Slashdot Mirror
Themes.org Cracked
sammoth writes: "themes.org was hacked [CT:Cracked] and
replaced with a rather vulgar logo. The intruder makes some bold statements about the security, or lack there of, on several sites. " Of course I'm still in Tokyo right now, so your guess about what's happening is just as good as mine. And 5000ms ping times to the U.S. East Coast sure makes posting this story tricky ;) Apparently the cracker managed to get into SourceForge and Apache.org too ... and he posted user accounts and passwords on t.o along with a rant that I haven't seen. Update: 05/31 02:40 PM by T : Here's an informative explanation on apache.org of the break-in on that site.
It looks like they were running 1.3.12 on Linux. I believe that is an old edition.
link
Rule #1: Unplug the ethernet cable, not the power. It's hard to do a post-mortem if your filesystem is crashed.
:)
Rule #2: don't give any indication that you're aware the box has been rooted before you engage rule #1.
Rule #3: Don't trust anything that might have gone through that box for a reasonable period of time. Re-password, check other machines, reinstall software, etc. Good luck.
Rule #4: Run OpenBSD and don't get rooted.
Whenever a site gets cracked, post an article on slashdot about it (even if you're half globe away with 5000 ms ping delay) so they get slashdotted too.
What do you think the chances are that what dudle is doing with Debian will work automatically with the default install of OpenBSD? IIRC the default install runs the following list of services: inetd. I think most people probably want more services running on their server than that. Also the problem with sourceforge (and probably t.o too, I haven't looked) was bad password/shared password with another system/password transmitted cleartext, which BSD certainly won't fix.
The original author was not stating that BSD wasn't more secure out of the box than Debian; he was saying that their security was similar enough that having a competent admin on a Debian server is more secure than an incompetent admin on a BSD server running the same services. OpenBSD well be the most secure Unix on the face of the earth, but no system is so secure that it solves ignorance.
I don't know what is the best answer to this.
I kind of wondered if this wasn't in part why attrition.org finally shut down. While they were helping to publicize problems, they also sort of encouraged the problems by giving them publicity.
I doubt Microsoft even cares...
But on a positive note, at least it will keep the Linux zealots quiet for a week or two about how superior they think Open Source is.
Well of course you choose the statistics to fit the argument.
My point was essentionally, what offers a juicier target to most hackers? Little known "Hi my name is Joe" sites, or various commercial ops?
As such in the grand scheme of things, there are far more IIS websites running commercial ops than there are Apache, so it makes since they would be a more likely target.
It all depends on so many factors. I also suspect the script kiddies tend to be more familiar with Windows.
Yes it is interesting...
Notice how I said SSL survey?
You missed that part, didn't you?
You don't think Microsoft performs offsite backups?
The point I made was that the higher percentage of SSL enabled IIS sites provided a much more attractive attack target.
Calling the point irrelevant has no bearing on the discussion. It may be irrelevant to you but that is only because you are either incapable or unwilling to understand the point.
Yes a large number of sites have been defaced in the past couple of months do the the worms on Linux and Solaris.
/. geek seems to be incapable of understanding such issues.
Honestly I think this discussion is rather pointless in this forum. We're not talking about the quality of software, but rather sociological issues. The typical
As I pointed out numerous posts ago, financial motivation is only one small part of it.
The primary goal to defacements is to have it noticed. Clearly "Hi my name is Bob" website which is likely unvisited and unmaintained is not going to get much notice.
Defacing a commercial website which obtains many hits does get noticed. The vast majority of these use SSL.
In the past several months there have been a number of worms in the Linux and Solaris worlds which have gone through and defaced probably thousands of websites. Now in these cases, the worm is non-discrimanatory and attacks whatever it finds is open. In this situation, your understanding is correct.
As far as implying your stupid, I have no need to do that. You keep responding.
Well I'm not sure what you mean by small percentage.
Microsoft has around 50% of the commercial web server space according to the Netcraft SSL survey. That's a fairly large chunk considering the next competitor is Apache with 30%.
Apache is certainly used for a lot of hosted web sites... you know the routine "Hi my name is Joe and this is my website!"
Now one could probably argue that it's easier to knock off the small websites. After all they probably aren't maintained frequently.
But on the other hand, they also aren't accessed frequently so who would notice?
Much more fun to hit the high profile sites. Especially if there are some juicy credit card numbers to be had because of poor site design.
Bill Gates arrested? Never...
