Slashdot Mirror

← Back to Stories (view on slashdot.org)

Themes.org Cracked

Posted by CmdrTaco on from the well-isn't-that-special dept.

sammoth writes: "themes.org was hacked [CT:Cracked] and replaced with a rather vulgar logo. The intruder makes some bold statements about the security, or lack there of, on several sites. " Of course I'm still in Tokyo right now, so your guess about what's happening is just as good as mine. And 5000ms ping times to the U.S. East Coast sure makes posting this story tricky ;) Apparently the cracker managed to get into SourceForge and Apache.org too ... and he posted user accounts and passwords on t.o along with a rant that I haven't seen. Update: 05/31 02:40 PM by T : Here's an informative explanation on apache.org of the break-in on that site.

19 of 220 comments (clear)

  1. Evil Overlord List, item #401 by XPulga · · Score: 5

    Whenever a site gets cracked, post an article on slashdot about it (even if you're half globe away with 5000 ms ping delay) so they get slashdotted too.

  2. Re:Rewarding the Hacker? by jonbrewer · · Score: 4

    Good lord, why not? Themes.org and Sourceforge aren't exactly conveying information of vital importance to anyone. Their cracking isn't going to affect the markets, political battles, holy wars, sickness, or starvation anywhere in the world.

    Why not reward the hacker by posting their conquest on Slashdot? Especially since they've proved their talent in such a benign way. And, of course, they've done the community a service by exposing vunerable security holes... which will hopefully be patched before some site of actual significance is hacked, sending the world into economic depression.

    (I sure wish someone had cracked the Florida electoral system beforehand...)

  3. This is why 4.4BSD invented the immutable bit by bee · · Score: 4

    Breakins like this are why the immutable bit was introduced in 4.4BSD. If you set your important executables immutable (ls, ps, ssh, etc) then even if someone does root your box, they can't change those without taking the machine down to single-user mode and changing it there, which in most cases can't be done without physical console access. This trick works for logfiles too; an immutable logfile can be appended to but not deleted or rewritten.

    ---

    --
    At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
  4. Re:Rewarding the Hacker? by JabberWokky · · Score: 5
    And, of course, they've done the community a service by exposing vunerable security holes... which will hopefully be patched before some site of actual significance is hacked, sending the world into economic depression.

    When it was announced that Sourceforge had been hacked, I was the only one that ventured the idea that it wasn't a technical hack, but a social one (okay, that sounds like I've got a swollen head, but the point is, most people lept to the conclusion that it was a technical hole, rather than a social one).

    Most likely, this will not be the only other OSDN and related sites that is defaced - if they got into Sourceforge and Themes.org on stolen passwords, they are probably collecting passwords, looking through history files, hammering through, searching for passwords to other sites. Since it's a fairly small pool of admins that all work together, it is likely that there are some overlap between admins. Plus the odd (and stupid) admin that uses the same passwords at multiple sites.

    Social engineering, stealing a password or swiping a laptop does not beneficially expose security holes unless the password was negligently left out, or the social engineering targeted somebody who shouldn't have had the password anyway. I know a large ISP (one of the, oh, say, top two) where most of the sales force knows the NT Admin password for all machines on the network. That's negligence.

    Having a laptop in session get swiped at Comdex means you better know what's on that laptop (and deal with it quickly), but at that point, can just be a race. And if you leave it at a restaurant, come back the next day to pick it up, unaware that the busboy is a 133t d00d, is that negligence (in a perfect world, yes. In reality, it's a bit more fuzzy).

    And of course, the tendancy towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  5. Re:"What do you if you're owned" by Xofer+D · · Score: 5

    I think this would be a good time to link to The Linux Security HOWTO: What to Do During and After a Breakin , as well as of course the Linux Security HOWTO itself . Don't just read it. Implement it.

    --
    The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  6. A better hack... by Polo · · Score: 5

    A better hack would to be crack slashdot, (possibly from Japan), then post a very subtle and believable story telling of other sites being compromised with "vulgar pictures"...

    and then chuckle in a maniacal way as the slashdot effect works as a DOS attack on those sites...

  7. Taco on "Crack" by QuantumG · · Score: 5

    sigh.

    --
    How we know is more important than what we know.
    1. Re:Taco on "Crack" by Cardhore · · Score: 5
      I agree.

