-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 1/7/2014 12:44 PM, Carlos E. R. wrote:

On 2014-01-07 21:37, Michael Hamilton wrote:

...

I'm seeing 404 errors when attempting to reach http://forums.opensuse.org/

Same here.

But "forums.novell.com" seems up, but not responding either.

The nntp side is up and responding.

There was a LOT of flakey dns stuff going on yesterday. For a while here yesterday, even GOOGLE was unreachable. - -- _____________________________________ - ---This space for rent--- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAlLMaEMACgkQv7M3G5+2DLL5fwCglCEUm4b4hSFD9Q/xVys8ACnl fqEAnj7p07R6cCP/rS9OdmBT2RmjKni7 =XSxf -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, 07 Jan 2014 15:26:52 -0800, John Andersen wrote:

...

There is a security breach.

[0] https://news.opensuse.org/2014/01/07/opensuse-forums-defaced/ [1] http://thehackernews.com/2014/01/openSUSE-Forum-Hacked-by-Pakistani- hacker.html#

From the 2nd link:

...

The Pakistani Hacker confirmed is that has uploaded a PHP shell on the forum server using his own Private vBulletin's zero-day exploit, that allows him to browse, read or write/overwrite any file on the Forum server without root privileges.

How embarrassing. I hate forums.

There's a lot of inaccuracy in the thehackernews.com article. Passwords *were not* compromised (nor were hashes) because we don't use the standard vBulletin authentication mechanism. It seems e-mails addresses were. The SEO plugin is where the exploit was, and as that's not maintained any more, it's been removed. The tech team is still working on adding additional hardening to the server. For those who use NNTP, that interface is unaffected and still running. Don't hate forums. Hate the hackers who think this is a fun thing to do, especially to an open source project. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tuesday, January 07, 2014 04:33:52 PM John Andersen wrote:

On 1/7/2014 4:04 PM, Jim Henderson wrote:

...

Don't hate forums. Hate the hackers who think this is a fun thing to do, especially to an open source project.

Playing devils advocate, those guys serve a purpose too.

There are a bazillion users using vBulletin, but this particular hacker seems to go after precisely those users that should be better protected, and who should be running the most current versions with the best security.

In the mean time he appears not to bother with sewing boards or hobby boards.

I'm sure the forums will come back better than they were in the past, with fewer holes.

I wouldn't hate this hacker either because he is only pointing a security issue. So far, he is not making money or leaking the data to Internet to hurt anybody nor posting how to exploit the flaw or details to crack it. The good thing is we have a great security incident team taking care of it. Fast response shutting down the server and removing it to find the best way to fix it (hardenning). My 0.00001 cents -- Ricardo Chung | Member openSUSE Projects -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2014-01-08 01:04, Jim Henderson wrote:

Don't hate forums. Hate the hackers who think this is a fun thing to do, especially to an open source project.

Well, in this case it appears the hacker only wanted to prove that there was a vulnerability, in order to force vbulleting to update their software fast, no intention to use the obtained data. Or so he claims. -- Cheers / Saludos, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 1/7/2014 4:53 PM, Carlos E. R. wrote:

On 2014-01-08 01:04, Jim Henderson wrote:

...

Don't hate forums. Hate the hackers who think this is a fun thing to do, especially to an open source project.

Well, in this case it appears the hacker only wanted to prove that there was a vulnerability, in order to force vbulleting to update their software fast, no intention to use the obtained data.

The article, which may not be accurate, says OpenSuse was not running the most current version of vBulletin. It might be fixed already in later versions. - -- _____________________________________ - ---This space for rent--- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAlLMphMACgkQv7M3G5+2DLKWdQCdHYnQwzbiSdu4gM5MQrO2OBKF XoQAnjR2Db2NBB7KFHn3pTotTKS3M++0 =x+sY -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Wednesday, January 08, 2014 02:22:28 AM Carlos E. R. wrote:

On 2014-01-08 02:12, John Andersen wrote:

...

The article, which may not be accurate, says OpenSuse was not running the most current version of vBulletin. It might be fixed already in later versions.

Not in the updated version. Most probably developer will need to review the authetication and validation processes to move it away.

No, the page says: «Another important claim by the hacker that vBulletin 5.0.5 latest version is also vulnerable to his zero-day exploit and there is no patch yet available to fix it.»

