
openSUSE Forums – back on-line

January 16th, 2014 by

As we reported last week, our public forums have been compromised and defaced. Passwords were safe but the cracker did manage to get access to the database with our forum posts as well as email addresses. Read on to find out what happened, what we did to prevent further damage and what we’re going to do in the future.

vBulletin hacked

openSUSE has used the vBulletin forum software for a very long time. While we haven’t always been happy with it, the issues never prompted us to put in the (substantial!) time and effort required to move to another solution.

On January 7, 2014, we received word from The Hacker News that our public forums were compromised and defaced by a cracker exploiting a zero-day flaw in the underlying vBulletin forum software (vBulletin 4.2.1). A Pakistani cracker has claimed responsibility. According to The Hacker News, the cracker confirmed that he/she uploaded a PHP shell to the openSUSE Forum server using a private zero-day exploit for vBulletin, which allowed him/her to browse, read or overwrite any file on the forum server without root privileges.

Damage?

The cracker claimed he had accessed almost 80,000 openSUSE Forum users’ passwords. However, openSUSE uses a Single Sign-on system (Access Manager from NetIQ) and the ‘passwords’ the cracker obtained were random strings. The cracker did however get access to the forum database, which also contains the email addresses of our users.

Forums down

As Matthew Ehle told infoworld.com, the openSUSE admin team believes the cracker’s claim that a zero-day exploit was used. The openSUSE Forums were one patch behind the current release, but the change/release log of the latest patch does not indicate it would have prevented this attack.

Because the vulnerability in vBulletin did not have a fix available, we took our forums offline and started looking for a solution.

The forums are back!

What now

As Matthew said, “VBulletin provides some highly functional software, which is of course why it is so popular”. But last summer, the same attacker also breached the openSUSE vBulletin installation, and Matthew has had “a number of concerns about the architecture and security” of vBulletin for a while. We are therefore going to look for an alternative.

In the meantime, of course, we will update the vBulletin software with the latest patch. But even small patches have been known to cause issues with themes, plugins and other things, so this will take time. vBulletin v4 is still supported, so there’s no real reason to move to v5 soon.

Protecting the current set-up

But there are ways to protect the server even when we don’t trust some of the software on it. Since the attack in the summer, our sysadmins have locked down the file system and the folder used in the attack has now also been made read-only.

Thanks to this locking, the hacker was only able to read and overwrite some of the files on the forums server, without root privileges. We were using “paranoid” file permissions, which greatly restricted his access on the server and did not allow him to escalate privileges and take over the system. This is unlike some recent high-profile vBulletin breaches, which compromised the entire operating system.
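
As an added example (not openSUSE’s or vBulletin’s own tooling), here is the kind of check a forum admin could run to verify a lock-down like the one described above: it lists directories the web-server account (or anyone) can still write into, which is where an uploaded PHP shell would have to land, and flags PHP code sitting inside directories that should only ever hold uploads. The web root, web-server user name and upload directory names are parameters supplied by the caller; the names used in the comments are assumptions, not paths from the openSUSE server.

```shell
#!/bin/sh
# Added example, not code from openSUSE or vBulletin. Assumes POSIX sh and find(1).
# Usage: sh audit_webroot.sh /srv/www/htdocs wwwrun attachments customavatars
# (web root, web-server account, then one or more upload directory names; all assumed values)

# Directories writable by the web-server account (owner write bit) or by everyone.
# In a fully locked-down tree such as the post describes, this prints nothing.
writable_dirs() {
    root="$1"; webuser="$2"
    find "$root" -type d \( \( -user "$webuser" -perm -0200 \) -o -perm -0002 \) -print
}

# PHP source files found beneath any directory with one of the given upload names.
# An upload directory should contain data only; executable PHP there is a red flag.
php_in_upload_dirs() {
    root="$1"; shift
    for d in "$@"; do
        find "$root" -path "*/$d/*" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3457]' \) -print
    done
}

# Count lines robustly (wc -l pads with spaces on some systems).
count_lines() { awk 'END { print NR }'; }

# Run both checks, print each finding, and return non-zero if anything was found.
audit_webroot() {
    root="$1"; webuser="$2"; shift 2
    n=0
    writable_dirs "$root" "$webuser" | while IFS= read -r p; do
        echo "WRITABLE DIRECTORY: $p"
    done
    php_in_upload_dirs "$root" "$@" | while IFS= read -r p; do
        echo "PHP FILE IN UPLOAD DIRECTORY: $p"
    done
    n=$(( $(writable_dirs "$root" "$webuser" | count_lines) \
        + $(php_in_upload_dirs "$root" "$@" | count_lines) ))
    echo "$n finding(s)"
    [ "$n" -eq 0 ]
}

# Only audit when invoked with arguments, so sourcing the file has no side effects.
if [ "$#" -ge 2 ]; then
    audit_webroot "$@"
fi
```

The audit is a snapshot, not a guarantee: a read-only directory only helps if the web server’s account is the one the permissions are enforced against, which is why the user name is passed in explicitly.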

Back online

Kim Groneman, taking care of our forums, noted: “Though we will probably never know exactly how the cracker was able to put a script file in our system, with the file system locked down, there’s a good probability that it can’t happen again. Also, because we use Access Manager, there never was any danger of the cracker gaining access to user passwords. They are and always have been secure.”

Based on that, the team felt confident that the forums could be put back online.

Future

The openSUSE sysadmins have the use of AppArmor or SELinux in their public policy. This is enforced on all new services, but the old ones (including the forums) have not all been updated yet. Obviously, priorities have been re-shuffled in this regard.

But in the long run, working around the security problems of proprietary software is not the ideal solution. The team is thus looking at other solutions. bbPress and phpBB are at the top of the list, and people experienced with these solutions (and especially with migrating to them from vBulletin) would be very welcome. Another piece of work needed is to move the NNTP gateway script to whatever the new solution will be; a PHP developer could be a great help. The team is working on a list of features that are required (and nice to have), and suggestions for other solutions can be run by this.


10 Responses to “openSUSE Forums – back on-line”

  1. Shaun

    Make a good .htaccess file (script, injecting, intrusion, xss) and chmod 444 to prevent any writing…

  2. Thanks for the heads-up!

    Is there a place where we could follow the discussions on the new forum choice?

  3. Jacob

    phpBB seems like the best bet here, because it is:
    1) Widely deployed.
    2) Deployed on forums that have at least 100x more traffic.
    3) Deployed on forums that are under constant attack, without being compromised. openSUSE forum I suspect does not have many real (non bot/automated) hack attempts because, well, I suspect openSUSE does not have many enemies (kind of hard for a Linux distro) while other forums definitely do.
    4) Still php based, so the same admins could theoretically administer phpBB or another php based solution. php is also most popular, so it should be easier to find help if needed.

    Maybe there are other good solutions and it’s good to see that a transition is being considered.

    If help is needed, ask SUSE (the company) to lend a hand in assigning a dev or two to help with the transition. I’m sure they could accommodate since openSUSE reflects SUSE the company and it would be strange if they did not have at least one php dev handy. If not, have them pay for someone to do the transition, because…

    Make the following case to SUSE (the company):
    SUSE itself has a forum that uses vBulletin, which has the same vulnerabilities as openSUSE forum (same software). By helping openSUSE with their forum transition, SUSE will have a testbed and a first-hand account of how to properly transition their own forum software if/when they decide to do so. Win-win for both sides.

    Please note that I am NOT affiliated with phpBB, php, openSUSE or SUSE and never was. I’m just a *very* satisfied openSUSE user and want what is best for the openSUSE community.

  4. Jacob

    Jos, if you would like me to give you references to #2 or #3 from my previous post, don’t hesitate to email me. You (or rather the forum software) have my email :)

    Also, I would add a #5: I’m sure you can find recent case-studies of vBulletin to phpBB transitions which can be invaluable.

  5. muhwak

    Hi there,

    is it possible to get the information, what the filename of that PHP shell was and where exactly it was placed?
    Other vBulletin admins may appreciate this.

    Thanks a lot.

  6. Marcus Moeller

    We have once written a migration script from newbb to phpbb. Perhaps it might help, at least for inspiration:

    http://wiki.centos.org/WebsiteVer2/forums/newbb_to_phpbb

  7. Robert

    I really like this project: http://www.discourse.org/

    But I understand if this is not traditional enough. ;)

  8. Rupert Horstkötter

    Very happy to hear that you recovered from the attack. Also, I very much appreciate the openness and transparency in providing a statement to the community.

    As of phpBB: In retrospect, it seems to me, that you should have listened to Papa Smurf during the merging project ;) That said, I still vote for it!

  9. Great work guys!
    Good to see my favorite learning resource online.