Feeds

'1337 hacker' scrawls all over careless coders' SourceForge sites

'If others did this, they might not have been so nice'

Boost IT visibility and business value

Someone claiming to be a "1337 hacker" has defaced programming projects hosted by SourceForge.net

Web pages for the network utility Angry IP Scanner and other open-source software hosted by the online coding vault were altered by the infiltrator. The individual responsible claimed the websites were "hacked" using a "backdoor", and darkly warned he or she could have supposedly caused far worse damage.

Each vandalised site read:

This is a project whose homepage has been hacked with the SourceForge backdoor by a 1337 hacker! It is extremely lucky because this message is the only change I did. After I found this backdoor, I, being nice, added this message to some SourceForge-hosted sites to warn them, instead of maliciously dropping their tables.

Scary stuff, you'll no doubt agree.

The truth is rather mundane: in a blog post, SourceForge's operators said each affected project had files that could be accessed by anyone on the web (rw-r--r-- in Unix parlance) and that these documents contained usernames and passwords for editing the project. Thus, anyone who knew where to look on a project's website could find, use and expose these sensitive credentials.

The SourceForge staff explained:

Upon investigating we found that the affected projects had configuration files (which contained database usernames and passwords) that were world readable. In other words, anyone looking in the right place could get these usernames and passwords and have direct access to the database.

Someone claiming to the "1337 hacker" commented on the SourceForge blog: "After checking 850 projects, I've hacked 44, but you were lucky. I did this to notify the project owners so that they would fix the issue. "If other hackers did this, they might not have been so nice. They might plant malicious scripts or even just drop your data for fun."

Arguably, SourceForge should consider ensuring that no world-readable files are created by default. However, coders must carry a large part of the blame for not picking the right permissions.

SourceForge, which hosts more than 320,000 projects, explains how to set proper file permissions here. It also explains how to reset project database passwords. ®

The Essential Guide to IT Transformation

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.