That's right. Nor the last update or upgrade are able to fix it. The core flaw seems to be on vBulletin itself. Since that point of view. There is a bad path to validate admin user or weak path to handle authentication. So software will need better control points to work among layers before grant access. -- Ricardo Chung | Member openSUSE Projects -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 1/7/2014 5:52 PM, Jim Henderson wrote:

The exploit was in the vbseo addon, which was developed by a now defunct company and is no longer patched.

SEO as in Search Engine Optimization? Why would that be used on a non-sales related bulletin board? If Google can't crawl it, that's their problem. My SEO efforts amount to submitting a link to Google and calling it a day. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Wednesday, January 08, 2014 01:52:30 AM Jim Henderson wrote:

On Tue, 07 Jan 2014 17:12:51 -0800, John Andersen wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 1/7/2014 4:53 PM, Carlos E. R. wrote:

...

On 2014-01-08 01:04, Jim Henderson wrote:

...

Don't hate forums. Hate the hackers who think this is a fun thing to do, especially to an open source project.

Well, in this case it appears the hacker only wanted to prove that there was a vulnerability, in order to force vbulleting to update their software fast, no intention to use the obtained data.

The article, which may not be accurate, says OpenSuse was not running the most current version of vBulletin. It might be fixed already in later versions.

The exploit was in the vbseo addon, which was developed by a now defunct company and is no longer patched.

So I'm told.

Jim

It makes sense because vBSEO has been showing issues on several forums. Check the link for more info about vBSEO suspending operations http://admin-talk.com/threads/dear-vbulletin-forum-community-vbseo-is-suspen... -- Ricardo Chung | Member openSUSE Projects -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

El 07/01/14 23:59, Ricardo Chung escribió:

http://www.jaygadkar.com/2013/12/cross-site-scripting-xss-stored_24.html

nope, not that type of flaw. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2014-01-08 02:51, Jim Henderson wrote:

On Wed, 08 Jan 2014 01:53:40 +0100, Carlos E. R. wrote:

...

Or so he claims.

If he were, he'd have told vBulletin of the exploit. The exploit is described as a "private exploit," which to me says he's not disclosed it.

I'm not conversant with "cracker" parlance, but you are probably right in that. -- Cheers / Saludos, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)

On Wed, 08 Jan 2014 00:57:46 -0300, Cristian Rodríguez wrote:

El 07/01/14 22:51, Jim Henderson escribió:

...

If he were, he'd have told vBulletin of the exploit. The exploit is described as a "private exploit," which to me says he's not disclosed it.

It really does not matter much, the attacker was able to go way too far in the first place. Yes..the vector is the forum software, why the payload ran without resistance all the way till gaining a shell as the apache user is the question that need answer on this side of the road.

Because that's the nature of having a public website. You're vulnerable to potential exploits in third party code.

The actual bug in this kind of PHP bulletin boards should be from trivial to moderately easy to find and fix. Since this is a commercial app, that's up to the vendor to figure out.

Sure, but it isn't necessarily just in PHP code, it could be in the interpreter as well. I've seen that happen. Security audits of code should happen (I agree), but this hacker took the approach of taking down an open source project's forums. If they wanted to get noticed, I can think of at least one set of forums that would be a better target and would get *immediate* attention. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Wed, 08 Jan 2014 20:49:53 +0100, Carlos E. R. wrote:

On Wednesday, 2014-01-08 at 01:51 -0000, Jim Henderson wrote:

...

On Wed, 08 Jan 2014 01:53:40 +0100, Carlos E. R. wrote:

...

...

Well, in this case it appears the hacker only wanted to prove that there was a vulnerability, in order to force vbulleting to update their software fast, no intention to use the obtained data.

Or so he claims.

If he were, he'd have told vBulletin of the exploit. The exploit is described as a "private exploit," which to me says he's not disclosed it.

Aparently, he did - or so says user "Matt" on the news thread comments (https://news.opensuse.org/2014/01/07/opensuse-forums-defaced/):

This exploit was posted in the licensed customer feedback forum at vBulletin.com. This is the reply from Joe D:

“At this time we are not aware of any known exploit and I am unsure how or why they believe the exploit is with the forum software.

