| A story about a hacking incident | |
|---|---|
| Author: Agner | Date: 2007-05-20 09:49 |
A hacker has found a security hole in my messageboard software. This has led to a feeding frenzy of hackers trying to exploit my website. The logfiles show thousands of attempted attacks in just a few days. Some hackers just planted a message saying "Hacked by" and some evil name. Some have installed backdoors for other hackers to use. Some have destroyed the vulnerable files that other hackers used. And worst of all, some tried to use my website for a phishing scam.

The most alarming thing about this incident is that a security firm may inadvertently have helped the hackers. The hacker who found the security hole placed a short notice on an obscure hacker website on May 9. The next day, the security company Secunia published this information in several languages, including all details necessary to exploit the security hole. In fact, they published more details than the hacker website had. It is quite likely that this has attracted the attention of more hackers, although I cannot know for sure because the first attacks happened on May 9. I think it is irresponsible of Secunia to publish technical details about a security hole without informing the person responsible for closing the hole. I was not aware of the hole until May 13 when I got a mail from a hacking victim. When I asked Secunia why they hadn't informed me, they answered: "Note that the vulnerability was made available on a third party website, which is not affiliated in any way to Secunia." The fact that they encourage researchers to contact vendors prior to disclosure does not make sense when the researcher is a hacker with bad intentions. I will therefore maintain that their practice is irresponsible. Do they have an interest in increasing the amount of hacking activity in order to justify their own existence?

Needless to say, I blocked all access to the vulnerable files immediately and started an investigation of what had happened. On May 19 I published a security update of my AForum software and informed all traceable users who had the same vulnerability. My sincere apologies to everybody who may have been affected by this.

The security hole can only be exploited when register_globals is turned on in the PHP configuration file. All PHP manuals recommend turning register_globals off, but unfortunately my web host does not follow the security recommendations. If you are using AForum software version 1.33 or earlier, then please turn off register_globals or update to the newest version of AForum.

This story also shows that there are thousands of hackers out there who have nothing else to do than exploit security holes that others have found. I wish these people would use their time and skills for something more productive, for example contributing to the many open source software development projects. This would earn them much more of the fame and recognition that they apparently are longing for. Finding security holes is a good thing. Exploiting such holes for destructive purposes is a bad thing.
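As an added illustration of the register_globals hazard the post names (this is not AForum's code and not the actual AForum hole, which the post does not detail), the classic uninitialized-flag pattern from the PHP manual, the hardened form beside it, and a startup guard that refuses to run while the setting is on. The `extract()` call and the `page_*` functions are constructed for the demonstration.

```php
<?php
// Added example, not AForum's code. Shows the generic register_globals
// hazard, not the specific AForum 1.33 vulnerability.

// 1. Startup guard: refuse to run if the host still has register_globals on.
//    (The setting was removed in PHP 5.4; on older hosts this is the check.)
function register_globals_is_on(): bool {
    $v = strtolower((string) ini_get('register_globals'));
    return in_array($v, ['1', 'on', 'true', 'yes'], true);
}

// 2. Vulnerable pattern: a flag assigned only on the success path and never
//    initialized. With register_globals=On, a request parameter named
//    "authorized" already populates $authorized before the check runs.
function page_vulnerable(array $request, bool $logged_in): string {
    // extract() reproduces what register_globals did: request keys become
    // local variables. Never do this in real code.
    extract($request);
    if ($logged_in) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin panel' : 'login required';
}

// 3. Hardened pattern: initialize every variable, read input only by name
//    from an explicit array, and never let request data define locals.
function page_hardened(array $request, bool $logged_in): string {
    $authorized = false;               // explicit default, cannot be injected
    if ($logged_in) {
        $authorized = true;
    }
    $page = isset($request['page']) ? (string) $request['page'] : 'home';
    return $authorized ? "admin panel ($page)" : "login required ($page)";
}

if (register_globals_is_on()) {
    exit("Refusing to run: set register_globals=Off in php.ini or .htaccess\n");
}

// Constructed request carrying a stray "authorized" parameter, sent by a
// visitor who is NOT logged in.
$request = ['authorized' => '1', 'page' => 'home'];
echo page_vulnerable($request, false), "\n";  // flag came from the request
echo page_hardened($request, false), "\n";    // explicit default holds
```

On a host where the setting cannot be changed in php.ini, `php_flag register_globals off` in a .htaccess file (Apache with mod_php) is the usual per-directory override.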