
Ubuntu forums back online after attack analysis reveals XSS tactic


The compromise of an individual account and configuration settings led to the recent issue with the Ubuntu forums.

According to a blog post, the Linux user forum is back up and running after an attacker accessed a moderator account and posted announcements and private messages to three forum administrators.

The attacker claimed that there was a server error on the announcement page and asked the other administrators to look; an administrator who did so was subsequently compromised as well.

It said: “We believe the attacker added a cross-site scripting attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker. Once the attacker gained administrator access in the forums, they were able to add a hook through the administrator control panel.

“Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user’ table to a file on disk which they then downloaded.”

Ubuntu determined that the attacker had full access to the vBulletin environment as an administrator and shell access as the ‘www-data’ user on the Forums app servers. This access was used to download the ‘user’ table, which contained usernames, email addresses and salted and hashed (using md5) passwords for 1.82 million users.
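As an added illustration, not code from the article, from Ubuntu or from vBulletin, the following audit flags plugin hooks of the kind described above: PHP that feeds request input into an execution sink, or that unpacks an encoded payload. It assumes the hook rows have been exported with the columns shown (the vBulletin column names are an assumption) and runs on constructed sample rows.

```python
import re
from dataclasses import dataclass

# Sinks that execute whatever string they are given, and the request
# variables a visitor controls; a hook that joins the two is the shape
# described above (arbitrary PHP passed in a query-string argument).
SINK_RE = re.compile(
    r"\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$GLOBALS\b")
DECODER_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
BACKTICK_RE = re.compile(r"`[^`\n]+`")  # PHP backtick operator runs a shell command


@dataclass
class Hook:
    """One exported row of the plugin table (column names are an assumption)."""
    pluginid: int
    title: str
    hookname: str
    active: int
    phpcode: str


def audit_hook(hook: Hook) -> list[str]:
    """Return the reasons this hook deserves manual review (empty list = clean)."""
    reasons = []
    sinks = {m.lower() for m in SINK_RE.findall(hook.phpcode)}
    if sinks and REQUEST_RE.search(hook.phpcode):
        reasons.append("request input reaches execution sink: " + ", ".join(sorted(sinks)))
    if DECODER_RE.search(hook.phpcode):
        reasons.append("decoder call typical of packed payloads")
    if BACKTICK_RE.search(hook.phpcode):
        reasons.append("backtick shell execution")
    return reasons


def audit_hooks(hooks: list[Hook]) -> dict[int, list[str]]:
    """Map pluginid -> reasons for every hook that trips a rule, active or not."""
    return {h.pluginid: r for h in hooks if (r := audit_hook(h))}


# Constructed sample rows, not data from the Ubuntu Forums incident.
SAMPLE_HOOKS = [
    Hook(1, "Footer notice", "global_start", 1,
         "$footer .= '<p>' . htmlspecialchars($vbulletin->options['notice']) . '</p>';"),
    Hook(2, "Page counter", "showthread_start", 1,
         "$page = intval($_GET['page']); $vbulletin->input->clean($page, TYPE_UINT);"),
    Hook(3, "Cache helper", "global_start", 1,
         "if (isset($_REQUEST['x'])) { eval($_REQUEST['x']); }"),
    Hook(4, "Stats", "init_startup", 0,
         "eval(base64_decode($_POST['p']));"),
]

if __name__ == "__main__":
    for pid, reasons in audit_hooks(SAMPLE_HOOKS).items():
        print(f"plugin {pid}: " + "; ".join(reasons))
```

Inactive hooks are reported too, since a disabled row can be re-enabled from the same control panel the attacker used; every hit still needs a human to read the code, as legitimate add-ons also contain PHP.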

However, it does not know how the attacker gained access to the moderator account used to start the attack, or which cross-site scripting attack was used, as the announcement the attacker posted was deleted by one of the Forum administrators.

In response, it has asked users to change their passwords, wiped and rebuilt the servers, and manually imported data into a fresh database after sanity-checking each table.

It has also switched the forums to use Ubuntu single sign-on for user authentication, implemented automated expiry of inactive moderator and administrator accounts, reviewed and further hardened the firewalling around the Forums servers, and now forces HTTPS for the administrator and moderator control panels while making it optionally available everywhere else.

“There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings,” it said.

“We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. Finally, we'd like once again to apologize for the security breach, the data leak and downtime.”

At the time of reporting the attack, Ubuntu said that the forums had been down due to maintenance and confirmed that attackers had gained every user's local username, password and email address from the Ubuntu Forums database.