The difference is that on the Internet people seem to be much more willing to do bad things. Therefore, you have to be totally up on security. Let's look at it from this perspective:
In other areas of life, security isn't that big of a deal. It's easy to break into cars, it's easy to break into stores. I can deface just about any building in town if I wanted to. However, fewer people consider this allowable behavior, so you don't need the same kind of security to prevent this.
In the same way, you could probably murder entire buildings worth of people simply by putting dangerous chemicals in their air-conditioning system, because most air-conditioning systems aren't well-guarded at all. However, most people have more of a respect for life than that. On the internet, there isn't much respect for anything. So, you can either accept that you're going to get hacked, or spend all day keeping up with updates.
Engineering and the Ultimate
This might be it.
Attrition is dead. Maybe /. could become the new home for orphaned defacements.
If tits were wings it'd be flying around.
We try to keep While(1).org fairly secure. Here is a general overview of our security process. It should be helpful for many novice UNIX admins.
Good lord, why not? Themes.org and Sourceforge aren't exactly conveying information of vital importance to anyone. Their cracking isn't going to affect the markets, political battles, holy wars, sickness, or starvation anywhere in the world.
Why not reward the hacker by posting their conquest on Slashdot? Especially since they've proved their talent in such a benign way. And, of course, they've done the community a service by exposing vunerable security holes... which will hopefully be patched before some site of actual significance is hacked, sending the world into economic depression.
(I sure wish someone had cracked the Florida electoral system beforehand...)
I have to agree with you there. My background is in biometric authentication (of the non-weak variety).
Cryptograph authentication does indeed improove security vastly. As long as the password / private key is SAFE then you will have no problems. The use of smart cards that include their own host processor is the way to go.
Eliminating passwords would save the world a whole lot of grief, IMHO.
Pan
I said no... but I missed and it came out yes.
Amazon being 0wned?
Thats news to me, and I am in a group that would know.
--
Linux O Muerte!
Do you believe him? Somebody cracked it, but why believe that it was this guy?
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
Consider this to be an official offer of bounty. Hack goatse.cx, post fluffy bunnies and a public key. I, for one, will contribute to whoever pulls it off. GO FOR IT!
-- Michael Chermside
PS: This offer is not actually intended to violate any laws.
Breakins like this are why the immutable bit was introduced in 4.4BSD. If you set your important executables immutable (ls, ps, ssh, etc) then even if someone does root your box, they can't change those without taking the machine down to single-user mode and changing it there, which in most cases can't be done without physical console access. This trick works for logfiles too; an immutable logfile can be appended to but not deleted or rewritten.
---
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.
Well some of that is true, I mean I did trojan ssh but I did it about 5 months a go, so kudos to the admin you sir are awesome..
"What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."
hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it infront of the admin, by the way good job of auditing your network, wait thats just too much sarcasm for one sentence..
After the attack, VA removed the shell service until workers could reinstall the software and data on the server.The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."
It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..
In this case, they only got into a shell server," McGovern said.
Hey, theres no disputing that, I mean.. wait.. Whats this I'm defacing ?
The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.
Why would they shut down other boxes, if only the shell server was hacked ?
Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.
oh come now, you're just being silly..
Its ok thought I dont blame you guys, I mean atleast you admited to being schooled, thats more then I can say for akamai, but thats a different story all together.. But never the less, I'd like to thank valinux.. apache.. akamai and ofcourse exodus without their poor security and refusal to make security breaches known to the public I wouldnt be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing of.. beep..
-fluffy@#blackpanthers on efnet(the scourge of efnet)
But if the cracker replaced the colors on /. with ones that DON'T hurt a human's eyes, who's to say that it would be a totally bad thing?
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Gods! The only thing worse than a troll who finds a thesaurus, is an argument with nothing to back it up.
shit man, you haven't been on the microsoft campus lately have you???
or do you not ever step outside M$'s marketing department?
That's classic Microsoft FUD. It has taken the US federal and state governments years and millions of dollars to take Microsoft to court, and they still don't have a decisive result. What chance does anyone else have of proving them "liable", even leaving aside the EULA's exclusion of liability?
Personally, I can run a diff of my Apache and other source checkouts against what's currently in the tree, and know for sure what's changed. I find that much more reassuring that you handwaving about "check digits".
When it was announced that Sourceforge had been hacked, I was the only one that ventured the idea that it wasn't a technical hack, but a social one (okay, that sounds like I've got a swollen head, but the point is, most people lept to the conclusion that it was a technical hole, rather than a social one).