I'm not sure I'm going to trust someone who defaces websites to be honest about their disclosure. There certainly was no reason to target the openSUSE forums to make a point to the forum vendor. But whatever his motivation, it's being dealt with. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday, 2014-01-08 at 00:04 -0000, Jim Henderson wrote:

For those who use NNTP, that interface is unaffected and still running.

Well, no longer. It is down now as well (both instances). - -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlLN3sEACgkQtTMYHG2NR9W8rgCePCCzQQ+wGBwevb+KRp7qAufE FXsAn0CuXsilRFIalha2ko4wx+8sWOE5 =pUVs -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2014-01-09 01:21, Jim Henderson wrote:

On Thu, 09 Jan 2014 00:26:57 +0100, Carlos E. R. wrote:

...

On Wednesday, 2014-01-08 at 00:04 -0000, Jim Henderson wrote:

...

For those who use NNTP, that interface is unaffected and still running.

Well, no longer. It is down now as well (both instances).

Yes, apparently (though I haven't had confirmation yet) to help ensure that we don't end up with missing messages. The SUSE forums (and Novell/ NetIQ) were all down this afternoon (Utah time) for work being done.

nntp is back up again :-) -- Cheers / Saludos, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)

On Thu 09 Jan 2014 10:57:47 AM CST, Peter Maffter wrote:

Carlos E. R. schrieb am 2:03 Donnerstag, 9.Januar 2014:

On 2014-01-09 01:21, Jim Henderson wrote:

...

...

On Thu, 09 Jan 2014 00:26:57 +0100, Carlos E. R. wrote:

...

On Wednesday, 2014-01-08 at 00:04 -0000, Jim Henderson wrote:

...

For those who use NNTP, that interface is unaffected and still running.

Well, no longer. It is down now as well (both instances).

Yes, apparently (though I haven't had confirmation yet) to help ensure that we don't end up with missing messages.  The SUSE forums (and Novell/ NetIQ) were all down this afternoon (Utah time) for work being done.

nntp is back up again :-)

Hello,

http://forums.opensuse.org/faq.php?faq=novfor#faq_nntp still gives

"Sorry, the page you are looking for is currently down for maintenance."

So what is the correct nntp server name?

BR Pete

Hi It's nntp.opensuse.org with your usenet client. -- Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890) openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.2 Kernel 3.11.6-4-desktop up 9:31, 3 users, load average: 0.00, 0.07, 0.09 CPU Intel® B840@1.9GHz | GPU Intel® Sandybridge Mobile -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R. wrote:

On 2014-01-09 13:20, Malcolm wrote:

...

On Thu 09 Jan 2014 10:57:47 AM CST, Peter Maffter wrote:

...

...

http://forums.opensuse.org/faq.php?faq=novfor#faq_nntp still gives

"Sorry, the page you are looking for is currently down for maintenance."

So what is the correct nntp server name?

...

It's nntp.opensuse.org with your usenet client.

And the recommended user name is the forum_login_name at no-mx.forums.opensuse.org. I see a post using @nomail instead.

Maybe he doesn't have a forum login name? I don't think I have one. -- Per Jessen, Zürich (4.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Thu, 09 Jan 2014 02:03:11 +0100, Carlos E. R. wrote:

On 2014-01-09 01:21, Jim Henderson wrote:

...

On Thu, 09 Jan 2014 00:26:57 +0100, Carlos E. R. wrote:

...

On Wednesday, 2014-01-08 at 00:04 -0000, Jim Henderson wrote:

...

For those who use NNTP, that interface is unaffected and still running.

Well, no longer. It is down now as well (both instances).

Yes, apparently (though I haven't had confirmation yet) to help ensure that we don't end up with missing messages. The SUSE forums (and Novell/ NetIQ) were all down this afternoon (Utah time) for work being done.

nntp is back up again :-)

Yep, I was mistaken - the others were down for a different reason yesterday. Totally unrelated to our issue. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday, 2014-01-09 at 17:22 -0000, Jim Henderson wrote:

For those who are interested, the web interface is back online now.

Bravo! :-) - -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlLO4hIACgkQtTMYHG2NR9V1kgCgjy8+o9srphtyICM0vCKlize4 QdYAn0BUQKidgybZhr8uo/dC725Ojla4 =S74D -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org