[opensuse] I take it people know about the hacking of the web page?
Looks like Iran Hackers have defaced opensuse.org
Marcus
--
Photos : www.flickr.com/photos/marcusc
Blog : marcusbrain.blogspot.com
`The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free, and good men die like dogs. There's also a negative side.' HST
Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
Marcus -- Photos : www.flickr.com/photos/marcusc Blog : marcusbrain.blogspot.com
`The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free, and good men die like dogs. There's also a negative side.' HST
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org
Hi: I see... :-( No words
-- Chema Ollés Linux user: #198057 Linux 2.6.13.2-2-smp #1 SMP Mon Sep 26 14:25:33 UTC 2005 i686
On 01/10/05, Chema Ollés <jmolles@vodafone.es> wrote:
Hi: I see... :-( No words
According to this (it's an archive of attacks) http://www.zone-h.org/defacements/filter/filter_defacer=IHS%20IRAN%20HACKERS... they appear to have hit quite a few Novell sites.
A few minutes ago it said that opensuse.org was hosted on a Novell Netware server which struck me as a bit odd, but it's been changed now.
Marcus
On Sat, Oct 01, 2005 at 11:36:52PM +0100, Marcus Cooper wrote:
On 01/10/05, Chema Ollés <jmolles@vodafone.es> wrote:
Hi: I see... :-( No words
According to this (it's an archive of attacks) http://www.zone-h.org/defacements/filter/filter_defacer=IHS%20IRAN%20HACKERS... they appear to have hit quite a few Novell sites.
A few minutes ago it said that opensuse.org was hosted on a Novell Netware server which struck me as a bit odd, but it's been changed now.
Looking at the source, there is a picture that points to ihsteam.com. That is hosted in the US:

houghi@penne : mx ihsteam.com
Information on ihsteam.com with ns3.simorgh.co.uk. as primary nameserver:

Primary and secondary nameservers :
ns3.simorgh.co.uk.
ns4.simorgh.co.uk.

A record and CNAME:
ihsteam.com. 14400 IN A 147.202.64.138
Record for www.ihsteam.com:
www.ihsteam.com. 14400 IN CNAME ihsteam.com.
ihsteam.com. 14400 IN A 147.202.64.138

MX record for ihsteam.com:
ihsteam.com. 14400 IN MX 0 ihsteam.com.

Known A records for ihsteam.com on ns3.simorgh.co.uk.
ihsteam.com. 14400 IN A 147.202.64.138
ihsteam.com. 14400 IN A 147.202.64.138
ns3.simorgh.co.uk. 14400 IN A 147.202.64.138
ns4.simorgh.co.uk. 14400 IN A 147.202.64.139

Reversed for 147.202.64.138 and is in United States .
Reversed for 147.202.64.139 and is in United States .

