Jump to content

Ubuntu Forums hack


gpdjohn

Recommended Posts

as explained in a ZD Net article,

In its latest announcement, Canonical broke down its understanding of how it believes it had been breached.

The initial attack happened on July 14, with a moderator account used to post an announcement on the forum. The announcement itself is believed to have contained a cross-site scripting (XSS) attack, designed to steal the login session information from the victim's browser cookie. The compromised moderator account was then used to message three of the boards' administrators, allowing the attacker to hijack an administrator's login session.

Once armed with the administrator's privileges, the attacker then inserted a "hook" in the vBulletin web-forum software to allow them to execute arbitrary code. This hook was in turn used to upload two shell kits, giving the attacker the same privileges on the server as the process running vBulletin — in this case, it was limited to www-data, an account with restricted access to the server, commonly used only for web services.

While this account doesn't provide root access to the rest of the server, it did allow the attacker to dump user information, making off with the usernames, email addresses, and salted and md5-hashed passwords for 1.82 million users.

The missing pieces of the puzzle are how the attacker originally gained access to the moderator account, and what XSS attack was used as one of the administrators deleted the post that triggered it.

Cleaning up its breach, Canonical has reset all system and database passwords, rebuilt the servers running vBulletin, informed all users, and moved to its Ubuntu Single Sign On system for logins. It has also closed off the ability for hooks to be modified or added, disabled the ability for moderators to potentially post code that could allow XSS attacks, and implemented the automatic expiry of inactive moderator and administrator accounts.

Other good housekeeping measures include reviewing and hardening its server configuration and firewall policies, and forcing HTTPS for administrators and moderators.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...