Kuro5hin.org: technology and culture, from the trenches
www.apache.org Cracked

By rusty in News
Thu May 04, 2000 at 03:48:53 PM EST
Tags: Security

An email from Brian Behlendorf to the modperl mailing list alerts us that the main webserver for the Apache project was compromised, through misconfigurations of FTP and Bugzilla (the bug-tracking system created originally for the Mozilla project). The admins were made aware of the problem by the appearance of a banner ad for Microsoft Back Office on www.apache.org, and have been in contact with those who found the hole. Behlendorf stresses the fact that this was *not* due to a hole in Apache, or any related products, but came about through overly lax administration policies. Apache.org will no longer run FTP, and Behlendorf recommends you double-check the PGP signatures on anything you download from them for a while. He also notes that they will not be running Bugzilla until it has been thoroughly audited, and are in search of a suitable replacement. More details will be posted to Bugtraq when they are available.

Update [2000-5-5 2:12:41 by rusty]: Here's how it was done. Clever little multi-layer crack.


Related Links
o email from Brian Behlendorf
o Bugzilla
o Mozilla
o Bugtraq
o how it was done
www.apache.org Cracked | 25 comments (25 topical, 0 editorial, 0 hidden)
Man I've been seeing this a lot. O... (none / 0) (#3)
by marlowe on Thu May 04, 2000 at 01:42:30 PM EST

marlowe voted 1 on this story.

Man I've been seeing this a lot. Overly lax administration policies. Or as HAL would say, "human error". Kinda begs the question of why there's so much laxness around.
-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --

Re: Man I've been seeing this a lot. O... (4.50 / 2) (#17)
by Anonymous Hero on Thu May 04, 2000 at 06:37:54 PM EST

http://www.dataloss.net/papers/how.defaced.apache.org.txt has the 'How They Did it'. One of the guys is a sysadmin of Vuurwerk, one of Hollands largest webhosters.

[ Parent ]
Re: Man I've been seeing this a lot. O... (none / 0) (#19)
by Marcin on Thu May 04, 2000 at 07:02:58 PM EST

http://www.dataloss.net/papers/how.defaced.apache.org.txt has the 'How They Did it'. One of the guys is a sysadmin of Vuurwerk, one of Hollands largest webhosters.

It's really 'cool' to see how 'proper' crackers work, rather than some lameass script kiddies. And having this sort of info published means you can look out for the same vulnerabilities on your system.
M.
[ Parent ]

I think it's very important that th... (none / 0) (#2)
by Y on Thu May 04, 2000 at 01:52:02 PM EST

Y voted 1 on this story.

I think it's very important that this information gets out, especially the part about checking downloads from the site against a PGP key. Apache plays a large role on servers worldwide, so it would be best to exercise caution until the dust has cleared.

I'm a tad confused. Is bugzilla ref... (none / 0) (#5)
by nicktamm on Thu May 04, 2000 at 02:06:10 PM EST

nicktamm voted 1 on this story.

I'm a tad confused. Is bugzilla referring to Mozilla, or something else which I haven't heard of? A mod for apache? Interesting story though.
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org

Re: I'm a tad confused. Is bugzilla ref... (none / 0) (#11)
by rusty on Thu May 04, 2000 at 03:55:04 PM EST

I added a link to bugzilla-- it's a perl bug-tracking system that mozilla.org developed for the mozilla project. Apache was using it for development, and a lot of other free software projects use it as well. Hopefully the bugzilla compromise is not universal. That would be Bad.

____
Not the real rusty
[ Parent ]
They were letting rusty do their ad... (4.00 / 1) (#6)
by MadDreamer on Thu May 04, 2000 at 02:09:56 PM EST

MadDreamer voted 1 on this story.

They were letting rusty do their administration eh?

Very funny. :-) (nm) (none / 0) (#10)
by rusty on Thu May 04, 2000 at 03:53:33 PM EST



____
Not the real rusty
[ Parent ]
I wonder if ZD will use this as "ev... (none / 0) (#1)
by evro on Thu May 04, 2000 at 02:16:06 PM EST

evro voted 1 on this story.

I wonder if ZD will use this as "evidence" that open source projects don't work (regardless of the fact that Apache itself wasn't the source of the problem).
---
"Asking me who to follow -- don't ask me, I don't know!"

Re: I wonder if ZD will use this as (none / 0) (#18)
by Marcin on Thu May 04, 2000 at 06:56:03 PM EST

I wonder if ZD will use this as "evidence" that open source projects don't work (regardless of the fact that Apache itself wasn't the source of the problem).

When I read the story I cringed a little (well, on the inside ;) ) because I can just see a whole bunch of articles saying "OPEN SOURCE APACHE WEBSERVER CRACKED!" and whatever.

Then again, you have to admit that places like /. are guilty of this sort of thing when it comes to IIS. I've seen plenty of stories saying that a massive security hole was found in IIS only to have a retraction a few hours later. I'm not defending MS here, I'm just making a point about zealotry ;)
M.
[ Parent ]

Re: I wonder if ZD will use this as (none / 0) (#23)
by rusty on Thu May 04, 2000 at 11:56:22 PM EST

Hear, hear. Remember the Front Page "backdoor"? Pshaw. I always hesitate when I hear about some big new security vulnerability before reporting it, because like email viruses, 90% of them are hoaxes, or at worst, misinterpretations. In this case, it was a definite event and I thought it was worth letting people know, especially since it was the root distribution machine for a very widely used software package. But yeah, every site has their bias, and /. and ZDNet, despite falling on different sides of the fence, engage in generally the same kind of thing. I hope we'll avoid most of that here, but time will tell.

____
Not the real rusty
[ Parent ]
This is a pretty important story, a... (none / 0) (#4)
by dlc on Thu May 04, 2000 at 02:24:41 PM EST

dlc voted 1 on this story.

This is a pretty important story, and should get out there.


(darren)

important news.... (none / 0) (#7)
by thelaw on Thu May 04, 2000 at 03:35:51 PM EST

thelaw voted 1 on this story.

important news.

How long have they been compromised... (none / 0) (#8)
by h2odragon on Thu May 04, 2000 at 03:48:53 PM EST

h2odragon voted 1 on this story.

How long have they been compromised?

Re: How long have they been compromised... (none / 0) (#9)
by rusty on Thu May 04, 2000 at 03:52:52 PM EST

All the details I have are in the email linked to above. I assume more detailed info will appear on bugtraq in due time. He does say that the intruder was one of the good-guys, and wasn't trying to break in for evil purposes (he let them know immediately). But that does open the possibility that the nice guy was not the first to find the problem.

____
Not the real rusty
[ Parent ]
Attrition Mirror (3.00 / 1) (#12)
by Anonymous Hero on Thu May 04, 2000 at 04:19:43 PM EST

The Attrition mirror of the hacked site is available here. It's pretty funny, check out the image as well as its ALT tag.

OSS cracks vs Mac, Win, Unix(tm) (none / 0) (#13)
by FlinkDelDinky on Thu May 04, 2000 at 05:17:59 PM EST

Here on K5 I read a lot of stories about cracks. Most seem to be Linux oriented. As a Linux user, trying unsuccessfully to get cable modem access, I'm a little concerned.

If I do get cable access, would Win98 be more secure than my Debian Linux (no networking services, this is just a home computer workstation, I browse the net, nobody browses me)?

I don't hear about any devastating NT breakins, just Linux. Is it that K5 is so heavily freenix oriented that nobody cares about the other guys' problems?

I'm a security newbie so don't break out your flamethrowers, besides I'm really skinny so the eatin won't be too tasty.

Re: OSS cracks vs Mac, Win, Unix(tm) (none / 0) (#14)
by rusty on Thu May 04, 2000 at 05:27:16 PM EST

Basically, yes-- NT or windows vulnerabilities hold little interest for me. They happen all the time, I just don't come across them much, and no one seems to submit them. No, your debian box will be perfectly secure if you set it up to be so. If you don't need network services, shut them off. Edit /etc/inetd.conf to not run any services you don't need, and check your init scripts to see what gets turned on by default, and turn it off. Chances are that if you do these fairly simple things, your box will be more secure than a Win98 box would be. Don't get the idea that linux is insecure just because we report on vulnerabilities here-- in fact, that ought to be reassuring. A system without any public security advisories is probably the worst choice for a secure system. :-)

____
Not the real rusty
[ Parent ]
Re: OSS cracks vs Mac, Win, Unix(tm) (none / 0) (#21)
by Anonymous Hero on Thu May 04, 2000 at 09:02:20 PM EST

Edit /etc/inetd.conf to not run any services you don't need...

Or just turn inetd off. Home users don't usually need to run services.

Also, many Linux/UNIX vulnerabilities enable an attacker to gain root access to a system. With Win9x, anyone walking up to the system already has root access - that's why you'll never hear about a Win9x root-access vulnerability.

[ Parent ]

Re: OSS cracks vs Mac, Win, Unix(tm) (none / 0) (#20)
by techt on Thu May 04, 2000 at 07:19:53 PM EST

Somewhat related information on the number of Defacements by Operating System can be found on attrition.org. They compare Windows NT, Linux, BSD, and All Others from August 1, 1999 to May 1, 2000. Take a look at a graph of all defacements combined.
--
Proud member of the Electronic Frontier Foundation!
Are You? http://www.eff.org/support/joineff.html
[ Parent ]
A thought on security (none / 0) (#15)
by Notromda on Thu May 04, 2000 at 05:29:29 PM EST

Saying that Windows is more secure than linux is like saying you are more likely to get run over in the middle of the street than on the sidewalk. Well, duh, but you can't drive cars on the sidewalk. Windows98 doesn't offer as many services, and thus is less likely overall to be cracked. Is it more secure? No... Turn off all the services on a Linux box, and it's probably more secure.

At least with Linux(or BSD's) you can easily tell what open ports you have... netstat -a

Re: A thought on security (none / 0) (#16)
by fvw on Thu May 04, 2000 at 06:24:30 PM EST

Hate to dip my fly in your ointment, but actually windows can do that as well....

[ Parent ]
Windows Security. (none / 0) (#24)
by Inoshiro on Fri May 05, 2000 at 01:42:47 AM EST

Technically speaking, Windows 9x is secure because it is "dumb" .. ;-)

It is the general "quality" of the end users on Win9x that leads to trojans installing themselves. Rarely are the remotely exploitable bugs bad enough that you can stick in code (remote root).



--
[ イノシロ ]
[ Parent ]
bugzilla is a pretty big kludge... (none / 0) (#22)
by otis wildflower on Thu May 04, 2000 at 11:23:22 PM EST

.... and it pretty much requires you to run mysql very insecurely, as well as have the web user be able to write files in the bugzilla tree. you need to be somewhat of a whiz to get it running securely, and/or break functionality you might otherwise want (like compiling mysql to not include networked client capabilities). I haven't tried it with suEXEC yet, I just got it running in-house for a trouble-ticket system.

Not too far away from misconfiguring to allow exploits, but Bugzilla does need to run more securely.

Whine whine, I don't have the time time to fix it..


[root@usmc.mil /]# chmod a+x /bin/laden
I don't feel so bad.... (none / 0) (#25)
by Notromda on Fri May 05, 2000 at 09:58:59 AM EST

I guess maybe my security skills are better than average, after all, if sites like apache.org can get rooted by such simple methods... Well, it was a good hack, but... world writable directories, where ftp uploads can place files? whoops! That sounds like the "hack NT vs Linux" contest - the initial flaw was a writable cgi-bin directory by the same owner as the webserver.

The warning about not running mysql as root is a good one though - I just recently made that change myself, and it is indeed easier to sleep at night, now that I have very few processes actually running as root.
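Two of the checks recommended in this thread, rusty's advice to disable every inetd service you do not need and Notromda's point about world-writable directories that FTP uploads can reach, written up as a small audit script. This is an added example, not code from the thread or from the Apache project; the default paths /etc/inetd.conf and /var/ftp are assumptions, and both functions accept another path.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Apache project.
# Two of the checks the commenters recommend, written as functions that
# take a path argument so they can be run against any file or tree.
# The defaults (/etc/inetd.conf, /var/ftp) are assumptions.

# Print the service (first field) of every enabled inetd.conf entry.
# Blank lines and lines whose first field starts with '#' (including
# Debian's "#<off>#" marker) are disabled and are skipped.
enabled_inetd_services() {
    conf="${1:-/etc/inetd.conf}"
    [ -r "$conf" ] || return 0
    awk 'NF && $1 !~ /^#/ { print $1 }' "$conf"
}

# List directories under a tree that any user may write to, which is what
# an anonymous FTP upload area has to be. Sticky directories are listed
# too but marked: the sticky bit only protects other users' files from
# deletion, it does nothing to stop a file being dropped there.
world_writable_dirs() {
    root="${1:-/var/ftp}"
    [ -d "$root" ] || return 0
    find "$root" -type d -perm -002 ! -perm -1000 -print
    find "$root" -type d -perm -002 -perm -1000 -print | sed 's/$/ (sticky)/'
}

# Live report: inetd services, world-writable dirs, listening sockets
# (the netstat -a check from the thread) and processes running as root.
# Only runs when invoked as "audit.sh --live [inetd.conf] [ftp-root]".
report() {
    echo "== enabled inetd services (${1:-/etc/inetd.conf})"
    enabled_inetd_services "$1"
    echo "== world-writable directories under ${2:-/var/ftp}"
    world_writable_dirs "$2"
    echo "== listening sockets"
    netstat -tuln 2>/dev/null || ss -tuln
    echo "== processes running as root"
    ps -eo user,pid,comm | awk 'NR == 1 || $1 == "root"'
}

case "${1:-}" in
    --live) report "$2" "$3" ;;
esac
```

Anything the first section lists is a network service reachable from outside, and anything the second section lists without the sticky marker is a place an anonymous user can both drop and later overwrite files.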