houghi
--
Quote correct (NL) http://www.briachons.org/art/quote/
Zitiere richtig (DE) http://www.afaik.de/usenet/faq/zitieren
Quote correctly (EN) http://www.netmeister.org/news/learn2quote.html
houghi wrote:
On Sat, Oct 01, 2005 at 11:36:52PM +0100, Marcus Cooper wrote:
On 01/10/05, Chema Ollés <jmolles@vodafone.es> wrote:
Hi: I see... :-( No words
According to this (it's an archive of attacks) http://www.zone-h.org/defacements/filter/filter_defacer=IHS%20IRAN%20HACKERS... they appear to have hit quite a few Novell sites.
A few minutes ago it said that opensuse.org was hosted on a Novell Netware server which struck me as a bit odd, but it's been changed now.
Looking at the source, there is a picture that points to ihsteam.com. That is hosted in the US: houghi@penne : mx ihsteam.com Information on ihsteam.com with ns3.simorgh.co.uk. as primary nameserver:
Primary and secondary nameservers : ns3.simorgh.co.uk. ns4.simorgh.co.uk.
A record and CNAME: ihsteam.com. 14400 IN A 147.202.64.138 Record for www.ihsteam.com: www.ihsteam.com. 14400 IN CNAME ihsteam.com. ihsteam.com. 14400 IN A 147.202.64.138
MX record for ihsteam.com: ihsteam.com. 14400 IN MX 0 ihsteam.com.
Known A records for ihsteam.com on ns3.simorgh.co.uk. ihsteam.com. 14400 IN A 147.202.64.138 ihsteam.com. 14400 IN A 147.202.64.138 ns3.simorgh.co.uk. 14400 IN A 147.202.64.138 ns4.simorgh.co.uk. 14400 IN A 147.202.64.139
Reversed for 147.202.64.138 and is in United States . Reversed for 147.202.64.139 and is in United States .
houghi
[City: Bay Shore, New York]
These guys say that they want atomic power. Some countries do have, and can be useful for electricity, etc. But I hope if they have, they will use it that way; NOT like defacing wiki and opensuse and other, even if they feel it's their right. Because what is really needed on Earth is peace. Not just a matter of ideology, of artistic thought, or else. Just *a* matter of our own survival. (The first matters remain, though)
Don't want to talk to this crappy thing anymore. Have nicer things to do like trying to understand why xmms (not using Amarok) "hangs" (not the process, the music!), goes to the beginning, and has other odd behaviour, while reading from a vfat disk. Maybe a question of codepage or iocharset.
Nice week-end, Folks
Patrick M.
On Sunday, 2 October 2005 02:42, pmoellon wrote:
houghi wrote:
On Sat, Oct 01, 2005 at 11:36:52PM +0100, Marcus Cooper wrote:
On 01/10/05, Chema Ollés <jmolles@vodafone.es> wrote: ... But I hope if they have, they will use it that way; NOT like defacing wiki and opensuse and other, even if they feel it's their right. Because what is really needed on Earth is peace.
Et terra in pacem.
Have nicer things to do like trying to understand why xmms (not using Amarok) "hangs" (not the process, the music!),
Hmm, tonight I tried Alpha1 (x86) on my laptop and xmms and amarok work great (self-compiled libxine). BTW: The konqueror shows a lot of information for mp3-files, but none for ogg-files. Am I missing some libs or is there no meta-info for ogg built-in?
goes to the beginning, and have other odd behaviour, while reading from a vfat disk.
vfat not yet tried, nfs-/smb-shares works.
Maybe a question of codepage or iocharset.
No, not for binary data like music. With the wrong codepage/iocharset the filenames get trashed. -- mdc
On Sun, Oct 02, 2005 at 12:29:02AM +0200, Chema Ollés wrote:
Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
Marcus -- Photos : www.flickr.com/photos/marcusc Blog : marcusbrain.blogspot.com
`The music business is a cruel and shallow money trench, a long plastic hallway where thieves and pimps run free, and good men die like dogs. There's also a negative side.' HST
Hi: I see... :-( No words
Darn. It is just after midnight on a saturday night, so I hope they can solve this fast.
houghi
Ohhh .. interesting ... opensuse targeted due to being an open project .. but Iran not being allowed nuclear power ?
houghi <houghi@houghi.org> wrote:
Darn. It is just after midnight on a saturday night, so I hope they can solve this fast.
houghi
Hi, On Sat, 1 Oct 2005, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
Wow, indeed:
http://www.opensuse.org/
IHS IRAN HACKERS SABOTAGE WAS HERE
Atomic energy is our right even with threating us NO one can rule us not to use atomic power , it is our right and we ( all iranian people ) are united in this matter we are being industrialized and being industrialized means need for more energy and this energy should come from somewhere we want from iran government than quit NPT as soon as possible and close the UK embassy in iran where all of these problems come from
Cheers -e
--
Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)
On Sun, Oct 02, 2005 at 01:25:37AM +0200, Eberhard Moenkeberg wrote:
Hi,
On Sat, 1 Oct 2005, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
Wow, indeed:
Anybody with phone numbers for people who can be called? Either here or in the US or wherever? I already sent an email to webmaster @ novell.com, opensuse.org and suse.de, but I am not sure these will be read. If you have a number and are unable to call, I can do it with skype. No real cost involved.
houghi
On Sunday, 2 October 2005 01:37, houghi wrote:
On Sun, Oct 02, 2005 at 01:25:37AM +0200, Eberhard Moenkeberg wrote:
