
Ubuntu forums back online after attack analysis reveals XSS tactic


The compromise of an individual account and configuration settings led to the recent issue with the Ubuntu forums.

According to a blog post, the Linux user forum is back up and running after an attacker accessed a moderator account and posted announcements and private messages to three forum administrators.

The attacker claimed that there was a server error on the announcement page and asked the other administrator to look; that account was subsequently compromised as well.

It said: “We believe the attacker added a cross-site scripting attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker. Once the attacker gained administrator access in the forums, they were able to add a hook through the administrator control panel.

“Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user’ table to a file on disk which they then downloaded.”

Ubuntu determined that the attacker had full access to the vBulletin environment as an administrator and shell access as the ‘www-data’ user on the Forums app servers. This access was used to download the ‘user’ table, which contained usernames, email addresses and salted and hashed (using md5) passwords for 1.82 million users.
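As an added illustration (not part of the article or of Ubuntu's own writeup), the Python below shows one way a defender could have spotted the second stage described above: a hook that executes PHP supplied in a query-string argument leaves that PHP in the web server's access log, so requests whose decoded parameters contain PHP constructs can be flagged. The log format, sample lines, IP addresses and parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (Apache combined format); not real Ubuntu Forums data.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2013:22:15:01 +0000] "GET /forum.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2013:22:15:09 +0000] "GET /forum.php?cmd=system%28%27id%27%29%3B HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2013:22:16:30 +0000] "GET /showthread.php?t=42&page=2 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2013:22:17:44 +0000] "POST /index.php?x=eval%28base64_decode%28%24_POST%5B%27p%27%5D%29%29%3B HTTP/1.1" 200 40 "-" "curl/7.29"
"""

# Minimal parser for the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP constructs that have no business inside a forum URL parameter.
PHP_RE = re.compile(
    r"\b(?:eval|system|exec|shell_exec|passthru|assert|base64_decode)\s*\("
    r"|\$_(?:GET|POST|REQUEST)\b|\bphp://",
    re.IGNORECASE,
)


def suspicious_params(url):
    """Return (name, value) pairs whose decoded value looks like PHP code."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl already decodes once; decode again to catch double-encoded payloads.
        decoded = unquote_plus(value)
        if PHP_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return one finding per request whose query string carries PHP code."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["params"])
```

Because the hook in this incident ran on every page load, the payload can arrive on any path, so the check is on the decoded parameters rather than on a particular script name.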

However, it does not know how the attacker gained access to the moderator account used to start the attack, or which cross-site scripting attack was used, because the announcement the attacker posted had been deleted by one of the Forum administrators.

In response, it has asked users to change their passwords, wiped and rebuilt the servers, and manually imported data into a fresh database after sanity-checking each table.

It has also switched the forums to use Ubuntu single sign-on for user authentication, implemented automated expiry of inactive moderator and administrator accounts, reviewed and further hardened the firewalling around the Forums servers, and now forces HTTPS for the administrator and moderator control panels while making it optionally available everywhere else.

“There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings,” it said.


“We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. Finally, we'd like once again to apologize for the security breach, the data leak and downtime.”


At the time of reporting the attack, Ubuntu said that the forums had been down due to maintenance and confirmed that attackers had gained every user's local username, password and email address from the Ubuntu Forums database.