Most likely, this will not be the only other OSDN and related sites that is defaced - if they got into Sourceforge and Themes.org on stolen passwords, they are probably collecting passwords, looking through history files, hammering through, searching for passwords to other sites. Since it's a fairly small pool of admins that all work together, it is likely that there are some overlap between admins. Plus the odd (and stupid) admin that uses the same passwords at multiple sites.
Social engineering, stealing a password or swiping a laptop does not beneficially expose security holes unless the password was negligently left out, or the social engineering targeted somebody who shouldn't have had the password anyway. I know a large ISP (one of the, oh, say, top two) where most of the sales force knows the NT Admin password for all machines on the network. That's negligence.
Having a laptop in session get swiped at Comdex means you better know what's on that laptop (and deal with it quickly), but at that point, can just be a race. And if you leave it at a restaurant, come back the next day to pick it up, unaware that the busboy is a 133t d00d, is that negligence (in a perfect world, yes. In reality, it's a bit more fuzzy).
And of course, the tendancy towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.
--
Evan
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
====
Earlier this month, a public server of the Apache Software Foundation (ASF) was illegally accessed by unknown crackers. The intrusion into this server, which handles the public mail lists, web services, and the source code repositories of all ASF projects was quickly discovered, and the server immediately taken offline. Security specialists and administrators determined the extent of the intrusion, repaired the damage, and brought the server back into public service.
The public server that was affected by the incident serves as a source code repository as well as the main distribution server for binary release of ASF software. There is no evidence that any source or binary code was affected by the intrusion, and the integrity of all binary versions of ASF software has been explicitly verified. This includes the industry-leading Apache web server.
Specifically: on May 17th, an Apache developer with a sourceforge.net account logged into a shell account at SourceForge, and then logged from there into his account at apache.org. The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he replaced our ssh client and server with versions designed to log names and passwords. When they did this replacement, the nightly automated security audits caught the change, as well as a few other trojaned executables the cracker had left behind. Once we discovered the compromise, we shut down ssh entirely, and through the serial console performed an exhaustive audit of the system. Once a fresh copy of the operating system was installed, backdoors removed, and passwords zeroed out, ssh and commit access was re-enabled. After this, an exhaustive audit of all Apache source code and binary distributions was performed.
The ASF is working closely with other organizations as the investigation continues, specifically examining the link to other intrusion(s), such as that at SourceForge (http://sourceforge.net/) [ and php.net (http://www.php.net/). ]
Through an extra verification step available to the ASF, the integrity of all source code repositories is being individually verified by developers. This is possible because ASF source code is distributed under an open-source license, and the source code is publicly and freely available. Therefore, the ASF repositories are being compared against the thousands of copies that have been distributed around the globe. While it was quickly determined that the source code repositories on the ASF server were untouched by the intruders, this extra verification step provides additional assurance that no damage was done.
As of Tuesday, May 29, most of the repository has been checked, and as expected, no problems have been found. A list of verified modules will be maintained, and is available here: http://www.apache.org/info/hack-20010519.html
Because of the possible link of the ASF server intrusion to other computer security incidents, the investigation is ongoing. When complete, the ASF will offer a complete and public report.
The Apache Software Foundation strongly condemns this illegal intrusion, and is evaluating all options, including prosecution of the individual(s) responsible to the fullest extent of the law. Anyone with pertinent information relating to this or other related events should contact root@apache.org. Anyone from the media with further interest should contact press@apache.org.
Thanks.Brian Behlendorf
President, Apache Software Foundation
====
Boffoonery - downloadable Comedy Benefit for Bletchley Park
A better hack would to be crack slashdot, (possibly from Japan), then post a very subtle and believable story telling of other sites being compromised with "vulgar pictures"...
and then chuckle in a maniacal way as the slashdot effect works as a DOS attack on those sites...
You should of course also change passwords for any account you might have ssh'd to from one of the compromised servers...
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
re-installing is *not* the solution. Checksum your binaries when you first install (and dont have the network plugged in when you do it ok?) and if/when you get owned, take the box offline, pull out the harddrive, put it into a machine with no harddrives, boot off your forensic analysis floppy and check it. Hopefully, the security team at VA Linux knows this.
How we know is more important than what we know.
Norton protects you against known viruses. Virus writers check their virus before releasing it (and yes, they still release it, no matter how much we tried to tell them that wasn't what it was all about) so they know the AV dont detect it. It is only after it has been discovered "in the wild" that the virus signatures are determined and the checker updated.