      Remember when the word hacker used to mean someone who breaks into networks or writes code? And crackers were the ones who cracked the copy protection on software and had the "s3r1a1 #'s". They were always grouped with anarchy, virii, and wares all over the net.

      Who cares if "good" and "bad" hackers are called hackers? Most people can understand who you are if you take two minutes to explain which type you are . . . people are surprisingly able to understand these things if someone explains them to them. Most people are willing to listen; just talk to them.

      --
      Got friends?
  8. Mmm.... Infowar. by solios · · Score: 5

    First the DDOS attacks- and probably other sorts of similar high-profile hits before then. Then the discovery that M$'s internal network had been compromised; and now in the past week, Themes.org was cracked and Sourceforge was messed with. Slashdot was compromised a few months ago as well (and the staff was very open about what went down and how it had been possible), and I'm sure there are many others that are escaping my attention at the moment.

    Is it just me, or are these sorts of things on the rise- not only the frequency, but the profile of the target? How long until a *really* high profile, high volume portal or site such as Amazon, Ebay, or Yahoo gets 0wn3d?

    It's geurilla warfare- a war without soldiers, ammunition or human casualties. The attackers cannot be easily found, and even when they are, prosecuting them is difficult, if not impossible (extradition treaties, diplomatics, etceteras). From what I've seen, all of the major targets have been hosted on US soil- I wouldn't be surprised if many of the attackers were overseas. Firewalls don't seem up to the task, and neither do many sysadmins.

    What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)? Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?

    1. Re:Mmm.... Infowar. by dudle · · Score: 5
      What sort of tools exist to prevent this sort of thing (aside from simply using OpenBSD)?

      That's not right! You don't get protected from viruses just by installing Norton Antivirus, you have to constently update it, make sure you run the newest version, etc.

      Securing a system requires deep knowledge about that said system. I don't know shit about OpenBSD. Do you really think I will be more secure if I were to use OpenBSD tomorrow rather than Debian that I know pretty well? I don't think so either.

      Any Gibsonian Black Ice? The TCP/IP equivalents of radar and surface-to-air missiles? Are any of them open sourced, and what is the state of their development?

      Snort, logcheck and the like do help, as long as you stay up to date with BugTraq and you keep you head cold. The minute you think you are secure, you get screwed. All the tools in the world won't help you if you don't know how to use them.

      So what can we do? Well here is my humble opinion:
      Before you get owned

      • Knowledge is gold but documentation is golden.
      • Get a working backup solution in place

      Once you realize you're owned
      1. Unplug the box
      2. Get the hot spare and restore the data on it (you do have a hot spare I hope)
      3. Analyse the system in a post-mortem mode
      4. Reinstall the compromised system from scratch
      Good Luck.

      --
      Looking for a great online backup: Green Backup
  9. Mirror (I think) by chris88 · · Score: 5

    This is what I took from here. Which says it's a mirror.

  10. Re:The rant by zimbu · · Score: 5

    ....I wouldnt be sitting atop a mountain of roots and oodles of proprietary software..

    apache.org and sourceforge.com those are the first places I go to get my proprietary software.

  11. The rant by quickquack · · Score: 5
    Here's what the cracker posted:

    The site's "shell server" was compromised May 22 after a SourceForge employee logged on to an outside Internet service provider that had already been taken over by the intruder, said Pat McGovern, site director of SourceForge.net. When the staff member logged on to SourceForge remotely, the intruder captured the password.

    Well some of that is true, I mean I did trojan ssh but I did it about 5 months ago, so kudos to the admin you sir are awesome..

    "What happened was the (ISP) was compromised and had not known it," McGovern said, adding that the site's administrator quickly noticed the intruder and shut systems down. "Basically we had to go through and rebuild the machine, and then we checked the log file of everyone who used the machine."

    hrm I guess that could also be considered true, if by true you mean, finding out every box on your network is owned 5 months after the fact and only due to my own boredom that consisted of me ircing it infront of the admin, by the way good job of auditing your network, wait thats just too much sarcasm for one sentence..

    After the attack, VA removed the shell service until workers could reinstall the software and data on the server. The shell server allowed SourceForge members to type commands into the system remotely. On Thursday, the company posted an alert that the shell server couldn't be used because of an "unscheduled maintenance event."

    It also allowed me to sniff my way onto apache.org and sourceforge webserver and leave all sorts of goodies in the code..

