, being fighting for rights or religious beliefs.. Cracking a few high traffic sites (and posting vulgar material) in order to make a name for yourself.. especially the sites that got compromised (helpful and almost beloved in the community, as opposed to the usual "evil corporation" stuff), isn't anything like guerilla warfare.

    8. Re:Mmm.... Infowar. by Graspee_Leemoor · · Score: 1

      This should be moderated up, because it rather amusingly is a "crack" exploiting a weakness in the security of email address obfuscation.

      I mean, if you really didn't like the person you could actually submit their email to spam lists...

      graspee

    9. Re:Mmm.... Infowar. by Kynde · · Score: 1

      I don't know shit about OpenBSD. Do you really think I will be more secure if I were to use OpenBSD tomorrow rather than Debian that I know pretty well? I don't think so either.

      Well I most certainly do think that at least you should feel more secure with OpenBSD. I think the comment on the www.openbsd.org site says it all "Four years without a remote hole in the default install!". I feel pretty safe saying that there aren't any other major OS's that can say that...

      Although I do admit that you're right about knowing the system at hand and keeping it updated, but you really shouldn't undermine the security that OpenBSD can provide just because all the other vendors/distributors have kept failing over and over again.

      -

      --
      1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
    10. Re:Mmm.... Infowar. by lightfoot+jim · · Score: 1

      Hmm, well I'm a little confused as to why the parent was modded up so much. How long till ebay gets r00ted..it's just bound to happen any day now. Now that's informative. Ahem... But when this sort of thing happens and every l33t whitehat starts barking up the OpenBSD tree, don't let it give you the wrong idea. Every OS has its zealots but OpenBSD isn't just secure by default in the same sense as cp/m, i.e. deaf on all ports. It's also secure in the sense that when you set up some services you don't have to install a bunch of patches and service packs, etc. whenever you install it.

      Anyway, as I read it, your illustration only amounts to saying that OpenBSD can potentially be made insecure by the sysadmin. Well if that's one of your criteria for evaluating an OS's security model, I can see why OpenBSD is inadequate. However the security model of an OS is only a small factor in the security model of a business. Some company like Amazon would probably keep their www servers all running in a DMZ and the less sensitive part of their customer database behind a firewall. More sensitive parts of their customer dbase (cc numbers, shipping addresses, etc.) could conceivably be stored on servers connected to the internet only via sneakernet. Point is, only a poor admin would rely on the strength of the OS alone as a means to secure data.

      --
      The state is the great fiction by which everyone tries to live at the expense of everybody else. ~F. Bastiat
    11. Re:Mmm.... Infowar. by gnurd · · Score: 1

      do they use SATAN for security?
      ---

      --
      "i was saying gnu-rd"
  74. Mirror (I think) by chris88 · · Score: 5

    This is what I took from here. Which says it's a mirror.

  75. Re:Interesting by bugg · · Score: 2

    I would like a copy of this list, do you know where I can find one? I'm a user (bugg@users.sourceforge.net) at SF and have SSH'd places from their shell before; but I don't know if that was before or after the compromise.

    --
    -bugg
  76. Re:Someone should... by psergiu · · Score: 2

    I for one will offer many-a-virtual beers to the one 1337 d00d doing that !
    --

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  77. Re:Rewarding the Hacker? by pubudu · · Score: 2
    While it is nice to know that the site got hacked, aren't we rewarding the hacked by posting all to info in a public forum?

    This is the problem that was faced with the airline hijackings a decade ago. Eventually, the major news organizations agreed to report only that a plane had been hijacked: they refused to disclose by whom or their demands. Of course, with a more distributed news apparatus in the internet, this sort of thing might be more difficult today (especially considering responses like comment #33). I suppose the only option available to us is increased airport security, so to speak.

    --
    ~~~~~~

    under-paid karma whore

  78. Re:Out come the Wolves... by Unknown+Lamer · · Score: 2

    But apache itself was never exploited. It was all done using ssh. The Secure Shell is to blame here. I wonder if it was the commercial SSH or OpenSSH?

    -------------

    --

    HAL 7000, fewer features than the HAL 9000, but just as homicidal!
  79. One scary scenario, would he changed the code? by jidar · · Score: 1

    If a hacker got into sourceforge, it seems to me that it wouldn't be too difficult to write a utility for the purpose of introducing holes into source code. There are already utilities that can scan your source for common security problems (buffer overflows for instance), I'm thinking of a utility the opposite of this which scans code for common places where a buffer overflow could be useful to an attacker and then modifies the code to be insecure. Naturally an automated utility is going to have a high failure rate, but running it on something like sourceforge would still probably net a few things.

    --
    Sigs are awesome huh?
  80. l00k @t m3 m0mmy I'm @n 31337 hax0r by staeci · · Score: 1

    I used to think that 'crackers' did provide a valuable service by exposing vulnerabilities. But the truth of the matter is that most of them are irresponsible children crying out 'l00k @t m3 m0mmy I'm @n 31337 hax0r', with no thought as to the consequences of their actions.

    Grow up, if you want to be useful find a vulnerability and then report it to the admins and the software maintainers. Don't make other people's lives hell... I wonder how many people lose jobs because of this childish behaviour.
    --

    --
    'Welcome to Rivendell, Mr. Anderson...'
  81. Re:Rewarding the Hacker? by Amokscience · · Score: 1

    From reading the (finally posted) update on SF it seems that a staff member's user/password was sniffed through a compromised upstream connection.

    Read about it here:
    http://sourceforge.net/forum/forum.php?forum_id=89285

    It's not clear if the ISP was socially hacked or exploited by a technical means.

    This seems to be creating a cascading effect as a direct result of having a centralized repository and network of popular open source sites as well as most everyone using similar passwords across multiple accounts.

    --
    Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
  82. Re:This is really disheartening... by gumbo · · Score: 1
    I'd like to know what's broken, I wonder who else is vulnerable.

    Sounds like he got into 1 ISP server somewhere (most likely through an old, well-known vulnerability that wasn't patched), trojaned the SSH client on there, and collected passwords. Someone from there SSH's to SourceForge and su's to root, and bingo, he's root on SourceForge's machines. Trojan SSH client on there, collect more passwords, etc...

    I used to hate seeing "everyone's vulnerable" and "its only a matter of time" messages, and typically passed them off as paranoia, this, though, is scary. Apache.org got broken into as well? Damn...

    Yeah, but in this case apache.org probably didn't have any security problems, other than letting admins SSH in from shell accounts on other systems that they didn't control, so they couldn't trust the SSH client on there. Just my guess based on what I can see so far, though...

    Gumbo

  83. Other solution by nwetters · · Score: 1

    Use a development machine to build your system, then burn it to bootable CD. Make sure the only RW directories are /tmp /var and /home

    Alternatively, if you'd like a system that's slightly easier to update, choose hard drives that have read-only jumper settings. Keep all your executables on read-only disks. When you need to update, shutdown, change the hardware write protection, disconnect from the network and boot up.

  84. Re:What, so slahdot.org is picking up ... by staticdragon · · Score: 1

    attrition.org has decided to discontinue with updates to their defacement archive.

  85. A hacked version of my RuriLinux illustration... by fred-rin · · Score: 1
    Ugh...

    God, that really *is* a hacked version of my RuriLinux drawing...

    http://www.fredart.com/fredart/artpage.php3?src=&ft=co&fn=11

    Considering my attitude towards perverse usage of my characters and my drawings, this is really a defacement of my work as well. So there were two victims here. Granted, the violation of the themes.org servers could be considered a more serious invasion, but the defacement of my artwork is a personal violation that is hard to put value on.

    I'm not going to complain too much, i guess. All that was retained of the original image is the tux suit. It could have been far worse if the image of Ruri was simply 'accessorized'. -_-;; I thank the cracker for at least not adding one more brutalized image to the long history of fan abuse of Hoshino Ruri. (Ruri has been featured in more pornographic doujinshi (fan comics) than i think can be counted. It would have been a blow to my personal vendetta against such abuse of characters like her if she had remained in the image.)

    This, of course, is one of the problems with making your work freely available to the public over the net. Servers are only as good as the security the site implements. I have to rely on simply asking people not to deface my work. Surprisingly, most people respect my wishes. Stuff like this has been rare.

    My thanks to those who pointed this out to me. I will not be mentioning this anywhere on my sites, because i don't want to legitimize the rather lame hacking exploits of this individual. The pursuit of public recognition can be achieved in two ways - either build things (like myself and the themes.org crew does) or destroy them. Of course, these people should realize that they are nothing without people like us...

    Fred Gallagher / Piro www.megatokyo.com www.fredart.com

    --
    ::: fred hides at fredart.com
  86. Re:The rant by zimbu · · Score: 5

    ....I wouldnt be sitting atop a mountain of roots and oodles of proprietary software..

    apache.org and sourceforge.com those are the first places I go to get my proprietary software.

  87. Re:This is really disheartening... by Bushwacker · · Score: 1

    Themes.org's still locked up. and its 10:12:32pm PST right now here in San Diego. Anyone thought of the possible political motives behind this? We all know that several US sites, mostly government related, have been the target of various Chinese cracker attempts. Themes.org is primarily a US & Co. site, so could this be an attempt to destroy Western creativity in the United States in light of the recent fiasco with the recent American spy plane incident? Only the Shadow knows... :-)
    -----------------------------------------

    --
    -----------------------------------------
    Perversely greped and groped by PowerPenguin
  88. Re:Jail time by festers · · Score: 1

    Just curious - if you had taken the time to look back and realize that your comment has been made a million times on Slashdot already, would you have still said it anyway?

    People are a funny thing: they tend to defend the things that are important to them, whether that be their favorite hockey team, presidential candidate, or software philosophy. Nobody is 100% unbiased and objective. I'm sure if you were to stop and think about it, you'd realize you do the same thing with your likes and dislikes everyday. Complaining about this and/or trying to identify it in an attempt to be "insightful" is rather pointless.


    --------

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  89. Re:Jail time by festers · · Score: 1

    Counter Point 1: I'll have your links by 3:00pm Friday.

    Counter Point 2: Where did I say he was "karma whoring"? I said making a comment like that was being pseudo-insightful: people have said it many times before (see Counter Point 1) and it's not even very accurate. Karma need not be involved ;)


    --------

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  90. Re:Jail time by festers · · Score: 1

    that was humor, moron...heh, first time I've been called a troll, though...kinda hoping my first time would be from someone a little higher profile than an AC. Oh well.

    Oh, and according to my watch, it's 11:37AM on Friday June 1 2001. Heh, sorry if you are stuck in one of those future time zone, but that ain't my fault...troll :P


    --------

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  91. Re:Jail time by festers · · Score: 1

    humour (note the correct spelling, you illiterate troll)

    Ooooh, a British AC troll...you still need some work, though. Consider taking a few lessons from Zico or Lover's Arrival, The...they really know how to push the right buttons. There's nothing worse than a troll post that doesn't get you pissed off.


    --------

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  92. Re:Interesting by maswan · · Score: 1
    Too bad, that is how we found out that one account on our systems had been compromised. If people hadn't posted that list with sniffed accounts we probably wouldn't have found out for several hours or even days.

    Thanks for the list while it lasted though.

    /Mattias Wadenstein

  93. themes.org Site is dead (could not contact host) by moogla · · Score: 1

    Actually, lots of sites are slow (including slashdot). I think there's some DoSing going on.

    --
    Black holes are where the Matrix raised SIGFPE
  94. Re:My Complaint Against Slashdot by tbarrie · · Score: 1
    In case anybody else missed the joke, I'm pretty sure that the original post was generated by Scott Pakin's automatic complaint-letter generator, or something akin to it.

  95. I don't believe his lies ;-) by Pflipp · · Score: 1

    What better place to crack away than from outside the country, e.g. Tokyo?

    "I haven't read the rants"... Nah, he wrote them with his eyes closed ;-)

    It's... It's...

    --
    "We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
  96. Re:Interesting by mini+me · · Score: 3

    Actually http://defaced.alldas.de/ has already taken over this role. Mind you themes.org doesn't seem to be on there yet!? They do however provide all the info on operating systems and multiple attacks, etc.

  97. Re:themes.org Site dead - condition normal by iainl · · Score: 1

    Given the number of broken picture links in the Themes.org site, it must have been a bit of a risk to go replacing pictures with obscene ones anyway - they may not ever get displayed. Hopefully, while they are fixing the site for all possible damage caused by the crack this will get better as well.

    --
    "I Know You Are But What Am I?"
  98. Re:This is really disheartening... by coolgeek · · Score: 2
    other than letting admins SSH in from shell accounts on other systems that they didn't control

    I must say this is somewhat understated. Dude, I'm not trying to flame you here, I am way more upset by the stupidity of the Apache developer that gave up his password. So I am apologizing in advance, this is just the "right" place for my comment.

    Guys with access to ASF machines should never under any circumstance feed their password into an untrusted system. With Apache running on 60%+ of the WWW it is way too fucking big of a risk. Since fluffy bunny claims s/he rooted machines at Exodus 5 months ago, the question now exists, um geez, are all my Apache boxes trojaned?.

    The ASF is right to verify the integrity of their source by going back to the many many distributed copies of the source they have, however, I believe this might be an insufficient effort because the source could have been trojaned way in the past.

    --

    cat /dev/null >sig
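Added example, not part of the original thread and not the ASF's actual procedure: one way to check a suspect source tree against several independently held copies, as the comment above describes, by hashing every file and comparing against the majority of the reference copies. The file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def manifest(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks are skipped so a link cannot stand in for a file
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(suspect, references):
    """Compare a suspect manifest with manifests of independently held copies.

    A path is judged against the value a strict majority of references agree
    on (absence counts as a value). Paths with no majority are 'disputed' and
    need manual review rather than a silent pass.
    """
    if not references:
        raise ValueError("at least one reference manifest is required")
    report = {"modified": [], "added": [], "missing": [], "disputed": []}
    paths = set(suspect)
    for ref in references:
        paths |= set(ref)
    for path in sorted(paths):
        votes = Counter(ref.get(path) for ref in references)
        consensus, count = votes.most_common(1)[0]
        if count * 2 <= len(references):
            report["disputed"].append(path)
            continue
        mine = suspect.get(path)
        if mine == consensus:
            continue
        if consensus is None:
            report["added"].append(path)      # only the suspect tree has it
        elif mine is None:
            report["missing"].append(path)    # removed from the suspect tree
        else:
            report["modified"].append(path)   # content differs from consensus
    return report


def write_tree(root, files):
    """Create a directory tree from a {relative path: bytes} mapping."""
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build constructed sample trees and return the comparison report."""
    good = {
        "README": b"sample project\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/util.c": b"int add(int a, int b) { return a + b; }\n",
    }
    # One mirror is out of date; the other two still form a majority.
    stale = dict(good, **{"src/util.c": b"int add(int a, int b) { return b + a; }\n"})
    suspect = {
        "src/main.c": b"int main(void) { return 1; }\n",   # altered
        "src/util.c": good["src/util.c"],                   # untouched
        "src/extra.c": b"/* not in any mirror */\n",        # added
    }                                                       # README removed
    trees = {"suspect": suspect, "mirror_a": good, "mirror_b": good, "mirror_c": stale}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in trees.items():
            write_tree(Path(tmp) / name, files)
        refs = [manifest(Path(tmp) / n) for n in ("mirror_a", "mirror_b", "mirror_c")]
        return compare(manifest(Path(tmp) / "suspect"), refs)


if __name__ == "__main__":
    print(demo())
```

As the comment points out, this only detects changes that the reference copies do not share; a modification that predates all of them passes as consensus.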
  99. Re:Like it matters... by coolgeek · · Score: 2

    Dude, I agree the FMII facelift totally blows and has caused fewer page views from my IP. I would like to gently point out that the themes.org break-in is not the real news here...The news is the hax0r who did it claims to have rooted admin machines at Exodus some 5 months ago. Exodus hosts a lot of big sites, this could be a really big deal if the claims are true.

    --

    cat /dev/null >sig
  100. Re:I'm more worried about the precompiled binarys by SealBeater · · Score: 1

    How do you know, if I may ask?

    SealBeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
  101. Re:SSH/ISP by SealBeater · · Score: 2

    That's the problem. The hacker trojaned the ssh binary on a *shell* server that the ISP was providing. So, some admin jumped onto the shell server and ssh'ed from that to the OSDN boxes.

    SealBeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
  102. Re:Out come the Wolves... by Chester+K · · Score: 2

    But on a positive note, at least it will keep the Linux zealots quiet for a week or two about how superior they think Open Source is.

    When has it ever in the past? No, this will be spun into being "proof" as to how much better Open Source is when it comes to security than Closed Source software.

    --

    NO CARRIER
  103. Re:Interesting by cfreeze · · Score: 1

    www.attrition.org should have the hacked page.

  104. Re:Rewarding the Hacker? by quickquack · · Score: 1

    Sort of like if the United States of America is blown up by several strategically placed nukes, we shouldn't publicize it because the terrorists would feel rewarded.

    If the attacks are publicized and detailed somewhere, then us sysadmins will be able to better protect against them.

    BTW--What you're describing is "Security through obscurity" which we all know doesn't work :-)
    ------------

    --
    ------------
    Tonight on Fox: Deadliest Executions Part XVII
  105. The rant by quickquack · · Score: 5
    Here's what the cracker posted:

    The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.

    Well some of that is true, I mean I did trojan ssh but I did it about 5 months ago, so kudos to the admin you sir are awesome..

    "What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."

    hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it infront of the admin, by the way good job of auditing your network, wait thats just too much sarcasm for one sentence..

    After the attack, VA removed the shell service until workers could reinstall the software and data on the server. The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."

    It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..

    "In this case, they only got into a shell server," McGovern said.

    Hey, theres no disputing that, I mean.. wait.. Whats this I'm defacing ?

    The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.

    Why would they shut down other boxes, if only the shell server was hacked ?

    Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.
    oh come now, you're just being silly..

    Its ok thought I dont blame you guys, I mean atleast you admited to being schooled, thats more then I can say for akamai, but thats a different story all together.. But never the less, I'd like to thank valinux.. apache.. akamai and ofcourse exodus without their poor security and refusal to make security breaches known to the public I wouldnt be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing of.. beep..

    -fluffy@#blackpanthers on efnet (the scourge of efnet)

    Greets to: dianora.. tsk.. squrl.. cumstud.. glitch.. snow.. dwalrus.. cotton butt.. JAIL MITNICK! / FREE THE SHDWKNGHT!!!!!

    Note: I removed the /etc/passwd file at the end of this. Thought it would be nicer that way.

    ------------

    --
    ------------
    Tonight on Fox: Deadliest Executions Part XVII
    1. Re:The rant by Suppafly · · Score: 1

      posting on livejournal.com and /. aye?

  106. Re:Slashdot under attack as well? by BigWhale · · Score: 1

    Slashdot it's not under attack, it's just... hmmm, well umm, Well, it's being slashdotted! ;)
    BigWhale!
    ---------------
    I never wanted to go anywhere. I'm happy here...

    --
    The Sig, the sig
  107. Someone should... by hyoo · · Score: 5

    ...hack goatse.cx and put up a non-vulgar picture.

  108. Been here, seen that by mukund · · Score: 1
    This's yet another idiot trying to prove that "it can be done". A few points will be learned. Move on. You can't really prevent a compromise however hard you try, as long as there are so many points of failure. And people like this idiot will exist and keep proving that it can be done over and over. The idiot got his day in the sun. Read his t.o post. The idiot sounds with authority as if he's teaching and has done something big.

    If it was a guy with ethics, he'd have informed the VA staff of such a breach which could happen. I'm sure there are a *lot* of people who do that. But he'd have done it if he wasn't an idiot.

    The sad thing is, however hard sysadmins try to keep their network secure, it can still be vulnerable. If they're *informed* about the vulnerabilities instead, it'd do a world of good. Nobody wants yet another it-can-be-done. Cracking sites is a cowardly act. It's not l33t. If you want to be l33t, inform the concerned people of such vulnerabilities if they exist.

    Another thing. All those with accounts on any OSDN sites (including Themes.org, Slashdot, etc.), please change your passwords anyway - not only on the OSDN sites, but also elsewhere if you use the same passwords.

    --
    Banu
  109. isn't this just one crack! by bear_phillips · · Score: 1

    Ok,
    If the guy cracked one system and then snooped the users on that box to get passwords, didn't he only crack one box?

    Is it really apache.org's etc... fault if a trojan ssh on another isp's box was able to capture a password? or did I totally misread everything?

    --
    http://www.windmeadow.com/
  110. This is really disheartening... by b0r1s · · Score: 2

    I used to hate seeing "everyone's vulnerable" and "its only a matter of time" messages, and typically passed them off as paranoia, this, though, is scary. Apache.org got broken into as well? Damn...

    I'd like to know what's broken, I wonder who else is vulnerable.

    --
    Mooniacs for iOS and Android
  111. Re:Rewarding the Hacker? by boaworm · · Score: 2
    > And of course, the tendency towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.

    Well, how exactly are you going to send a thumbprint when you're logging on remotely ? As a binary stream... ? (then it too can of course be exploited in the same way as the password).
    Bioinformatics may work fine when you're at the physical location, but remotely.. hardly.

    --
    Probable impossibilities are to be preferred to improbable possibilities.
    Aristotele
  112. Rewarding the Hacker? by Alien54 · · Score: 5
    While it is nice to know that the site got hacked, aren't we rewarding the hacked by posting all to info in a public forum?

    Sort of between a rock and a hard place here. we need to inform the affected users, but we do not want to reward the hacker with the notoriety they crave.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Rewarding the Hacker? by swillden · · Score: 1

      heh.. yeah it seems to have worked for DirecTV

      Completely different situation. Different technology, different requirements, different approach. I could go into exactly how and why the pay TV chips are weak from a technical standpoint, but even if that weren't the case there is one difference that dwarfs all others: pay TV chips need to defend themselves against attack by their *owners*, and that is, ultimately, a very tough thing to do (though current-generation smart cards do a moderately good job of it). In the case of smart cards for authentication it's in the best interest of the owner of the card to protect its secrets.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Rewarding the Hacker? by swillden · · Score: 4

      And of course, the tendency towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.

      As someone who designs and implements high-security access control systems for a living, I disagree that smart cards make the problem worse (and they are actually pretty smart). Yes, cards can be stolen, but in any reasonable implementation the cards perform access control on the usage of their stored secrets, requiring password or biometric authentication (actually, I'm not aware of any real-world, secure implementations that use biometrics because unless the matching is done either on the card or in another secure device that shares keys with the card, then biometric authentication is extremely weak).

      Even without a second authentication factor, and even without a secure token, the use of a cryptographic authentication mechanism does vastly improve security over weak, reused and occasionally even sniffable passwords. Applying two-factor authentication, with a secure token as one factor essentially eliminates a whole class of attacks. Use of a host security module on the server is also of great benefit, making it impossible for the attacker to get at the most valuable secrets in the event they manage to compromise the server.

      The tendency towards smart cards does in fact go a very long way towards solving this problem.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
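Added example, not part of the original thread: a minimal Python sketch of the difference the comment above describes between a reusable password and a cryptographic challenge-response login, seen from the position of whoever records the exchange (for instance the trojaned SSH client discussed elsewhere in this thread). HMAC with a shared key stands in for the card's on-card operation, and the class names, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    """Classic login: the client sends the reusable secret itself."""

    def __init__(self, user, password):
        self._user = user
        self._salt = secrets.token_bytes(16)
        self._hash = self._kdf(password)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def login(self, user, password):
        return user == self._user and hmac.compare_digest(self._kdf(password), self._hash)


class Token:
    """Stand-in for a smart card: the key stays inside, only respond() is exposed."""

    def __init__(self, key):
        self._key = key

    def respond(self, user, nonce):
        return hmac.new(self._key, user.encode() + b"\0" + nonce, hashlib.sha256).digest()


class ChallengeServer:
    """Issues a fresh random challenge per attempt and accepts it only once.

    In this symmetric sketch the server also holds the key; the host security
    module mentioned in the comment is what would protect it in practice.
    """

    def __init__(self, user, key):
        self._keys = {user: key}
        self._pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self._pending.pop(user, None)   # single use, even on failure
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, user.encode() + b"\0" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run both logins, record what crosses the wire, then replay the recording."""
    wire = []       # what an observer in the path would have captured
    results = {}

    # Password login: the captured value is the credential.
    pw_server = PasswordServer("admin", "constructed-sample-password")
    wire.append(("admin", "constructed-sample-password"))
    results["password_login"] = pw_server.login(*wire[-1])
    results["password_replay"] = pw_server.login(*wire[-1])

    # Challenge-response login: the captured value is tied to one nonce.
    key = secrets.token_bytes(32)
    token = Token(key)
    cr_server = ChallengeServer("admin", key)
    nonce = cr_server.challenge("admin")
    response = token.respond("admin", nonce)
    wire.append(("admin", nonce, response))
    results["token_login"] = cr_server.login("admin", response)

    # Replay 1: resend the recorded response with no challenge outstanding.
    results["replay_same_session"] = cr_server.login("admin", response)
    # Replay 2: request a new challenge, answer with the old recorded response.
    cr_server.challenge("admin")
    results["replay_new_challenge"] = cr_server.login("admin", response)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

A recorded response is useless later, but a compromised client can still misuse a session while the token is present, so the token does not remove the need to log in only from hosts you control.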
    3. Re:Rewarding the Hacker? by skoda · · Score: 2

      And, of course, they've done the community a service by exposing vulnerable security holes...

      Likewise I'm very appreciative of the local youngsters, who rattle my doorknob, checking to see if there is a security hole with my house.

      Or the time they jimmied the lock, showing its vulnerability to common tools, and helpfully left a note, spray-painted on my wall.

      Yes indeed, where would I be without all this wonderful community service?
      -----
      D. Fischer

  113. Re:Out come the Wolves... by AaronStJ · · Score: 1

    I can see it now... PR folks from Microsoft, and other closed-source businesses are going to jump all over this (or related matters): "Open source isn't secure! Apache got hacked! Linux got hacked"

    Right. Because Microsoft servers never, ever get hacked, so this is a great marketing point. Next time you go for the easy Microsoft-bashing karma points, try harder, ok?

    --
    Stupid like a fox!
  114. Sue him by WildBeast · · Score: 1

    I've had enough of those criminals. Such acts should not go unpunished.

  115. Re:Out come the Wolves... by Some+Dumbass... · · Score: 1

    My point was essentially, what offers a juicier target to most hackers? Little known "Hi my name is Joe" sites, or various commercial ops?

    I think your basic point about IIS servers being popular targets is correct. However, how many of those "Hi my name is joe" sites are run by people who have their own servers? I would guess that most of them are hosted by bigger and potentially more interesting targets (e.g. GeoCities, AOL, etc.).

  116. Re:Jail time by ColdGrits · · Score: 1

    Just curious - would you be saying the same if some bunch of lamer hackers had defaced M$'s website?

    You can bet your bottom dollar/pound/franc/yen/rupee/pebble that had it been M$ hacked, this entire section would have been filled with people gloating about how it proves how much better open source is than closed source. However, when it happens to a site running open source OS and webserver et al, the reaction is strangely different...

    (Note - not implying for one second that the actual OS was the problem, which we know it wasn't).

    --

    --
    People should not be afraid of their governments - Governments should be afraid of their people.
  117. Re:Jail time by ColdGrits · · Score: 1

    An excellent attitude, one which I wish more people would adopt!

    --

    --
    People should not be afraid of their governments - Governments should be afraid of their people.
  118. the conspiracy theory by halfelven · · Score: 1

    If you were the big boss of a big software company threatened by Free Software, and you would think of some countermeasures, what exactly would you do? ;-)
    Suppose you would like to prove Free Software as being insecure...
    Suppose you would just like to spread some FUD...
    What's the image that comes into your mind right now?...

    1. Re:the conspiracy theory by OSgod · · Score: 1
      Hmm... rather than saying troll-bait and moving on...I'll consider it for a moment (bite)

      MS spending time and money on unethical hackers when they are already in court on charges in a case that this would not help? Not too smart... and whatever else you say about Bill G you need to acknowledge he is smart, sharp, intelligent and driven otherwise you are dog-food.

      Wait -- this is the open source crowd, dog-food to begin with.

      The biggest repository of free code has been rooted, allegedly for => 5 months which has to make every security expert out there question any and all projects containing any code from that source and request proof of valid code.

      MS can "prove" their code internally when hacked (back ups/ownership/check digits) and is liable if they produce rooted code. Who can prove the code in the case of SourceForge? Who is liable?

      In a corporate world liability = responsibility. In the open source/free software world we rejoice in no responsibility or liability. As such the open source/free software code base represented by SourceForge is suspect at best at this point. This is a potential flaw in the open source model.

      Why should any corporate manager trust any open source project containing code from SourceForge at this point? Think twice if you are in a management position -- your company's existence and your job/future depend on your answer.

    2. Re:the conspiracy theory by OSgod · · Score: 1

      You assume the tree is safe. In this case the tree is suspect.

    3. Re:the conspiracy theory by OSgod · · Score: 1
      Liability = responsibility -- and our (the consumer's) ability to hold their feet to the fire. MS has a chain that can be "jerked" --it's called not buying their product -- hurting their bottom line. Their bread is buttered when you buy their product.

      Business understands that incentive and can use it.

      Open source is based on less tangible drivers -- which still makes many businesses queasy about large commitments to the technology. If you can not explain your motivations as a contributor (vendor) why should I risk my company on your product?

  119. Re:Suck it up by Journey_Rocks · · Score: 1

    I believe the term is "baby-mulching".

  120. Re: Real mirror of themes.org by xh3g · · Score: 1

    be nice, i'm only on a dialup

    --
    - When you do things right, no one will be sure you've done anything at all.
  121. Re:REAL mirror of themes.org by xh3g · · Score: 1

    er uh, yeah.. http://xh3g.yi.org/etocrack.html

    --
    - When you do things right, no one will be sure you've done anything at all.
  122. Like it matters... by update() · · Score: 2
    Honestly, themes.org (especially wm.themes.org) is so unusable nowadays the defacement would have to be pretty outrageous before I'd notice something is wrong.

    I find that every change in a familiar site rubs me the wrong way, for a week or so. I try to give it a couple of months before complaining. But themes.org has been getting less usable with each update, and a couple of years later I continue to miss OctoberX's original design.

    It's a shame - I used to check it out at least once a week, I downloaded a lot and contributed quite a few. But it's been months since I last looked at the site.

    As long as I'm bitching, the Freshmeat facelift has been a step back for me, too. I hope the VA folks don't decide Slashdot needs improving. Better hosting (especially during the EST late afternoon/early evening) will be fine, thanks.

    Unsettling MOTD at my ISP.

  123. Re:Interesting by Lyrrad · · Score: 3
    Well, I'd assume that themes.org will come out with a theme about this.

    But, http://defaced.alldas.de/ should have it soon.

  124. Nuke the planet from orbit--only way to be sure by KMitchell · · Score: 3
    If the "rant" is to be believed, SourceForge missed a trojan when they recovered their server... I was thinking when reading the original story that I wouldn't feel comfortable just going through the logs and trusting that I caught everything... I guess re-installing from source media *IS* the only way to go...

    The big remaining questions are how many sysadmins at sites "trusted" by a compromised box should be looking for rootkits and dusting off backup CDs... and how many man-hours will it take to audit the hosted code to regain confidence that there ISN'T a backdoor somewhere...

    --Ken

  125. SSH/ISP by Elendur · · Score: 1

    I don't know about everyone else, but when I SSH into a server, the copy of SSH is running on my own system. How does cracking an ISP let this guy monitor SSH? You shouldn't be able to sniff it from the ISP (that being the whole point of using SSH instead of telnet) so do people log on from systems owned by their ISP?

    1. Re:SSH/ISP by Elendur · · Score: 1

      Ah thanks. I figured it was probably just me not thinking about it very hard.

  126. Who modded this troll? by wrinkledshirt · · Score: 1

    He's got a valid point. The MS folks have jumped on less than this to make Linux look bad.

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

    1. Re:Who modded this troll? by phalse+phace · · Score: 1

      The only reason why Microsoft is so successful is because they're a good marketing machine. They're also good at ripping off other people's/companies' ideas, improving it a bit or adding extra features, and then calling it their own.

  127. Re:Interesting by diamondc · · Score: 3

    what the hell... people are mirroring deleting the passwords sugarkane.rgv.net/~diamondc/themesownage.html

    --
    "I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
  128. Security by iCharles · · Score: 4
    Boy, the security on IIS/NT really sucks to allow such a hack to happen.

    Oh, yeah...

  129. Re:more info? by samrolken · · Score: 1

    how about this: http://sourceforge.net/forum/forum.php?forum_id=89285

    --
    samrolken
  130. Re:What, so slahdot.org is picking up ... by samrolken · · Score: 1

    You are so good at pointing out things that everyone else so clearly knows you should replace CmdrTaco!

    --
    samrolken
  131. Techies! (rolls eyes) by BenBenBen · · Score: 1
    And 5000ms ping times to the US East Coast sure makes posting this story tricky ;)

    That'd be 5 seconds then...

    Ben^3 (pedant)

    --
    The Slashdot Paradox: "100% Overrated"
  132. Re:Out come the Wolves... by ocbwilg · · Score: 2

    Microsoft has around 50% of the commercial web server space according to the Netcraft SSL survey. That's a fairly large chunk considering the next competitor is Apache with 30%.

    That may be true when you're looking at the SSL survey, but overall Apache is far and away ahead of NT/IIS. Not everybody is running an e-commerce site off their web servers.

    Much more fun to hit the high profile sites. Especially if there are some juicy credit card numbers to be had because of poor site design.

    That might be true for a small number of crackers, but the overwhelming majority of sites that get cracked are victims of simple exploit-and-deface maneuvers.

  133. Re:Out come the Wolves... by ocbwilg · · Score: 2

    Please reread the original post. In SSL sites Apache is NOT king at this point -- it is a distant second to IIS.

    But that is irrelevant to this discussion. We are talking about number of overall exploits/cracks/defacement incidents as a percentage relative to overall marketshare. In that arena, MS definitely scores the highest. Period. There is no wiggling out of it by citing SSL surveys instead of overall. SSL-enabled sites are not the only ones that get exploited! Your statement regarding Microsoft's marketshare according to the Netcraft SSL survey is about as relevant here as me pointing out that the average human head weighs 8 pounds.

  134. Re:Out come the Wolves... by ocbwilg · · Score: 2

    The point I made was that the higher percentage of SSL enabled IIS sites provided a much more attractive attack target.

    Calling the point irrelevant has no bearing on the discussion. It may be irrelevant to you but that is only because you are either incapable or unwilling to understand the point.


    I explained this to you once before but you didn't get it, so I will explain this to you yet again...in detail:

    It may be true that SSL protected/e-commerce sites provide a more attractive target for some crackers (those who are financially motivated), but the vast majority of servers that are being cracked are not targeted for financial gain. They are simple exploit and deface tricks. They are script kiddies who want to show someone that they can exploit a well-publicized security hole and see their name up in lights.

    If the majority of security breaches were in fact financially motivated or had some sort of financial component, then your excuse about MS having a higher marketshare among SSL enabled sites might be relevant. But since the overwhelming majority of security breaches are not financially motivated and are simple site defacements then obviously the "financial motivation" theory that you posit is not applicable to those cases.

    Trying to insult me by implying that I'm stupid won't change that.

  135. Re:Out come the Wolves... by ocbwilg · · Score: 2

    My point was essentially, what offers a juicier target to most hackers? Little known "Hi my name is Joe" sites, or various commercial ops?

    Blah blah blah...yeah, we know. But your argument that only "hi my name is Joe sites" are the ones running Apache is somewhat flawed. Lots of commercial sites run Apache. Beyond that, there are a large number of business-oriented web sites that are not e-commerce sites. They may simply be online brochures for companies or places to find more news and information about a company (like McDonald's and Burger King, two sites that were relatively recently cracked and defaced).

    It all depends on so many factors. I also suspect the script kiddies tend to be more familiar with Windows.

    And now you contradict yourself by implying that script kiddies are going out to hack commercial sites. They're not. Script kiddies are out to see their name in lights. If it's by defacing Burger King's online brochure, so be it. If it's by defacing Amazon.com and disrupting that day's transactions, so be it. The business (or non-business) purpose of the site is irrelevant.

    Go research the kinds of sites that have been breached over the past year. Start at attrition.org or alldas.de and keep going. I think that you'll find that very few of them are actually big "commercial operations" (or e-commerce sites). Most of them will be companies or organizations that you've probably never even heard of.

  136. Re:Out come the Wolves... by ocbwilg · · Score: 5

    I can see it now... PR folks from Microsoft, and other closed-source businesses are going to jump all over this (or related matters):

    Please...the absolute last thing MS wants to do is to actually get people started comparing the number of cracked web servers between NT/IIS and anything else. Even their corporate PR droids know that NT/IIS is by far the most exploited/cracked web server combination in the world (and disproportionately so when you consider that they have such a small percentage of the web server marketshare).

  137. Don't people realize that passwords are not secure by hackstraw · · Score: 1

    I think it is getting ridiculous that ppl are still using passwords as "security" for logging into machines. This is yet another example of how passwords simply do not work. Why? Because they are too easy to sniff, are reused across accounts, get found laying around in textfiles in plaintext, etc. Being that everyone uses shadow passwords nowadays (don't you?) the brute force attempts such as using crack are useless. It's much easier to get one laying around.

    For example, recently at my ISP the radius.log for the terminal server was world readable and had over 100K of plaintext passwords for mishandled ppp connects. For example, I saw mine as pp:username:passwd because the 1st 'p' character got chopped during negotiations.

    I would strongly recommend using strict ssh rules such as limiting where ppl can log in from and make them use keys to login instead of passwords.

    I no longer try to make a "good password" because there is no such thing. Think about it x!YS@^xlps is just as secure as 'secret' as a password in plaintext. Just for kicks I thought about walking into a company sometime and going around asking ppl for their passwords, and I bet that I would get at least 1 in 15 minutes with no problem. PKI, smartcards, etc are much better than passwords, lets use them.
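
An added example, not part of the comment above or of any project's code: a small Python audit for the two measures that comment recommends, key-only logins and limits on where logins may come from. The function names, sample configuration and key lines are constructed for illustration; `PasswordAuthentication`, `AllowUsers` and the `from=` key option are standard OpenSSH.

```python
# Added example: audit an sshd_config and an authorized_keys file for password
# logins and for missing source-address limits. All sample data is constructed.

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # an entry starting like this has no options


def audit_sshd(config_text):
    """Return findings for the global section of an sshd_config."""
    first_value, allow_users, findings = {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()              # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":                  # conditional blocks are not evaluated here
            findings.append("Match block present: review its overrides by hand")
            break
        if keyword == "allowusers":             # repeated AllowUsers lines accumulate
            allow_users.extend(value.split())
        else:
            first_value.setdefault(keyword, value)  # sshd keeps the first value it reads
    # PasswordAuthentication defaults to "yes" when the file does not set it.
    if first_value.get("passwordauthentication", "yes") != "no":
        findings.append("password logins are enabled")
    if not allow_users:
        findings.append("no AllowUsers list restricts accounts or source hosts")
    for entry in allow_users:
        if "@" not in entry:                    # USER@HOST is the form that limits the source
            findings.append("AllowUsers entry '%s' has no host restriction" % entry)
    return findings


def split_options(line):
    """Split the leading options field of an authorized_keys entry on unquoted commas."""
    options, current, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            current += '"'                      # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            options.append(current)
            current = ""
        elif ch.isspace() and not quoted:
            break                               # end of the options field
        else:
            current += ch
        i += 1
    options.append(current)
    return options


def unrestricted_keys(authorized_keys_text):
    """Line numbers of keys usable from any address (no from= option, or from="*")."""
    flagged = []
    for number, raw in enumerate(authorized_keys_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = [] if line.startswith(KEY_TYPE_PREFIXES) else split_options(line)
        sources = [o[5:] for o in options if o.lower().startswith("from=")]
        patterns = [p for s in sources for p in s.split(",")]
        if not patterns or "*" in patterns:
            flagged.append(number)
    return flagged


WEAK_SSHD = """\
# constructed sample: passwords allowed, alice may connect from any host
PasswordAuthentication yes
AllowUsers alice bob@192.0.2.*
"""

HARDENED_SSHD = """\
# constructed sample: keys only, every account tied to a source pattern
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice@192.0.2.10 bob@198.51.100.0/24
"""

SAMPLE_KEYS = """\
# constructed entries; the key material is a placeholder, not a real key
from="192.0.2.10,198.51.100.*",no-agent-forwarding ssh-ed25519 AAAAC3PLACEHOLDER alice@laptop
ssh-ed25519 AAAAC3PLACEHOLDER bob@anywhere
from="*" ssh-ed25519 AAAAC3PLACEHOLDER carol@anywhere
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, audit_sshd(text))
    print("keys usable from any address, by line:", unrestricted_keys(SAMPLE_KEYS))
```
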

  138. The Crackers are exposed! by FyRE666 · · Score: 1

    Apparently, according to my contacts in the 31337 underground, the team responsible for these attacks are the notorious Gates, Jobs and Jean Paul Gasse (out of Be inc.)

    (Jobs drew the picture of the fluffy bunny, BTW)

  139. This worries me... by Scoria · · Score: 4

    ... and it should worry you as well, if you use any of OSDN's services.

    That's right, any of them. After all, they're keeping very quiet about it and just about everything of OSDN's is getting cracked lately.

    Whoever this is, they must have root or access to sniff network traffic. It seems like whatever they don't already have access to, they can get it.

    Should you be worried? Yes. Is it overreacting? No.

    We rely on these people to keep our source (relatively) secure and disclose the problems that may be occurring...
    Will I be using SourceForge to store my code? No. I'll use a local box behind a firewall with no services, except a secure FTP daemon, allowed.

    If nothing else, at least keep a local backup, as many people don't seem to be doing this. They may have even installed a trojan into the box to insert code into the applications.

    Or maybe even a trojaned build of 'make.'

    You never know...

    --
    Do you like German cars?
  140. Re:Interesting by astr0boy · · Score: 1
    no, it's more like saying "i am in the front seat." A completely useless thing to say, and better left unsaid but still a true statement.

    (no, this is not offtopic moderators. notice the presence of discussion)

    -----

    --

    -----
    so i says to mable, i says

  141. Who cares? by hubrisboy · · Score: 1

    So what? A couple of $kr1pt k1dd13z with too much time on their hands managed to deface a couple of websites. Big deal.

    I had hoped that, in the absence of the attrition.org mirror, the k1dd13z might put away their sploits and go back to playing with their GameBoys (or whatever it is that 14 year-olds do these days).

    I'm dismayed to see a non-event like this being given space on Slashdot. "Stuff that matters", right? This doesn't make the cut.

    My $.02 worth.

    ~~~~~~~~~~~~~~~

    --
    "Three generations of imbeciles are enough." -Oliver Wendell Holmes
  142. Couldn't he use his skill more effectively? by John2583 · · Score: 1

    Jeez, If you are smart enough to do something like that couldn't you find many better ways to apply yourself?

  143. Anynews? by Norman77 · · Score: 1

    Does anyone have any news as to when the themes.org collection of sites might be rebuilt. I understand how hard it is to recover from a hack, trust me I've had to do it myself. So I'm not hoping for this to be soon, but I was just wondering if anyone had heard anything....

  144. You prefer "insecure out of the box", don't you? by ViVeLaMe · · Score: 1
    well, i guess it's still FAAAAR better than any linux distro, which come with remote exploit out of the box (*cough* REdHat anyone? *cough*) (rpc.statd, lpd, you name it it's rooted.)

    --
    i had a sig, once..
  145. Re:mirror of themes.org by *xpenguin* · · Score: 1

    hehe you are stupid. that's what they put up after it got cracked so people are not presented with the image the hacker/cracker put up.

    --

  146. Re:themes.org Site is dead (could not contact host by vrmlknight · · Score: 1

    could it possibly be that your ips may just be bogged down or that other people
    may be accessing the same sites as you (gasp!!) the internet may not resolve around you the
    answer to every thing is not that its being hacked or dos'ed or even cracked

    --
    This must be Thursday, I never could get the hang of Thursdays.
  147. Re:themes.org Site is dead (could not contact host by vrmlknight · · Score: 1

    ok before you tell me i misspelled ISP as ips i realized i did it only after the fact

    --
    This must be Thursday, I never could get the hang of Thursdays.
  148. Re:Out come the Wolves... by Ayende+Rahien · · Score: 1

    Don't know about themes & apache, but sourceforge most certainly use SSL

    Front page, top left, Login Via SSL

    https://sourceforge.net/account/login.php

    --

    --
    Two witches watched two watches.
    Which witch watched which watch?
  149. Re:Out come the Wolves... by Ayende+Rahien · · Score: 1

    Netcraft says:
    Linux Apache/1.3.14 (Unix) PHP/4.0.4pl1

    http://uptime.netcraft.com/up/graph?mode_u=off&mode_w=on&site=themes.org&submit=Examine

    --

    --
    Two witches watched two watches.
    Which witch watched which watch?
  150. Re:Linux and insurance by Ayende+Rahien · · Score: 1

    VA Linux's security admins missed a break-in for *5 months*.
    According to the hacker, they only discovered him because he "itched" them.

    --

    --
    Two witches watched two watches.
    Which witch watched which watch?
  151. Slashdot under attack as well? by alcmena · · Score: 1

    I don't know about the rest of you out there, but slashdot is loading at a snail's pace for me. It's usually insanely fast (and most of my other often frequented sites still are).

    I was just curious if Slashdot may be under attack by this hacker as well, since s/he seems to be attacking popular *nix sites.

    1. Re:Slashdot under attack as well? by Dax_is_a_geek · · Score: 1

      It's a legion of micro$serfs, that Bill Gatse is using to kill off the Open Source community. I say we arrest him and install *inux

  152. Re:Out come the Wolves... by OSgod · · Score: 1

    Please reread the original post. In SSL sites Apache is NOT king at this point -- it is a distant second to IIS.

  153. Re:Out come the Wolves... by spacefem · · Score: 1

    I bet it was Microsoft. They've got underground script kiddie commune somewhere, sipping black coffee and trying to be evil little H4X0R puppets, like the borg.

    or not, whatever.

  154. script kiddie "stuff that matters"? by maxpublic · · Score: 1

    Since when are the exploits of some socially maladjusted low-brow script kiddie "stuff that matters"? C'mon, for chrissakes - this is just another idiot teen wanker spending every waking hour on the net searching for code that *others* write just so he can prove what a 'big man' he is to the world. If he had a social life or was actually getting laid he wouldn't have time for this kind of trivial crap; but the mere fact that he *did* spend time busting into something as uninteresting as Sourceforge only proves just how pathetic the little twit really is.

    These brats are a dime a dozen. They aren't news and they certainly don't matter. Try remembering that the next time some sexually frustrated little boy hacks into a system that isn't even worth the effort in the first place..

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  155. Low Moral Fiber by cnelzie · · Score: 2

    Every time I read another one of these releases about yet another site being defaced by yet another cracker with a sniffer, two things come to mind. The first one is where the heck were this kid's parents when being taught the difference between right and wrong. The other thing is why attack a community that for all intents and purposes is attempting to build something for the greater good of all mankind? The act of breaking and entering, which is what happened, is a terribly deplorable act. I do understand that the sysadmins at the site were crushed under the ball instead of being on the ball, but that does not give everyone the right to go cracking away. Personally, I would have had more respect for this low-life scum, if he/she/it had decided to simply patch up the holes and then announce it in some other fashion. At this point nobody should trust any of the software off of Sourceforge until the developers of said software are able to claim that it is indeed safe from backdoors. I know some of you are against strengthening the laws regarding cracking systems, but I am all for it. I would much rather see some script kiddie, or someone that knows what they are doing, go to prison for 10 to 15 years for breaking and entering into computer systems. Of course the sysadmins at the site that was originally hacked should carry most of the blame on this. I do also understand that it is terribly difficult to know what software is installed on every PC in every office. It still does not excuse the fact that a schmuck in an office somewhere can slap together a giant security hole machine. The originally affected machine should have been screened by the real sysadmins prior to going live. If we could get sysadmins to start pre-screening machines before they go live, it would be possible to greatly cut down on the number of cracks. That should almost be a law, especially since there are so many hacks (Meaning Dumbass) that pretend to be sysadmins out there.

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  156. PMail site also having security issues... by Amerginbard · · Score: 1

    Might be coincidence, but I just strolled over to the Pegasus Mail/Mercury site to see if v4 is out yet, and saw this instead of their download page:

    "site is unavailable because of a recent attempted security breach. We are currently relocating our server, but until the process is complete, we would ask our European users to bear with us and use the North American sites."

  157. Interesting by HardwareLust · · Score: 1

    This mirrored anywhere?

    --
    ...not that I'm a pirate.. Hell I've never even fired a cannon. - oldwolf13
  158. Re:I'm more worried about the precompiled binarys by Roy_Fielding · · Score: 1

    None of the downloadable binaries or packaged distributions at apache.org were modified by the cracker.

  159. Are crackers on the rise or admins slacking by vvx · · Score: 1

    It seems every major crack I've read about in recent times could have been prevented, or at least caught a lot sooner. I wouldn't believe a word some l33t script kiddie told me so I don't know how long the cracker actually was in before being noticed, perhaps it was 5 months, perhaps he got in last Tuesday, if it was me and I had regular backups I could find out probably but it's not. At any rate it should have been caught sooner.
    There's always going to be a new exploit for the best kickass program out next week but at least try and keep your eyes open for compromised systems, and don't think you're immune.. Sheesh..I really don't blame the skript kiddies, they are pesky and annoying but if you're not going to spend 2 seconds analyzing your own security at least someone else will take the time.

    --
    You are the contents of your wallet
  160. Dirty talk @ comp.os.ms-windows.nt.advocacy by jamirocake · · Score: 1
    This is just what i found in USENET groups about the recent hacks ( wow! all of them are from MS groups), not that I HATE MS but regardless of their politics i think this should be investigated and that EVERYONE should play fair!
    {
    "Jan Johanson" wrote in message
    news:3b15c30b$0$771$45beb828@newscene.com...
    > Sourceforge rooted
    > themes.org rooted
    > apache.org rooted
    >
    BTW, what is this going to do to Linux's
    security insurance rates?

    //On another message:

    If this is true, then he could've planted a lot
    of back doors in a lot of
    successful OS projects.
    And if he's smart, he did it subtly, I pity the
    auditors.
    It's hard enough to track bugs, it's harder to
    find intentionally inserted
    bugs.
    Especially in C/C++.

    }
    More info can be found at:
    http://groups.google.com/groups?q=themes.org,+hacked&hl=en&lr=&safe=off&rnum=1&ic=1&selm=3b15c30b%240%24771%2445beb828%40newscene.com
    and
    http://groups.google.com/groups?hl=en&lr=&safe=off&group=comp.os.ms-windows.nt.advocacy

    jamirocake
    --

    --Manuel
    "I hate quotations, tell me what you think"
  161. Re:Anyone have a mirror of the hack? by jamirocake · · Score: 2

    http://66.92.75.28/~vladimir/themes-org.html
    a lot of info there...
    31337= Alienated, angry teenager who compensates voids in his/her life by making him/herself believe that s/he is 'elite' ( a good way to fight an inferiority complex, and an obvious lack of ability to commit her/himself to meaningful relationships ). In other words: a boring pissed off teenager who craves attention because nobody listens to him/her.

    --

    --Manuel
    "I hate quotations, tell me what you think"
  162. Waste of talent, and very scary. by g0rdi · · Score: 1

    A quick point. Not that everyone doesn't already know this, but it is my personal conviction to say something whenever I see 'Hacker' and 'Cracker' being used interchangeably. Hacker: Very talented and very dedicated problem solver that works very hard to fix problems and then publishes the results for free to benefit the computing society. Hackers fix stuff. Cracker: Not blindingly talented, probably doesn't really know 'a whole lot' about programming. Wastes valuable hours that could be used doing something useful carrying out acts of internet violence. Crackers break stuff. With that off my chest I would strongly suggest paying a visit to http://www.insecure.org/sploits_linux.html, or http://www.insecure.org/index.html for those not using *nix. This is a very scary site that lists a *huge* number of exploits on *nix based systems as well as other OS's. By the way, I would say that roughly 90% of the attacks are designed to gain ROOT. I printed off the list (very long) and am reviewing all of my binaries against these exploits and reviewing permissions. Cheers!