How we know is more important than what we know.
sigh.
How we know is more important than what we know.
First the DDOS attacks- and probably other sorts of similar high-profile hits before then. Then the discovery that M$'s internal network had been compromised; and now in the past week, Themes.org was cracked and Sourceforge was messed with. Slashdot was compromised a few months ago as well (and the staff was very open about what went down and how it had been possible), and I'm sure there are many others that are escaping my attention at the moment.
Is it just me, or are these sorts of things on the rise- not only the frequency, but the profile of the target? How long until a *really* high profile, high volume portal or site such as Amazon, Ebay, or Yahoo gets 0wn3d?
It's geurilla warfare- a war without soldiers, ammunition or human casualties. The attackers cannot be easily found, and even when they are, prosecuting them is difficult, if not impossible (extradition treaties, diplomatics, etceteras). From what I've seen, all of the major targets have been hosted on US soil- I wouldn't be surprised if many of the attackers were overseas. Firewalls don't seem up to the task, and neither do many sysadmins.
What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)? Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?
This is what I took from here. Which says it's a mirror.
I would like a copy of this list, do you know where I can find one? I'm a user (bugg@users.sourceforge.net) at SF and have SSH'd places from their shell before; but I don't know if that was before or after the comprimise.
-bugg
I for one will offer many-a-virtual beers to the one 1337 d00d doing that !
--
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
This is the problem that was faced with the airline hijackings a decade ago. Eventually, the major news organizations agreed to report only that a plane had been hijacked: they refused to disclose by whom or their demands. Of course, with a more distributed news apparatus in the internet, this sort of thing might be more difficult today (especially considering responses like comment #33). I suppose the only option available to us is increased airport security, so to speak.
~~~~~~
under-paid karma whore
But apache itself was never exploited. It was all done using ssh. The Secure Shell is to blame here. I wonder if it was the commercial SSH or OpenSSH?
-------------
HAL 7000, fewer features than the HAL 9000, but just as homicidal!
apache.org and sourceforge.com those are the first places I go to get my proprietary software.
Actaully http://defaced.alldas.de/ has already taken over this role. Mind you themes.org doesn't seem to be on there yet!? They do however provide all the info on operating systems and multiple attacks, etc.
I must say this is somewhat understated. Dude, I'm not trying to flame you here, I am way more upset with by the stupidity of the Apache developer that gave up his password. So I am apologizing in advance, this is just the "right" place for my comment.
Guys with access to ASF machines should never under any circumstance feed their password into an untrusted system. With Apache running on 60%+ of the WWW it is way too fucking big of a risk. Since fluffy bunny claims s/he rooted machines at Exodus 5 months ago, the question now exists, um geez, are all my Apache boxes trojaned?.
The ASF is right to verify the integrity of their source by going back to the many many distributed copies of the source they have, however, I believe this might be an insufficient effort because the source could have been trojaned way in the past.
cat
Dude, I agree the FMII facelift totally blows and has caused fewer page views from my IP. I would like to gently point out that the themes.org break-in is not the real news here...The news is the hax0r who did it claims to have rooted admin machines at Exodus some 5 months ago. Exodus hosts a lot of big sites, this could be a really big deal if the claims are true.
cat
Thats the problem. The hacker trojaned the ssh binary on a *shell* server that the ISP was providing. So, some admin jumped onto the shell server and ssh'ed from that to the OSDN boxes.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
But on a positive note, at least it will keep the Linux zealots quiet for a week or two about how superior they think Open Source is.
When has it ever in the past? No, this will be spun into being "proof" as to how much better Open Source is when it comes to security than Closed Source software.
NO CARRIER
The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.
Well some of that is true, I mean I did trojan ssh but I did it about 5 months ago, so kudos to the admin you sir are awesome..
"What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."
hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it infront of the admin, by the way good job of auditing your network, wait thats just too much sarcasm for one sentence..
After the attack, VA removed the shell service until workers could reinstall the software and data on the server. The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."
It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..
In this case, they only got into a shell server," McGovern said.
Hey, theres no disputing that, I mean.. wait.. Whats this I'm defacing ?
The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.
Why would they shut down other boxes, if only the shell server was hacked ?
Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.
oh come now, you're just being silly..
