Slashdot Mirror

← Back to Stories (view on slashdot.org)

Project Hosting Service Fosshub Compromised, Embedding Malware Inside Hosted Files (softpedia.com)

Posted by msmash on from the security-woes dept.

At least some applications on Fosshub, a free project hosting service appear to have been compromised, according to several reports. (Update: Fosshub has acknowledged the hack.) The software portal, furthermore, is serving malware payloads, reports add. Catalin Cimpanu of Softpedia says that a hacking group which goes by the name of PeggleCrew is responsible for the hack. "In short, a network service with no authentication was exposed to the internet," the hacker told Softpedia in an email. "We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email." The hacker group told the publication that they have compromised the entire website, "including the administrator's email. He also revealed he didn't dump the site's database but claimed that "passwords weren't salted." A user on Reddit, who has since received lots of upvotes, adds: Some popular apps that have links to FossHub that may be infected include: Audacity, WinDirStat, qBittorrent, MKVToolNix, Spybot Search&Destroy, Calibre, SMPlayer, HWiNFO, MyPhoneExplorer, and IrfanView.Another application which has reportedly been compromised is Classic Shell. It is ostensibly overwriting the MBR on users' computers. Many users are upset with the timing of hack, noting that plenty of people were looking for Classic Shell amid the release of Windows 10 Anniversary Update. Update: 08/03 17:30 GMT by M :In a blog post, Audacity said that Fosshub was serving a hacked copy of its audio editing software for three hours. It adds that "no Audacity Team infrastructure was compromised." Fosshub team writes: Last night we had a security incident caused by a group of hackers that allowed them to log-in to FossHub developer *through* an user that was compromised. Shortly after, we noticed two users that were compromised. They simply logged-in using their passwords and this allowed them to escalate. [...] Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage. FossHub.com is down on purpose until we are able to identify the way hackers were able to escalate. Fosshub insists that the hacked copy of Classic Shell was only downloaded 300 times. In the meantime, if you know someone who may have downloaded the compromised copy of Classic Shell, here's what they need to do next.

14 of 57 comments (clear)

  1. Well, crap by Snotnose · · Score: 2

    I updated Classic Shell yesterday. How do I tell if my MBR got re-written, or other malware got installed?

    1. Re:Well, crap by OverlordQ · · Score: 1

      make a rescue disk. Reboot. If you can, you're fine, if not use rescue disk to rebuild mbr

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Well, crap by RDW · · Score: 1

      First check if you installed the clean version:

      http://www.classicshell.net/fo...

      Otherwise, don't reboot yet, do a backup now, then follow the instructions from the link in the story above.

      What the story doesn't mention is that MS helpfully deletes Classic Start Menu (well, moves it to Windows.old) when the Anniversary Update is installed, which is the only reason people were downloading a fresh copy of the Classic Shell installer rather than using the built-in update function (which wasn't affected by the malware).

    3. Re:Well, crap by mobby_6kl · · Score: 2

      Why don't you reboot the system and see? =)

      I have to say that as much as it sucks for those affected (which is not that much, since it's just the MBR), this virus is like a breath of fresh retro-air. Check out the message

      Ahh, it's like being in 1998 again and getting your drive wiped by CIH. Those were the days.

  2. Malware host file by Anonymous Coward · · Score: 1

    I don't know anything about malware hosted files... but I can tell you a lot about apk's malware infested host file.

  3. Any timeline on the compromise? by Nanoda · · Score: 2

    I couldn't find any information on _when_ this was likely to have happened. I use 1/2 that list at home and the office, but haven't updated any in a few weeks at least, so I'd like to check that out.

  4. Ouch by Anonymous Coward · · Score: 1

    Ouch.

    That site was pretty thoroughly compromised. It's going to take ages to clean up this mess. If it was me, I don't think I could ever trust that site to host my files again.

    My only concerns now are: where source repositories compromised and is there any chance compromised applications will make it - or have made it - into, say, Debian or Fedora, or did the compromise just affect Windows installers (as the summary implies)?

  5. Re:All the World's a Stage by The-Ixian · · Score: 2

    I think you have your Rush albums confused...

    --
    My eyes reflect the stars and a smile lights up my face.
  6. Classic Shell info by Futurepower(R) · · Score: 3, Informative

    This is a discussion of the temporarily infected Classic Shell installation file: W10 anniversary update, installed CS4.3, had to repair OS.

    Clean: ClassicShellSetup_4_3_0.exe
    MD5: e10881b65c27c6e09e5a33cd8bcd99c6
    SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
    File size: 7220496 bytes

    Infected: ClassicShellSetup_4_3_0.exe
    MD5: c67dff7c65792e6ea24aa748f34b9232
    SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
    File size: 7148732 bytes

  7. Re:No TLS by laurencetux · · Score: 1

    to be exact if you drop more than say US$18 a month in fixing folks computers then getting Ninite Pro should be something you do NOW

    (and if you need one of the bigger subs then please tell me you are not doing your software installs manually)

    SOHO computer techs are what Ninite Pro is designed for

  8. Re:Well, that just sucks - I love Classic Shell by lhowaf · · Score: 1

    Cool story Bro. How much did you donate?

  9. Re:Stop relying on other websites by tepples · · Score: 1

    Which web-based or otherwise graphical tool to manage a Git remote on your own server, as well as issues and pull requests and other things that code hosting services do for their users, do you recommend?

  10. Slashdot == Pinocchio is an insult to Pinocchio by tepples · · Score: 2

    Contrary to popular misconception, Pinocchio is not a pathological liar in the story but instead someone who learns from his mistakes, including learning not to need to lie. If only Slashdot were the same way.

  11. Re:Stop relying on other websites by Night+Goat · · Score: 1

    GitLab. It's basically a fork of GitHub and does the same sort of stuff.