On Sat, 1 Oct 2005, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org Wow, indeed: ... If you have a number and are unable to call, I can do it with skype. No real cost involved.
Hi houghi, did you make skype for linux work over a proxy or direct? For me direct works, but using the same proxy and the same settings as in windows results in no connection. There is even no request sent to my proxy. -- mdc
On Sun, Oct 02, 2005 at 04:09:09PM +0200, meister@netz00.com wrote:
If you have a number and are unable to call, I can do it with skype. No real cost involved.
Hi houghi,
did you make skype for linux work over a proxy or direct? For me direct works, but using the same proxy and the same settings as in windows results in no connection. There is even no request sent to my proxy.
No proxy. Never used a proxy.
houghi
On Sat, Oct 01, 2005 at 07:35:43PM -0400, Jorge Fábregas wrote:
On Saturday 01 October 2005 6:20 pm, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
I can see it. It has been more than 30 minutes since OP posted the msg. Where's the sysadmin?? :(
Seems they are working on it. I assume they first need to close the leak before they can put it back.
houghi
Hi, On Sun, 2 Oct 2005, houghi wrote:
On Sat, Oct 01, 2005 at 07:35:43PM -0400, Jorge Fábregas wrote:
On Saturday 01 October 2005 6:20 pm, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
I can see it. It has been more than 30 minutes since OP posted the msg. Where's the sysadmin?? :(
Seems they are working on it. I assume they first need to close the leak before they can put it back.
Yes. Adrian has alarmed the people in Provo. Only the Wiki part of www.opensuse.org is located in Provo, everything else is in Nuernberg. So the distribution itself is not polluted.
Cheers -e
On Sunday 02 October 2005 02:16, Eberhard Moenkeberg wrote:
On Sun, 2 Oct 2005, houghi wrote:
On Sat, Oct 01, 2005 at 07:35:43PM -0400, Jorge Fábregas wrote:
On Saturday 01 October 2005 6:20 pm, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
I can see it. It has been more than 30 minutes since OP posted the msg. Where's the sysadmin?? :(
Seems they are working on it. I assume they first need to close the leak before they can put it back.
Yes. Adrian has alarmed the people in Provo. Only the Wiki part of www.opensuse.org is located in Provo, everything else is in Nuernberg. So the distribution itself is not polluted.
Yes, thank you all for your mails. And the others for calling me. Provo is already working on the problem. sorry for that adrian -- Adrian Schroeter SUSE Linux Products GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany email: adrian@suse.de
On Sun, Oct 02, 2005 at 02:33:30AM +0200, Adrian Schroeter wrote:
Yes, thank you all for your mails. And the others for calling me.
Provo is already working on the problem.
sorry for that
Just shows you what happens if you don't do a YOU every day. ;-)
houghi
On Sunday, 2 October 2005 01:35, Jorge Fábregas wrote:
On Saturday 01 October 2005 6:20 pm, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org I can see it. It has been more than 30 minutes since OP posted the msg. Where's the sysadmin?? :(
In the next bar, having a drink, it's saturday night ;-) -- mdc
Looks like Iran Hackers have defaced opensuse.org
For forge.novell.com and wiki.novell.com in fact, w.n.c hasn't been fixed yet. Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website... -- James Ogley james@usr-local-bin.org Packages for SUSE: http://usr-local-bin.org/rpms Make Poverty History: http://makepovertyhistory.org
On Sun, Oct 02, 2005 at 07:45:42AM +0100, James Ogley wrote:
Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website...
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
houghi
houghi wrote:
On Sun, Oct 02, 2005 at 07:45:42AM +0100, James Ogley wrote:
Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website...
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
houghi
Is there any information available on how the break-in happened? What module exactly was exploited? I think it would be essential to know so others can learn from this case. Cheers, Dominique
On Sun, Oct 02, 2005 at 09:12:53AM +0200, Dominique Leuenberger wrote:
Is there any information available on how the break-in happened? What module exactly was exploited? I think it would be essential to know so others can learn from this case.
I assume that the main action is now solving the problem. Giving the solution will come after that. At this moment it is not, so we have to wait.
houghi
Dominique Leuenberger wrote:
Is there any information available on how the break-in happened? What module exactly was exploited? I think it would be essential to know so others can learn from this case.
Cheers, Dominique
probably the script kiddies were using an exploit for an unpatched version of mediawiki or something ..
On Sunday 02 October 2005 09:12, Dominique Leuenberger wrote:
houghi wrote:
On Sun, Oct 02, 2005 at 07:45:42AM +0100, James Ogley wrote:
Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website...
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
houghi
Is there any information available on how the break-in happened? What module exactly was exploited? I think it would be essential to know so others can learn from this case.
