Feeds

'1337 hacker' scrawls all over careless coders' SourceForge sites

'If others did this, they might not have been so nice'

3 Big data security analytics techniques

Someone claiming to be a "1337 hacker" has defaced programming projects hosted by SourceForge.net

Web pages for the network utility Angry IP Scanner and other open-source software hosted by the online coding vault were altered by the infiltrator. The individual responsible claimed the websites were "hacked" using a "backdoor", and darkly warned he or she could have supposedly caused far worse damage.

Each vandalised site read:

This is a project whose homepage has been hacked with the SourceForge backdoor by a 1337 hacker! It is extremely lucky because this message is the only change I did. After I found this backdoor, I, being nice, added this message to some SourceForge-hosted sites to warn them, instead of maliciously dropping their tables.

Scary stuff, you'll no doubt agree.

The truth is rather mundane: in a blog post, SourceForge's operators said each affected project had files that could be accessed by anyone on the web (rw-r--r-- in Unix parlance) and that these documents contained usernames and passwords for editing the project. Thus, anyone who knew where to look on a project's website could find, use and expose these sensitive credentials.

The SourceForge staff explained:

Upon investigating we found that the affected projects had configuration files (which contained database usernames and passwords) that were world readable. In other words, anyone looking in the right place could get these usernames and passwords and have direct access to the database.

Someone claiming to the "1337 hacker" commented on the SourceForge blog: "After checking 850 projects, I've hacked 44, but you were lucky. I did this to notify the project owners so that they would fix the issue. "If other hackers did this, they might not have been so nice. They might plant malicious scripts or even just drop your data for fun."

Arguably, SourceForge should consider ensuring that no world-readable files are created by default. However, coders must carry a large part of the blame for not picking the right permissions.

SourceForge, which hosts more than 320,000 projects, explains how to set proper file permissions here. It also explains how to reset project database passwords. ®

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
New Facebook phone app allows you to stalk your mates
Nearby Friends feature goes live in a few weeks
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.