
openSUSE forums defaced, user emails leaked

January 7th, 2014 by

As The Hacker News (thehackernews.com) reported, the public openSUSE forums have been compromised and defaced. The attacker exploited a vulnerability in the forum software which made it possible to upload files and gave access to the forum database.

Passwords: Safe! Emails: Not so much :-/

Credentials for your openSUSE login are not stored in our application databases: we use a single sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system, and it has not been compromised by this crack. What the cracker reported as compromised passwords were in fact random, automatically generated strings that are in no way connected to your real password.

However, some user data is stored in the local database for convenience; in the case of the forum, that is the user email addresses. The attacker had access to those, and we're very sorry for this data leak.

And now?

As the exploit is in the forum software we use and there are no known fixes or workarounds, we have decided to take the forums offline for now, until we have found a solution. Stay tuned for updates here, on Twitter, Facebook or G+.


41 Responses to “openSUSE forums defaced, user emails leaked”

  1. Well, that’s unfortunate. I have to say, though, that I never liked vBulletin, and I don’t get why it’s so popular, even within Linux-centric websites (where, even if for philosophical reasons, you’d expect to see phpBB (GPLv2) or Simple Machines (BSD) being used). I suppose vBulletin provides something for the single login integration, but I’d assume that the effort made for that plugin would have been the same as making it work with phpBB.

    • We’re not that happy either and are looking for an alternative. We were still on vBulletin for historical reasons – I believe it wasn’t even running on an (open)SUSE server…

    • Lee Hubbard

      Good day,

      I rang this morning at around 8:30am(GMT) to report that your forums are still vulnerable.

      I have left a contact number with one of your support staff but feel free to email me (provided in the mail bit) I will gladly point you to where the root cause of this hacking is.

      As of this moment the hackers have backdoored the site in multiple places, they can view/edit any file, they can access any database on this server and it needs to be repaired asap for your users' sake.

      There are a few tips I can point out which will help you protect your forums from further hackings too, so hopefully one of your administrators contacts me.

      Proof this isn't some troll? This is the database information for the forums (with passwords removed):
      http://i.imgur.com/bO9TxAc.png

      I have no intention to download your users information.

      Regards,

      Lee Hubbard

  2. Omar Macke

    Here is an opportunity for openSuse to show how much better they are than any other distro. Complete disclosure, even if it's embarrassing, would be the best course of action. No vague PR speak like above; give details. For once, I would like to see more details from a company blog than a news site.
    ex: thehackernews dot com

  3. Chris

    I can’t be happier that I no longer run any sites that use vBulletin. It’s become complete garbage. I migrated the medium size gaming forum I work on from vB to XenForo shortly after the install script exploit surfaced.

    • Shawn McMahon

      I second the XenForo recommendation.

    • MatthewEhle

      Thank you both for your recommendations. As Jos mentioned, we are looking into some alternative software (preferably FOSS), and I’ll make sure to look at this.

  4. Kimmy

    One of the reasons why I don't have an account on the forum is because it's vBulletin; it's too messy and confuses most new users + it doesn't even feel like a forum.

    I am just a normal user who switched from Windows to Linux not long ago, who after having used different distros and switched back to Windows came to like openSUSE after one of my friends told me about it. Sadly enough I have never used the official forum when I needed help (the forum is too messy); instead I have asked my friend or asked on other forums which use different forum software.

  5. Opensuse forums provides a procedure that is complex and requires deep understanding such that it becomes easier for individuals to make use of this program.

  6. Jason Mlay

    Hat Tip to The Hacker News guys for informing Opensuse. I also am really impressed with Access Manager from NetIQ, Cool & must!

  7. Yeah

    But why was the forum running 6 month old software? Unpatched and ancient.

    I remember the great rift between the different SUSE forums back in the day and the fights that came up with using vB instead of Invision that other forums used. As usual, us long time users were ignored and a bunch of “we know better” kids took over and drove away all the old users with their attitude.

    Perhaps next time you’ll let people who actually have a history of running forums do things instead of a bunch of asshats that currently do it.

    • MatthewEhle

      VBulletin has a way of breaking plugins and themes even on minor patches, so even security updates can take a little while to implement. We were (and still are) in the process of getting to the latest patch.

      I wouldn’t describe the version that we are running as “ancient”. We were one patch level behind, and that doesn’t appear to be a factor in this particular exploit. However, I agree that we need to do a better job of keeping the software current. This is one reason why I would like to look at alternatives that are easier to maintain.

  8. This exploit was posted in the licensed customer feedback forum at vBulletin.com. This is the reply from Joe D:

    “At this time we are not aware of any known exploit and I am unsure how or why they believe the exploit is with the forum software.

    As for the “Another interesting fact,,,” comment it is clear the writer is not very familiar with vBulletin software as any VB 4.x version that has the install directory removed is as safe as VB 4.2.2 or 5.x from the previous administrator account vulnerability.

    What is important is that people check their site for rouge plugins and files after they delete the /install/ directory and remove fake Administrators even if no damage was noticeable to their sites. Some people may have planted back-doors for future use.”

    OpenSUSE should really contact vBulletin to discuss a potential unknown exploit. vB won’t fix anything until they are fully aware of the issue.

    • Oh no, not pink plugins! We can’t have any of those! D:
      It’s pretty silly how many people make that grammar mistake.

    • MatthewEhle

      We are in contact with VBulletin now and are working on a deep dive of the issue. We only run VBulletin on our servers and only files within the VBulletin directory were altered. This attacker also has a history of finding new vulnerabilities in VBulletin software, so I believe the attacker’s claim to be valid.

      We removed the install directories out of VBulletin over 6 months ago, so this appears to be an issue that they have not yet seen.

  9. foo

    While you’ve done a great job in reducing the impact of the vulnerability, please try to find out the vulnerability being exploited as soon as possible, and report it to the vBulletin devs. If there happens to be an exploit in the wild for all current vB versions, this puts essentially any website running vBulletin at risk, many of them not using single sign on systems as you did.

    So, please check your access logs as soon as possible – if the server was not rooted, they’re probably still reliable – and try to find the requests that exploited the vulnerability.

    • MatthewEhle

      We are working with VBulletin on identifying the issue, and I hope that we will have something soon.

      There is no evidence of privilege escalation or any other OS level compromise, so I see this as being a positive highlight of SUSE and openSUSE security.
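      The comment above asks for the access logs to be checked for the requests that carried the exploit. An added example, not code from openSUSE or from the commenter: parse Apache-style combined log lines and, for each client, report successful hits on PHP scripts that are not part of the deployment together with the POST requests from the same client that preceded them, which is the upload-then-execute pattern the post describes. The log lines, addresses, paths and the list of known scripts are constructed for the demo.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format; the referer/user-agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, known_scripts):
    """For each client that got a 2xx/3xx from a PHP script that is not part of
    the deployment, return those hits plus the POSTs the same client made
    before the first of them (the likely upload)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        unknown = [r for r in recs
                   if r["path"].endswith(".php")
                   and r["path"] not in known_scripts
                   and r["status"] < 400]  # 404 scanner noise is not a hit
        if not unknown:
            continue
        first = recs.index(unknown[0])
        report[ip] = {
            "uploads": [(r["ts"], r["path"])
                        for r in recs[:first] if r["method"] == "POST"],
            "unknown_scripts": [(r["ts"], r["path"], r["status"]) for r in unknown],
        }
    return report


# Constructed sample: one ordinary reader, and one client that POSTs to the
# profile page and seconds later starts talking to a new .php file in the
# avatar directory. Addresses and paths are made up for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2014:22:10:01 +0100] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Jan/2014:22:10:40 +0100] "GET /forum/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jan/2014:22:11:03 +0100] "POST /forum/profile.php?do=updateavatar HTTP/1.1" 302 0 "-" "python-requests/2.2"
198.51.100.7 - - [06/Jan/2014:22:11:05 +0100] "GET /forum/customavatars/avatar42_1.php HTTP/1.1" 200 312 "-" "python-requests/2.2"
198.51.100.7 - - [06/Jan/2014:22:11:09 +0100] "POST /forum/customavatars/avatar42_1.php HTTP/1.1" 200 8840 "-" "python-requests/2.2"
10.0.0.5 - - [06/Jan/2014:22:12:00 +0100] "GET /forum/missing.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Scripts you know you deployed (normally every .php path in your deploy manifest).
KNOWN_SCRIPTS = {"/forum/showthread.php", "/forum/login.php", "/forum/profile.php"}


def demo_report():
    return triage(SAMPLE_LOG.splitlines(), KNOWN_SCRIPTS)


if __name__ == "__main__":
    for ip, info in demo_report().items():
        print(ip)
        for ts, path in info["uploads"]:
            print("  upload?", ts, "POST", path)
        for ts, path, status in info["unknown_scripts"]:
            print("  unknown", ts, path, status)
```

      The list of known scripts is what turns a noisy log into a short lead list: the 404 from the ordinary reader is dropped, and the only client left is the one whose first request to a script you never deployed came right after a POST. Those timestamps are what you hand to the vendor, and the POST body (if you log it) or the file created at that moment is the exploit.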

  10. Jacob

    Ubuntu forums were also hacked 6 months ago. It was big news. 1.82 million accounts compromised. They also used vBulletin.

    • JH

      And the Ubuntu forums break-in compromised salted passwords. The openSUSE forums’ hashed/salted passwords were not compromised because they’re not stored in the vBulletin database. The hashes aren’t accessible from the outside *at all* – the authentication mechanism that the openSUSE forums use (basically) sends a hash to the identity server and the server does the comparison and returns a true/false value.

      The password attributes are not extractable via (for example) LDAP. It’s like calling an LDAP Bind request, but with the hash being prevented from being sent on the wire.

      I’ve personally worked with the technology used for 20 years, and even with inside knowledge on how the tech works, it would take a fair amount of work to extract the hashes from the data store. The data store is not a traditional SQL database.

      • MatthewEhle

        Thank you for an excellent explanation of the product. I should add that we even have another layer in place via Access Manager. Even if the attacker tried to exploit the LDAP user store, there is no direct access to it from the forums server. It would require compromising two separate systems outside of VBulletin.
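        The post's explanation (the forum keeps only a random placeholder in its password column and defers to the SSO) and JH's description of bind-style verification on the identity server describe the same design. Added example, not code from openSUSE, NetIQ or the commenters, and not a model of Access Manager's internals: a stand-in identity provider holds the only password verifiers and answers a bind with true/false, while the forum's local user table stores the e-mail plus a random placeholder that the login path never reads. The PBKDF2 parameters and the sample user are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # assumption for the demo; tune for your hardware


class IdentityProvider:
    """Stand-in for the separate SSO system (the real one is NetIQ Access
    Manager; this does not reproduce it). It holds the only password verifiers
    and answers a bind request with a verdict, so no hash leaves it."""

    def __init__(self):
        self._verifiers = {}  # username -> (salt, pbkdf2 digest)

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._verifiers[username] = (salt, digest)

    def bind(self, username, password):
        """Server-side comparison; the caller only learns True or False."""
        entry = self._verifiers.get(username)
        if entry is None:
            # Do the same work as a real check so unknown users are not
            # distinguishable by timing (demo-level mitigation).
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


class Forum:
    """The application and its own user table, the part an intruder with
    database access can dump. The password column holds a random placeholder
    that is never consulted, so a dump yields e-mail addresses but no
    usable credential."""

    def __init__(self, idp):
        self.idp = idp
        self.users = {}  # username -> row

    def provision(self, username, email):
        self.users[username] = {
            "email": email,
            # Placeholder only: the schema requires a column, login() never reads it.
            "password": secrets.token_urlsafe(24),
        }

    def login(self, username, password):
        if username not in self.users:
            return False
        return self.idp.bind(username, password)  # delegate, never compare locally

    def dump_user_table(self):
        """What an intruder reading the application database obtains."""
        return {name: dict(row) for name, row in self.users.items()}


def demo():
    """Provision one user and return the observable outcomes."""
    idp = IdentityProvider()
    idp.enroll("alice", "correct horse battery staple")
    forum = Forum(idp)
    forum.provision("alice", "alice@example.org")
    leaked = forum.dump_user_table()
    return {
        "leaked_email": leaked["alice"]["email"],
        "real_password_works": forum.login("alice", "correct horse battery staple"),
        "wrong_password_works": forum.login("alice", "wrong"),
        "leaked_placeholder_works": forum.login("alice", leaked["alice"]["password"]),
        "unknown_user_works": forum.login("bob", "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

        The check worth keeping from this is the third result: whatever the application stores in its password column must fail as a credential, otherwise a database dump is a password dump after all. The same design still leaks whatever else the application caches locally, which here was the e-mail column.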

  11. John S Wolter

    I think any break-in is a criminal act. As I wander through this news, different issues come to mind. Fix the software, then evaluate alternatives. It has to be assumed criminal break-ins are going to happen.

    What are the immediate post break-in responses necessary? I’d like to read some documents about that. I’ll search the web but maybe someone here has a well done citation in hand.

    I’m already encrypting important files and file systems. Were the forum password files and file systems well encrypted? It has to be expected files would be stolen in any break-in. I can see firewalls are not enough. If not then 15 or 100 character passwords will not make any difference.

    • I actually disagree – this was not a criminal act. The hacker did it to show us our forums are not secure, and successfully – we’re now looking for a better solution. An unethical person would not have said anything but stolen data silently, and it could have taken days or even weeks for us to find out.

      So while this was embarrassing and unpleasant, in the end the hacker did us a favor. Thanks to Mr or Ms white-hat h@x0r :D

      • Marcus Waring

        “The hacker did it to show us our forums are not secure”

        What complete and utter rubbish!
        If that was their intent they would not have defaced the forums and would simply have contacted you privately about the vulnerability.
        By making your statement you are condoning and encouraging cyber-vandalism, which is disgraceful.

        • John S Wolter

          Marcus,

          Thank you for your spot-on comment. I think it was a criminal act because it could affect people who may have needed information at a critical moment. A life saving moment if you will.

          Since emotional appeals to stop these acts will not make a difference, I’m improving my software development processes to include security for all devices. Hiding behind a firewall stopped working ten years ago. The idea that every computer, all devices, defend themselves is now the only way to go.

          I was just at a public event about security for connected cars. It was instantly clear securing the infrastructure was going to be a real challenge. I can see LINUX playing a big role. There will be lots of jobs to create and support such a huge undertaking.

  12. People still hack forums??? Here, let me talk to the poor shlub…

    Dear Hakxz0rz who did this:

    ..What is this…… 1996!?…

    was it all a dream…?

    2000 – 2014…..never really happened at all?

    This was all a Patrick Duffy shower scene?? .

    I’m back in 1996…. arguing why Frank Black is one hundred times the man Fox Mulder will ever be?

    (true story …btw)

    …and all my script kiddie wanna-be friends like you have again scanned in this month’s edition of 2800 yet are typing away, because OCR still sucks in 1996 … but they want desperately to have the latest VB Script so they can crack forums and lol and rofl with the uber l33t using the only code they actually know: CTRL+C / CTRL+V

    All in a futile bid to impress girls they have never met because they have staked their 5 year delayed puberty on the certainty that there are computer nerds anywhere that look like Sandra Bullock or Angelina Jolie ….

    They do come later,btw…well… in my dream about the future beyond 1999 they did anyway….

    but only when six digit incomes are guaranteed if you had nice boobs (that are not ‘moobs’) and you can write a four line batch file that loops in a 50% opaque windowed console …

    No forum is secure…sure…and they never should have to be….. for the same reason there are no laser beams or ex marines guarding the sewage treatment plant…

    Because only a retarded opiate-addled-crack-hillbilly with a shoehorn stuck in his cleft palate would be dumb enough to feel a sense of accomplishment from stealing untreated human sewage…or cracking a forum that was a prize only in the sense that it was the lowest fruit on the Suse Tree…

    It is up to the person who is this far out of date to adjust their own behaviors…it is they that that need to take some action…

    By which I mean:

    put the Napstered Smashmouth CD down ….take your snowboard, your Cingular Motorola Pager, and your almost guaranteed Mountain Dew 20 ounce bottle…. grab your mother’s Cyan Metal Flake Geo Storm….drive it down to the Blockbuster Video …..go straight to the self help section next to the giant Ace Ventura promo poster….and rent a VHS tape on getting a clue, which will likely be narrated by Montel Williams… ….

    Because only one thing got harmed here… but it was barely alive anyway…

    (and don’t think I don’t know you’re a Ubuntu user…it’s written all over you in the places spell check never squiggles….)

  13. well that’s not good. time to get ready for some spam then.

  14. The S.u.S.E website was hacked before when Novell U.S. purchased SuSE Linux, which then became SUSE Linux Enterprise NSA Desktop. The hack happened in 2005.
    Mirror saved on: 2005-10-01 22:26:27 http://www.zone-h.org/mirror/id/2917402

    “Date: Tue, 4 Oct 2005 14:47:37 +0200
    From: Marcus Meissner XXXXXX @ suse.de>
    Message-ID:
    Subject: [suse-security-announce] Defacement of several Novell websites

    “Hi,

    As you probably know, several Novell hosted web sites got defaced by
    a vandal on the weekend.

    The vandalized hosts wiki.novell.com, opensuse.org, and forge.novell.com
    are actually virtual hosts living on one machine, making this one
    affected machine.

    The intruder gained access to the system by exploiting a known
    vulnerability in the “Xoops” blog software installed on another
    virtual host on this system (www.novell.com/prblogs/).

    This software was not upgraded to the latest security fixed version.

    The host affected is fully separate from our RPM and security fix
    delivery machines, so the integrity of our distributions and
    update repositories was not affected.

    Sincerely,
    Marcus Meissner, SUSE Security Team “

  15. hi

    only some questions

    why are you still on version 4.2.1? 4.2.2 was released in October ???

    why is there no htaccess on the admincp access? it was more secure, i think ????

    regards

    jluce

    • MatthewEhle

      I agree that we should be quicker on getting to the latest patch. We have had a history of patches and upgrades breaking the forums, so we are trying to make sure that new patches are vetted before being put into production. Of course, that also introduces a risk, so it’s a bit of a catch-22.

      If it helps, it seems that being on the latest patch would not have prevented this exploit. We are working with VBulletin on the issue.

  16. gregopet

    I can recommend http://www.discourse.org/ as the VBulletin replacement (it’s open source, written in Ruby, and very much next gen.. created by Jeff Atwood, one of the founders of StackExchange). Sadly, there’s no direct vBulletin import tool, though (supposedly one can first import to phpBB and then into Discourse).

  17. Marcus

    I’m sure the 1334 people who hit opensuse on Distrowatch are crapping themselves!

    At least Microsoft, despite being targeted many times, care enough about their customers/users to employ people who are expert enough to know what they are doing.

    FOSS: you get what you pay for – NOTHING! lol

  18. Maybe a little bit late, but I like UNB [1]; it’s OSS, not bloated and easy to use.

    [1] //newsboard.unclassified.de/

  19. It is extremely helpful for me. Thank you for taking the time to discuss this like openSUSE forums defaced, user emails leaked. I feel strongly about it and love learning more on this topic. Keep it up.

  20. Walter

    Some of these hacks are really easy. I watched a telco get hacked recently. It’s usually people that did things they are not supposed to that cause the problems. In the telco case someone noticed that their website was not PCI DSS compliant. What this means is in essence they are storing data they shouldn’t. That was step 1. Step 2 was a direct SQL injection attack on an unpatched server. In that case the company hid the fact that they got compromised out of embarrassment. This is really bad because (1) the thieves don’t get reported and (2) the people compromised don’t even know!!

  21. Walter

    Here’s a funny. All those people at Target covering the Pinpad so no one gets their banking info?!