This list keeps track of recent security measures in Drupal. The information is distilled from Security Announcements.
On April 13th, Apache announced that some of their servers were successfully compromised last week. They wrote a very detailed article about every step of the attack and what they did to prevent it from happening again. This is a recap of that article and some of the responses in the community.
RIP to lightweight utilities for monitoring your system.
FileMon and RegMon have now been retired from SysInternals.
Two issues I keep reading about a lot lately are Snow Leopard's and IE8's malware detection. I wish people were making more of a deal about WPA TKIP being broken.
In the early 2000s a hacker who goes by the pseudonym "Rain Forest Puppy" (RFP) broke into the bulletin board system of the security advisory group PacketStorm. He got administrative rights and stole about 800 passwords. There is a lot that the Drupal community can learn from RFP's attack.
SA-2008-072
The Storm project allows users with access to it to enter data that has not been properly sanitized.
Versions Affected
SA-2008-073
There is a CSRF in Drupal core which may allow someone to rerun old updates, which would impact the database.
Also note that the robots.txt and .htaccess files have changed and need to be replaced with the versions shipped in the new core release.
GPCODE.AK (also known as GPGCODE variant AK) holds infected computers for ransom. It encrypts all the data files on a computer and tells the owner that they can get their files back for $100-$200.
It is an improvement on a virus that the AV industry has been fighting for years. Now, instead of a flawed 660-bit key, it uses a much more secure 1,024-bit RSA key, and no flaws have been found yet.
SA-2008-070 - COMMENT MAIL
There is a CSRF (cross-site request forgery) in Comment Mail for Drupal 5.x prior to 5.x-1.1 that allows end users to administer permissions and ban IP addresses, deny a comment, or approve one.
In another blog entry, "VMware leaks and directory traversal", I got a comment that made me do some research. I came to the conclusion that the site was a rogue/fake spyware site and shouldn't be visited.
BTW, I'm not going to link there since it seems kind of hypocritical of me. After all, I am saying not to click links in comments, so it is a good exercise to look the article up and go there yourself.
The program he mentions, Spybot Search & Destroy (SpybotSD), is a good one and has been on the scene for a long time.
October 2008 has not been a kind month for Drupal. In addition to a 3rd-party module needing to be updated, there have been modules banned because of multiple vulnerabilities, many problems with people updating modules incorrectly in Drupal 6, and several problems with core that require Drupal core itself to be updated.