    In this case, they only got into a shell server," McGovern said.

    Hey, theres no disputing that, I mean.. wait.. Whats this I'm defacing ?

    The company also decided to shut down its "compile farm," a collection of computers running different operating systems on which SourceForge developers can test their software.

    Why would they shut down other boxes, if only the shell server was hacked ?

    Although illicit modifications to the programming projects are a concern, McGovern said the intruder didn't get that far.
    oh come now, you're just being silly..

    Its ok thought I dont blame you guys, I mean atleast you admited to being schooled, thats more then I can say for akamai, but thats a different story all together.. But never the less, I'd like to thank valinux.. apache.. akamai and ofcourse exodus without their poor security and refusal to make security breaches known to the public I wouldnt be sitting atop a mountain of roots and oodles of proprietary software.. This is the fluffy bunny signing of.. beep..

    -fluffy@#blackpanthers on efnet (the scourge of efnet)

    Greets to: dianora.. tsk.. squrl.. cumstud.. glitch.. snow.. dwalrus.. cotton butt.. JAIL MITNICK! / FREE THE SHDWKNGHT!!!!!

    Note: I removed the /etc/passwd file at the end of this. Thought it would be nicer that way.
    ------------

    --
    ------------
    Tonight on Fox: Deadliest Executions Part XVII
  12. Someone should... by hyoo · · Score: 5

    ...hack goatse.cx and put up a non-vulgar picture.

  13. Rewarding the Hacker? by Alien54 · · Score: 5
    While it is nice to know that the site got hacked, aren't we rewarding the hacked by posting all to info in a public forum?

    Sort of between a rock and a hard place here. we need to inform the affected users, but we do not want to reward the hacker with the notoriety they crave.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Rewarding the Hacker? by swillden · · Score: 4

      And of course, the tendancy towards smart cards (which aren't) will only make this problem worse. A bit of biometrics might help: a thumbpad on the side of the card, maybe.

      As someone who designs and implements high-security access control systems for a living, I disagree that smart cards make the problem worse (and they are actually pretty smart). Yes, cards can be stolen, but in any reasonable implementation the cards perform access control on the usage of their stored secrets, requiring password or biometric authentication (actually, I'm not aware of any real-world, secure implementations that use biometrics because unless the matching is done either on the card or in another secure device that shares keys with the card, then biometric authentication is extremely weak).

      Even without a second authentication factor, and even without a secure token, the use of a cryptographic authentication mechanism does vastly improve security over weak, reused and occasionally even sniffable passwords. Applying two-factor authentication, with a secure token as one factor essentially eliminates a whole class of attacks. Use of a host security module on the server is also of great benefit, making it impossible for the attacker to get at the most valuable secrets in the event they manage to compromise the server.

      The tendency towards smart cards does in fact go a very long way towards solving this problem.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  14. Security by iCharles · · Score: 4
    Boy, the security on IIS/NT really sucks to allow such a hack to happen.

    Oh, yeah...

  15. Re:Out come the Wolves... by ocbwilg · · Score: 5

    I can see it now... PR folks from Microsoft, and other closed-source businesses are going to jump all over this (or related matters):

    Please...the absolute last thing MS wants to do is to actually get people started comparing the number of cracked web servers between NT/IIS and anything else. Even their corporate PR droids know that NT/IIS is by far the most exploited/cracked web server combination in the world (and disproportionately so when you consider that they have such a small percentage of the web server marketshare).

  16. This worries me... by Scoria · · Score: 4

    ... and it should worry you as well, if you use any of OSDN's services.

    That's right, any of them. After all, they're keeping very quiet about it and just about everything of OSDN's is getting cracked lately.

    Whoever this is, they must have root or access to sniff network traffic. It seems like whatever they don't already have access to, they can get it.

    Should you be worried? Yes. Is it overreacting? No.

    We rely on these people to keep our source (relatively) secure and disclose the problems that may be occuring...br>
    Will I be using SourceForge to store my code? No. I'll use a local box behind a firewall with no services, except a secure FTP daemon, allowed.

    If nothing else, at least keep a local backup, as many people don't seem to be doing this. They may have even installed a trojan into the box to insert code into the applications.

    Or maybe even a trojaned build of 'make.'

    You never know...

    --
    Do you like German cars?