Feeds

Apache.org owned by white hats

Hacking as a spiritual work of mercy

  • alert
  • submit to reddit

The essential guide to IT transformation

Friendly strangers briefly took over the Apache Software Foundation server by exploiting a series of common configuration errors, and then announced their presence by inserting an advertisement for Microsoft at the bottom of the home page.

The open-source Apache is the most popular HTTP page server software currently in use. The intruders gained root access to Apache.org and could have done considerable damage, including replacing the Apache software offered for download with versions containing a Trojan which would have given them access to servers running all subsequent copies downloaded from the Apache.org Web site. In spite of the damage they could have done, they confined themselves to verifying their exploits, fixing one hole in Apache.org's server configuration, and leaving behind a harmless reminder.

They also posted the full details of their exploits. The intruders originally gained easy access via FTP, discovered a plethora of world-writable directories (tsk, tsk), and installed a simple BIND shell which they could execute remotely via Telnet and from which they learned what services were running and the contents of most directories. Apache.org was running the BugZilla bug-tracking software, which requires a Mysql account. They found Mysql available locally and running as user root, though the BugZilla documentation warns against running Mysql as root.

"We hacked www.apache.org because there are a lot of servers running apache software and if www.apache.org got compromised, somebody could backdoor the apache server source [code] and end up having lots of owned boxes," the intruders said. "We just couldn't allow this to happen, we secured the main ftproot==wwwroot thing. While having owned root we just couldn't stand the urge to put that small logo on it." The intruders, who go by the aliases {} and Hardbeat, showed a bit of purist pride.

"We didn't wanted [sic] to use any buffer overflow or some lame exploit; [our] goal was to reach root with only configuration faults," they explained. Apache.org took the exploit in the spirit in which it was meant. "They seemed friendly. It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention," Apache Software Foundation director Rasmus Lerdorf said in an interview with CNET. "We can only blame ourselves. It's quite embarrassing, but it's a good little heads-up," Lerdorf reportedly said. This has to qualify him as the kewlest corporate suit in the known universe.

Boost IT visibility and business value

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
Banking apps: Handy, can grab all your money... and RIDDLED with coding flaws
Yep, that one place you'd hoped you wouldn't find 'em
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Primetime precrime? Minority Report TV series 'being developed'
I have to know. I have to find out what happened to my life
Broadband slow and expensive? Blame Telstra says CloudFlare
Won't peer, will gouge for Internet transit
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?