Slashdot Mirror


Project Hosting Service Fosshub Compromised, Embedding Malware Inside Hosted Files (softpedia.com)

At least some applications on Fosshub, a free project hosting service, appear to have been compromised, according to several reports. (Update: Fosshub has acknowledged the hack.) The software portal, furthermore, is serving malware payloads, reports add. Catalin Cimpanu of Softpedia says that a hacking group which goes by the name of PeggleCrew is responsible for the hack.

"In short, a network service with no authentication was exposed to the internet," the hacker told Softpedia in an email. "We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email." The hacker group told the publication that they have compromised the entire website, "including the administrator's email." He also revealed he didn't dump the site's database but claimed that "passwords weren't salted."

A user on Reddit, who has since received lots of upvotes, adds: "Some popular apps that have links to FossHub that may be infected include: Audacity, WinDirStat, qBittorrent, MKVToolNix, Spybot Search&Destroy, Calibre, SMPlayer, HWiNFO, MyPhoneExplorer, and IrfanView."

Another application which has reportedly been compromised is Classic Shell. It is ostensibly overwriting the MBR on users' computers. Many users are upset with the timing of hack, noting that plenty of people were looking for Classic Shell amid the release of Windows 10 Anniversary Update.

Update: 08/03 17:30 GMT by M: In a blog post, Audacity said that Fosshub was serving a hacked copy of its audio editing software for three hours. It adds that "no Audacity Team infrastructure was compromised."

Fosshub team writes: "Last night we had a security incident caused by a group of hackers that allowed them to log-in to FossHub developer *through* an user that was compromised. Shortly after, we noticed two users that were compromised. They simply logged-in using their passwords and this allowed them to escalate. [...] Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage. FossHub.com is down on purpose until we are able to identify the way hackers were able to escalate."

Fosshub insists that the hacked copy of Classic Shell was only downloaded 300 times. In the meantime, if you know someone who may have downloaded the compromised copy of Classic Shell, here's what they need to do next.

57 comments

  1. Well, crap by Snotnose · · Score: 2

    I updated Classic Shell yesterday. How do I tell if my MBR got re-written, or other malware got installed?

    1. Re:Well, crap by OverlordQ · · Score: 1

      Make a rescue disk. Reboot. If you can, you're fine; if not, use the rescue disk to rebuild the MBR.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Well, crap by Anonymous Coward · · Score: 0

      I updated Classic Shell yesterday. How do I tell if my MBR got re-written, or other malware got installed?

      I just installed it too, immediately after installing the Anniversary Edition update.

      Oh fuck me.

    3. Re:Well, crap by Anonymous Coward · · Score: 0

      You already been done fucked, son.

    4. Re:Well, crap by Anonymous Coward · · Score: 0

      Install Linux.

    5. Re:Well, crap by Anonymous Coward · · Score: 0

      That strategy didn't work out too well for FossHub themselves, did it?

    6. Re:Well, crap by Anonymous Coward · · Score: 0

      I bit the bullet and rebooted. I still seem to be here.

    7. Re:Well, crap by RDW · · Score: 1

      First check if you installed the clean version:

      http://www.classicshell.net/fo...

      Otherwise, don't reboot yet, do a backup now, then follow the instructions from the link in the story above.

      What the story doesn't mention is that MS helpfully deletes Classic Start Menu (well, moves it to Windows.old) when the Anniversary Update is installed, which is the only reason people were downloading a fresh copy of the Classic Shell installer rather than using the built-in update function (which wasn't affected by the malware).

    8. Re:Well, crap by mobby_6kl · · Score: 2

      Why don't you reboot the system and see? =)

      I have to say that as much as it sucks for those affected (which is not that much, since it's just the MBR), this virus is like a breath of fresh retro-air. Check out the message

      Ahh, it's like being in 1998 again and getting your drive wiped by CIH. Those were the days.

  2. Malware host file by Anonymous Coward · · Score: 1

    I don't know anything about malware hosted files... but I can tell you a lot about apk's malware infested host file.

  3. it's ok, all install packages are signed in 2016.. by Anonymous Coward · · Score: 0

    ...right? right?

  4. Well, that just sucks - I love Classic Shell by Anonymous Coward · · Score: 0

    It's one of the best programs since Windows 8 came out.

    1. Re:Well, that just sucks - I love Classic Shell by lhowaf · · Score: 1

      Cool story Bro. How much did you donate?

  5. Send negligent website operators to prison by Anonymous Coward · · Score: 0

    There's really no excuse for a site being compromised in this manner. In order to gain such access, there must be extreme negligence, one instance of which is the lack of salted passwords. This is all too common, yet website operators who should know better fail to properly secure their sites. At some point, sorry isn't enough, and we need to start imposing real penalties for negligent security practices. If a business made this mistake, there would be calls for sanctions against the business. It's time to send website operators to prison, regardless of whether it's for business or not, when they should know better and their negligence can harm other users. Maybe security will improve when people start going to jail for criminal negligence.

    1. Re:Send negligent website operators to prison by Anonymous Coward · · Score: 0

      Maybe security will improve when web admins stop wasting their time on Slashdot and Reddit...that and #anonops, of course.

  6. Stop relying on other websites by Anonymous Coward · · Score: 0

    Stop relying on project-hosting websites like Fosshub, Github, etc. Host your own damn projects on your own website on your own servers.

    1. Re:Stop relying on other websites by tepples · · Score: 1

      Which web-based or otherwise graphical tool to manage a Git remote on your own server, as well as issues and pull requests and other things that code hosting services do for their users, do you recommend?

    2. Re:Stop relying on other websites by Night+Goat · · Score: 1

      GitLab. It's basically a fork of GitHub and does the same sort of stuff.

  7. Any timeline on the compromise? by Nanoda · · Score: 2

    I couldn't find any information on _when_ this was likely to have happened. I use 1/2 that list at home and the office, but haven't updated any in a few weeks at least, so I'd like to check that out.

    1. Re:Any timeline on the compromise? by Anonymous Coward · · Score: 0

      I couldn't find any information on _when_ this was likely to have happened.

      According to the Audacity project, the malware was being served "For about 3 hours on August 2nd 2016". See

      http://www.audacityteam.org/compromised-download-partner/

  8. All the World's a Stage by Anonymous Coward · · Score: 0

    and we are merely players in various subdivisions. Conform! Or be cast out!

    1. Re:All the World's a Stage by Anonymous Coward · · Score: 0

      women made from the bone, for the bone.

    2. Re:All the World's a Stage by The-Ixian · · Score: 2

      I think you have your Rush albums confused...

      --
      My eyes reflect the stars and a smile lights up my face.
  9. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    Also look at what they said in the summary here

    Some popular apps that have links to FossHub that may be infected include: Audacity, WinDirStat, qBittorrent, MKVToolNix, Spybot Search&Destroy, Calibre, SMPlayer, HWiNFO, MyPhoneExplorer, and IrfanView.

    Simply put, if they think those may be infected it is a simple restore from backup from like all over the Internet literally.

    "THAT MAY BE INFECTED" oh yeah, seriously guys. No, seriously ya.

  10. Ouch by Anonymous Coward · · Score: 1

    Ouch.

    That site was pretty thoroughly compromised. It's going to take ages to clean up this mess. If it was me, I don't think I could ever trust that site to host my files again.

    My only concerns now are: were source repositories compromised and is there any chance compromised applications will make it - or have made it - into, say, Debian or Fedora, or did the compromise just affect Windows installers (as the summary implies)?

  11. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    Yep it is FUD. It may take 20 minutes to put the right MD5'd files back up, only because of having to change passwords.

    An email to Softpedia is Social Engineering in-reverse 101.

    usually you send an email to get somebody to believe something so you can hack them.

    In this case it is an email to a bullshit site claiming they were already hacked. Same deal. Social engineering but posted on Slashdot as news.

    Fuck you Slashdot. Use your heads ok?

  12. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    They say the hacker group is PeggleCrew

    That is a US government hacking group. I know my hackers.

    OurMine is Israel but not state sponsored.

    Anonymous is Israel state sponsored.

    Lizard Squad is NSA.

  13. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    Well what it sounds like then, if PeggleCrew is a government crew, and this story is a lie. The government are pushing lies on Slashdot now.

  14. Many users are upset with the timing of hack by Anonymous Coward · · Score: 0

    "Many users are upset with the timing of hack"

    That makes it sound like that Fosshub chose when they were to get hacked.

  15. Re:WHAT A MIGHTY BIG SUMMARY YOU HAVE LIARS by Anonymous Coward · · Score: 0

    OH YEAH. Hackers are totally targeting image viewer installers now. It was through some audio editing software and shit. Totally got over on those clowns. mmhm yep. Fucked them royal, no KY. This is the new age new age of bullshit.

    The motive? Fuck Windows installers of open source shit. yeah, hate it when they go to war and shit.

    Total all out anarchy online now, better lock down the interwebs. We need Microsoft's security team to contact Google now. This could go global.

    thermo

    nuclear

    warfare.

    falken.

  16. Based on the comments i've read here, Slashdot by Anonymous Coward · · Score: 0

    look like some bitches now. Maybe soylentnews now?

    1. Re:Based on the comments i've read here, Slashdot by Anonymous Coward · · Score: 0

      New submitter: PINOCCHIO says, no everything Slashdot said is for sure gospel.

  17. MINUS 1 MINUS 1 MINUS 1 IT IS THE TRUTH THEN by Anonymous Coward · · Score: 0

    HEADS UP, this is a fact. Nothing gets -1 unless it demands attention.

  18. WinDirStat by Anonymous Coward · · Score: 0

    I actually got burned with WinDirStat (trying to free up space in a VM). Since it was a VM, no big loss/deal to fix. Now I just have to figure out why the new Windows 10 Anniversary Update logs me out automatically. *sigh*

    1. Re:WinDirStat by Anonymous Coward · · Score: 0

      Sure you did.

      Perfect timing to find out your free disk space in Windows with a port of kdirstat. Everybody who knows about the port also uses Windows 10 because windirstat and kdirstat are 24/7 front page of the Wall Street Journal.

      You lying piece of shit. You just happened to download a hosed port of a linux app at the time it was allegedly corrupted... and you also use AND NAME the anniversary update of windows 10

      You are very articulate with Windows update naming *bullshit* but you somehow are just unlucky enough to install windirstat onto your Windows 10 ANNI ANNI ANNNNIVERSARY improvement, update, increased, better, brand new, stylin, get all the bitches, update upgrade.

      shut your ass.

      "I actually got burned". Mother fucker just jump off a building.

    2. Re:WinDirStat by Anonymous Coward · · Score: 0

      You wish you could bullshit everybody don't you?

  19. Classic Shell info by Futurepower(R) · · Score: 3, Informative

    This is a discussion of the temporarily infected Classic Shell installation file: W10 anniversary update, installed CS4.3, had to repair OS.

    Clean: ClassicShellSetup_4_3_0.exe
    MD5: e10881b65c27c6e09e5a33cd8bcd99c6
    SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
    File size: 7220496 bytes

    Infected: ClassicShellSetup_4_3_0.exe
    MD5: c67dff7c65792e6ea24aa748f34b9232
    SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
    File size: 7148732 bytes

    1. Re:Classic Shell info by Anonymous Coward · · Score: 0

      Checked. According to the hashes I'm clean. Guess I dodged a bullet?

      On the bright side, I did learn about several rescue tools very, very quickly. So there's that.
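
The hash comparison from the "Classic Shell info" comment above, as an added example that is not part of the original thread: it checks a downloaded installer against the MD5, SHA1 and file size posted there and accepts a verdict only when all three agree. The function names and the "partial-match" verdict are assumptions of this example.

```python
import hashlib
import sys

# Reference values copied from the "Classic Shell info" comment on this page.
KNOWN = {
    "clean": {
        "md5": "e10881b65c27c6e09e5a33cd8bcd99c6",
        "sha1": "a6b06d07fe3b1a7204b1b62c67fbf3c602385364",
        "size": 7220496,
    },
    "infected": {
        "md5": "c67dff7c65792e6ea24aa748f34b9232",
        "sha1": "438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e",
        "size": 7148732,
    },
}


def fingerprint(path, chunk_size=1 << 20):
    """Stream the file once and return its MD5, SHA1 and byte count."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def classify(fp):
    """Return 'clean', 'infected', 'partial-match' or 'unknown'."""
    partial = False
    for verdict, ref in KNOWN.items():
        hits = [fp[key] == ref[key] for key in ("md5", "sha1", "size")]
        if all(hits):
            return verdict
        # One digest matching while another field differs is never a pass:
        # MD5 and SHA1 are both collision-weak, so require full agreement.
        if hits[0] or hits[1]:
            partial = True
    return "partial-match" if partial else "unknown"


if __name__ == "__main__":
    # Usage: python check_installer.py ClassicShellSetup_4_3_0.exe
    for path in sys.argv[1:]:
        print(path, classify(fingerprint(path)))
```

An "unknown" result only means the file is neither of the two builds listed in the comment; it says nothing about other versions of the installer.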

  20. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    Further, nobody using open source is going to also use Reddit.

    Lie.

  21. Should have used APPS! by Anonymous Coward · · Score: 0

    Only LUDDITES infect Appdows 10 with LUDDITE Classic Shell because they're too stupid to use appy app apps!

    Apps!

    1. Re:Should have used APPS! by Anonymous Coward · · Score: 0

      You need some new material, son. Your act is getting old.

  22. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    So Fosshub's statement acknowledging the hack means nothing?

  23. No TLS by Anonymous Coward · · Score: 0

    If a popular downloading website doesn't secure their site with TLS then they deserve to get hacked. Ninite is much better to package your downloads anyway. This website needs to burn.

    1. Re:No TLS by laurencetux · · Score: 1

      to be exact if you drop more than say US$18 a month in fixing folks computers then getting Ninite Pro should be something you do NOW

      (and if you need one of the bigger subs then please tell me you are not doing your software installs manually)

      SOHO computer techs are what Ninite Pro is designed for

  24. Softpedia - pot meet kettle by Anonymous Coward · · Score: 0

    This is the Softpedia which scrapes open-source project sites for files and then downloads them to their servers to offer to the world.
    Softpedia tends to host chunks of the original content, and not all of the content. In the case of many open-source projects, they have one or two versions and they are not the most recent.

    Softpedia should STFU, fucking parasites.

    They are hijacking open source projects and have as much integrity as the u.s. government or that dead fuck which used to run apple.

  25. qBittorrent GPG signatures by Anonymous Coward · · Score: 0

    qBittorrent has GPG signed files. It also double hosts them on FossHub and Sourceforge.

  26. Microsoft will soon change the name to EVILSoft. by Anonymous Coward · · Score: 0

    "Windows logo when you start up? Then you got malware installed."

    More technically precise: Should be "Then you got EVIL installed." Malware is destructive in only one or a few ways. With Windows 10, Microsoft plans an ongoing delivery of EVIL.

  27. Slashdot == Pinocchio is an insult to Pinocchio by tepples · · Score: 2

    Contrary to popular misconception, Pinocchio is not a pathological liar in the story but instead someone who learns from his mistakes, including learning not to need to lie. If only Slashdot were the same way.

  28. Re:=IT DID NOT HAPPEN= SLASHFUD by Anonymous Coward · · Score: 0

    No, you're just a moron. Classic Shell forum post about the hack and a screenshot which is exactly what I saw. Jesus, you're a bunch of pathetic paranoid fucks.

    Website gets hacked, a few suckers (like me) have to fix their mbr (and partition as it breaks that too for some), and life goes on.