Feeds

Apache.org owned by white hats

Hacking as a spiritual work of mercy

  • alert
  • submit to reddit

High performance access to file storage

Friendly strangers briefly took over the Apache Software Foundation server by exploiting a series of common configuration errors, and then announced their presence by inserting an advertisement for Microsoft at the bottom of the home page.

The open-source Apache is the most popular HTTP page server software currently in use. The intruders gained root access to Apache.org and could have done considerable damage, including replacing the Apache software offered for download with versions containing a Trojan which would have given them access to servers running all subsequent copies downloaded from the Apache.org Web site. In spite of the damage they could have done, they confined themselves to verifying their exploits, fixing one hole in Apache.org's server configuration, and leaving behind a harmless reminder.

They also posted the full details of their exploits. The intruders originally gained easy access via FTP, discovered a plethora of world-writable directories (tsk, tsk), and installed a simple BIND shell which they could execute remotely via Telnet and from which they learned what services were running and the contents of most directories. Apache.org was running the BugZilla bug-tracking software, which requires a Mysql account. They found Mysql available locally and running as user root, though the BugZilla documentation warns against running Mysql as root.

"We hacked www.apache.org because there are a lot of servers running apache software and if www.apache.org got compromised, somebody could backdoor the apache server source [code] and end up having lots of owned boxes," the intruders said. "We just couldn't allow this to happen, we secured the main ftproot==wwwroot thing. While having owned root we just couldn't stand the urge to put that small logo on it." The intruders, who go by the aliases {} and Hardbeat, showed a bit of purist pride.

"We didn't wanted [sic] to use any buffer overflow or some lame exploit; [our] goal was to reach root with only configuration faults," they explained. Apache.org took the exploit in the spirit in which it was meant. "They seemed friendly. It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention," Apache Software Foundation director Rasmus Lerdorf said in an interview with CNET. "We can only blame ourselves. It's quite embarrassing, but it's a good little heads-up," Lerdorf reportedly said. This has to qualify him as the kewlest corporate suit in the known universe.

High performance access to file storage

More from The Register

next story
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.