Only some vague information. But the images of the server will go to our security team, so we will know more exactly later. However, it was not the latest mediawiki version, which was running .... I heard that the server will be back with current mediawiki in about 3 hours (no guarantee).
good morning :)
bye adrian
On Sun, Oct 02, 2005 at 10:11:41AM +0200, Adrian Schroeter wrote:
I heard that the server will be back with current mediawiki in about 3 hours (no guarantee).
Is that a backup, or the real thing? If a backup, from when? It could be that people have done changes that were not on the backup.
houghi
On Sunday 02 October 2005 10:20, houghi wrote:
On Sun, Oct 02, 2005 at 10:11:41AM +0200, Adrian Schroeter wrote:
I heard that the server will be back with current mediawiki in about 3 hours (no guarantee).
Is that a backup, or the real thing? If a backup, from when? It could be that people have done changes that were not on the backup.
The database is on a different system, which is not affected to my knowledge. So there will be no data loss, in worst case some invalid injections, which can get returned. However, we will know in more detail, when the forensic team and the security-team reviewed the images.
bye adrian
On Sunday, 2 October 2005 09:12, Dominique Leuenberger wrote:
houghi wrote:
On Sun, Oct 02, 2005 at 07:45:42AM +0100, James Ogley wrote:
Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website...
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
houghi
Is there any information available on how the break-in happened? What module exactly was exploited? I think it would be essential to know so others can learn from this case.
Well, our build systems are way better protected than the wiki in the DMZ. If we didn't notice during the beta, the chances are very low that we will notice it exactly one day after release ;) bye adrian
On Sun, Oct 02, 2005 at 09:12:53AM +0200, Dominique Leuenberger wrote:
houghi wrote:
On Sun, Oct 02, 2005 at 07:45:42AM +0100, James Ogley wrote:
Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website...
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
houghi
Is there any information available on how the break-in happened? What module exactly was exploited? I think it would be essential to know so others can learn from this case.
Please do not confuse defacement with a break in.
Cheers, Dominique
On Sunday 02 October 2005 09:01, houghi wrote:
On Sun, Oct 02, 2005 at 07:45:42AM +0100, James Ogley wrote:
Mental note, when I give the CD set to some friends who want to try out Linux for the first time, suggest they wait a day or so before checking the website...
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
The SL 10.0 release will not get delayed by this, because the ftp/rsync/... servers are completely independent from the wiki server.
bye adrian
On Sun, Oct 02, 2005 at 10:13:15AM +0200, Adrian Schroeter wrote:
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
The SL 10.0 release will not get delayed by this, because the ftp/rsync/... servers are completely independent from the wiki server.
I understand. I just was assuming that it was solved when 10.0 comes out. So there would be no reason to wait.
houghi
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
It's an RC1 set sitting on my desk right now.
Oh, and before I write an accompanying wiki entry on how to install the popular non-free plugins (flash/real/adobe) as well as mplayerplug-in (as soon as the PackMan crew do a 10.0 build of it), is there one already? I looked, but couldn't find it.
Oh, I'll also be writing a little SuSEconfig module to setup those plugins for /opt/mozilla/lib/plugins and /opt/MozillaFirefox/lib/plugins - do I need to add another directory for Konq, or does it pick them up from Mozilla's location?
-- James Ogley
James Ogley <james@usr-local-bin.org> writes:
Why wait a day, I hope it is fixed when SUSE 10.0 comes out.
It's an RC1 set sitting on my desk right now.
Oh, and before I write an accompanying wiki entry on how to install the popular non-free plugins (flash/real/adobe) as well as mplayerplug-in (as soon as the PackMan crew do a 10.0 build of it), is there one already? I looked, but couldn't find it.
flash/real/adobe will be available on ftp.suse.com as part of the extra tree...
[...]
Andreas -- Andreas Jaeger, aj@suse.de, http://www.suse.de/~aj SUSE Linux Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
flash/real/adobe will be available on ftp.suse.com as part of the extra tree...
cool, will the extra tree be available as a YaST repo? (and what will the details be?) :)
-- James Ogley
James Ogley <james@usr-local-bin.org> writes:
flash/real/adobe will be available on ftp.suse.com as part of the extra tree...
cool, will the extra tree be available as a YaST repo?
yes.
(and what will the details be?) :)
Check the 10.1-Alpha1 tree on ftp.suse.com,
Andreas
On Sat, Oct 01, 2005 at 11:20:40PM +0100, Marcus Cooper wrote:
Looks like Iran Hackers have defaced opensuse.org
It is on /. now. Would be nice if someone officially could state something there.
houghi
participants (15)
- Adrian Schroeter
- Adrian Schröter
- Allen
- Andreas Jaeger
- Chema Ollés
- Cristian Rodriguez
- Dominique Leuenberger
- Eberhard Moenkeberg
- houghi
- James Ogley
- Jorge Fábregas
- Marcus Cooper
- meister@netz00.com
- pmoellon
- Winston Graeme