Feeds

'1337 hacker' scrawls all over careless coders' SourceForge sites

'If others did this, they might not have been so nice'

Intelligent flash storage arrays

Someone claiming to be a "1337 hacker" has defaced programming projects hosted by SourceForge.net

Web pages for the network utility Angry IP Scanner and other open-source software hosted by the online coding vault were altered by the infiltrator. The individual responsible claimed the websites were "hacked" using a "backdoor", and darkly warned he or she could have supposedly caused far worse damage.

Each vandalised site read:

This is a project whose homepage has been hacked with the SourceForge backdoor by a 1337 hacker! It is extremely lucky because this message is the only change I did. After I found this backdoor, I, being nice, added this message to some SourceForge-hosted sites to warn them, instead of maliciously dropping their tables.

Scary stuff, you'll no doubt agree.

The truth is rather mundane: in a blog post, SourceForge's operators said each affected project had files that could be accessed by anyone on the web (rw-r--r-- in Unix parlance) and that these documents contained usernames and passwords for editing the project. Thus, anyone who knew where to look on a project's website could find, use and expose these sensitive credentials.

The SourceForge staff explained:

Upon investigating we found that the affected projects had configuration files (which contained database usernames and passwords) that were world readable. In other words, anyone looking in the right place could get these usernames and passwords and have direct access to the database.

Someone claiming to the "1337 hacker" commented on the SourceForge blog: "After checking 850 projects, I've hacked 44, but you were lucky. I did this to notify the project owners so that they would fix the issue. "If other hackers did this, they might not have been so nice. They might plant malicious scripts or even just drop your data for fun."

Arguably, SourceForge should consider ensuring that no world-readable files are created by default. However, coders must carry a large part of the blame for not picking the right permissions.

SourceForge, which hosts more than 320,000 projects, explains how to set proper file permissions here. It also explains how to reset project database passwords. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.