Its ok thought I dont blame you guys, I mean atleast you admited to being schooled, thats more then I can say for akamai, but thats a different story all together.. But never the less, I'd like to thank valinux.. apache.. akamai and ofcourse exodus without their poor security and refusal to make security breaches known to the public I wouldnt be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing of.. beep..
-fluffy@#blackpanthers on efnet (the scourge of efnet)
Greets to: dianora.. tsk.. squrl.. cumstud.. glitch.. snow.. dwalrus.. cotton butt.. JAIL MITNICK! / FREE THE SHDWKNGHT!!!!!
/etc/passwd file at the end of this. Thought it would be nicer that way.
Note: I removed the
------------
------------
Tonight on Fox: Deadliest Executions Part XVII
...hack goatse.cx and put up a non-vulgar picture.
I used to hate seeing "everyone's vulnerable" and "its only a matter of time" messages, and typically passed them off as paranoia, this, though, is scary. Apache.org got broken into as well? Damn...
I'd like to know what's broken, I wonder who else is vulnerable.
Mooniacs for iOS and Android
Well, exactly are you going to send a thumbprint when you're logging on remotely ? As a binary stream... ? (then it too can of course be exploited in the same way as the password).
Bioinformatics may work fine when you're at the fysical location, but remotely.. hardly.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
Sort of between a rock and a hard place here. we need to inform the affected users, but we do not want to reward the hacker with the notoriety they crave.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
well some system admins are damn busy with meetings, assisting users, setting up phone lines, buying hardware and software, administrative tasks, etc.
So instead of saying that they're incompetent, consider the fact that they may be busy doing other unrelated tasks.
Actually, everything you are doing on a remote compromized machine can be monitored by the attacher.
I find that every change in a familiar site rubs me the wrong way, for a week or so. I try to give it a couple of months before complaining. But themes.org has been getting less usable with each update, and a couple of years later I continue to miss OctoberX's original design.
It's a shame - I used to check it out at least once a week, I downloaded a lot and contributed quite a few. But it's been months since I last looked at the site.
As long as I'm bitching, the Freshmeat facelift has been a step back for me, too. I hope the VA folks don't decide Slashdot neds improving. Better hosting (especially during the EST late afternoon/early evening) will be fine, thanks.
Unsettling MOTD at my ISP.
But, http://defaced.alldas.de/ should have it soon.
The big remaining questions are how many sysadmins at sites "trusted" by a compromised box should be looking for rootkits and dusting off backup CDs... and how many man-hours will it take to audit the hosted code to regain confidence that there ISN'T a backdoor somewhere...
--Ken
what the hell... peopl are mirroring deleting th passwords sugarkane.rgv.net/~diamondc/themesownage.html
"I keep looking in the want-ads under 'revolutionary' but there don't seem to be any listings.. "
Oh, yeah...
Microsoft has around 50% of the commercial web server space according to the Netcraft SSL survey. That's a fairly large chunk considering the next competitor is Apache with 30%.
That may be true when you're looking at the SSL survey, but overall Apache is far and away ahead of NT/IIS. Not everybody is running an e-commerce site off their web servers.
Much more fun to hit the high profile sites. Especially if there are some juicy credit card numbers to be had because of poor site design.
That might be true for a small number of crackers, but the overwhelming majority of sites that get cracked are victims of simple exploit-and-deface maneuvers.
Please reread the original post. In SSL sites Apache is NOT king at this point -- it is a distant second to IIS.
But that is irrelevant to this discussion. We are talking about number of overall exploits/cracks/defacement incidents as a percentage relative to overall marketshare. In that arena, MS definitely scores the highest. Period. There is no wiggling out of it by citing SSL surveys instead of overall. SSL-enabled sites are not the only ones that get exploited! Your statement regarding Microsoft's marketshare according to the Netcraft SSL survey is about as relevant here as me pointing out that the average human head weighs 8 pounds.
The point I made was that the higher percentage of SSL enabled IIS sites provided a much more attractive attack target.
Calling the point irrelevant has no bearing on the discussion. It may be irrelevant to you but that is only because you are either incapable or unwilling to understand the point.
I explained this to you once before but you didn't get it, so I will explain this to you yet again...in detail:
It may be true that SSL protected/e-commerce sites provide a more attractive target for some crackers (those who are financially motivated), but the vast majority of servers that are being cracked are not targeted for financial gain. They are simple exploit and deface tricks. They are script kiddies who want to show someone that they can exploit a well-publiscized security hole and see their name up in lights.
If the majority of security breaches were in fact finanically motivated or had some sort of financial component, then your excuse about MS having a hgiher marketshare among SSL enabled sites might be relevant. But since the overwhelming majority of security breaches are not financially motivated and are simple site defacements then obviously the "financial motivation" theory that you posit is not applicable to those cases.
Trying to insult me by implying that I'm stupid won't change that.
My point was essentionally, what offers a juicier target to most hackers? Little known "Hi my name is Joe" sites, or various commercial ops?
Blah blah blah...yeah, we know. But your argument that only "hit my name is Joe sites" are the ones running Apache is somewhat flawed. Lots of commercial sites run Apache. Beyond that, there are a large number of business-oriented web sites that are not e-commerce sites. They may simply be online brochures for companies or a places to find more news and information about a company (like McDonald's and Burger King, two sites that were relatively recently cracked and defaced).
It all depends on so many factors. I also suspect the script kiddies tend to be more familiar with Windows.
And now you contradict yourself by implying that script kiddies are going out to hack commercial sites. They're not. Script kiddies are out to see their name in lights. If it's by defacing Burger King's online brochure, so be it. If it's by defacing Amazon.com and disrupting that days transactions, so be it. The business (or non-business) purpose of the site is irrelevant.
Go research the kinds of sites that have been breached over the past year. Start at attrition.org or alldas.de and keep going. I think that you'll find that very few of them are actually big "commercial operations" (or e-commerce sites). Most of them will be companies or organizations that you're probably never even heard of.
I can see it now... PR folks from Microsoft, and other closed-source businesses are going to jump all over this (or related matters):
Please...the absolute last thing MS wants to do is to actually get people started comparing the number of cracked web servers between NT/IIS and anything else. Even their corporate PR droids know that NT/IIS is by far the most exploited/cracked web server combination in the world (and disproportionately so when you consider that they have such a small percentage of the web server marketshare).
... and it should worry you as well, if you use any of OSDN's services.
That's right, any of them. After all, they're keeping very quiet about it and just about everything of OSDN's is getting cracked lately.
Whoever this is, they must have root or access to sniff network traffic. It seems like whatever they don't already have access to, they can get it.
Should you be worried? Yes. Is it overreacting? No.
We rely on these people to keep our source (relatively) secure and disclose the problems that may be occuring...br>
Will I be using SourceForge to store my code? No. I'll use a local box behind a firewall with no services, except a secure FTP daemon, allowed.
If nothing else, at least keep a local backup, as many people don't seem to be doing this. They may have even installed a trojan into the box to insert code into the applications.
Or maybe even a trojaned build of 'make.'
You never know...
Do you like German cars?
Everytime I read another one of these releases about yet another site being defaced by yet another cracker with a sniffer. Two things come to mind. The first one is where the heck was this kid's parents when being taught the diference between right and wrong. The other thing is why attack a community that for all intent and purposes is attempting to build something for the greater good of all mankind? The act of breaking and entering, which is what happened, is a terribly deplorable act. I do understand that the sysadmins at the site were crushed under the ball instead of being on the ball, but that does not give everyone the right to go cracking away. Personally, I would have had more respect for this low-life scum, if he/she/it had decided to simply patch up the holes and then announce it in some other fashion. At this point nobody should trust any of the software off of Sourceforge until the developers of said software are able to claim that it is indeed safe from backdoors. I know some of you are against strengthening the laws regarding cracking systems, but I am all for it. I would much rather see some script kiddie, or someone that knows what they are doing, go to prison for 10 to 15 years for breaking and entering into computer systems. Of course the sysadmins at the site that was originally hacked should carry most of the blame on this. I do also understand that it is terribly dificult to know what software is installed on every PC in every office. It still does not excuse the fact that a schmuck in an office somewhere can slap together a giant security hole machine. The originally affected machine should have been screened by the real sysadmins prior to going live. If we could get sysadmins to start pre-screening machines before they go live, it would be possible to grealy cutdown on the number of cracks. That should almost be a law, especially since there are so many hacks (Meaning Dumbass) that pretend to be sysadmins out there.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
http://66.92.75.28/~vladimir/themes-org.html
a lot of info there...
31337= Alienated, anger teenager who compensates voids in his/her life by making him/herself believe that s/he is 'elite' ( a good way to fight an inferiority complex, and an obious lack of ablity to commit her/himself to meaningful relationships ). In other words: a boring pissed off teenager who craves attention because nobody listens to him/her.
--Manuel
"I hate quotations, tell me what you think"