The self-identified culprit behind last month's attacks on Apache.org and
VA Linux's SourceForge and Themes.org web sites says he has nothing
against the open source community -- he just thinks computer cracking is
In an online IRC interview, the cracker known ominously as "Fluffy Bunny"
characterized his attacks as a strike against public disclosure of
security holes. "i hack, dot slash or whatever you might want to call it,
i do not write my own exploits, i use other people's stuff, and no im not
anti-open source, i am however anti-sec. i support the anti-disclosure
movement among the computer and network security communities," Bunny
Of Fluffy Bunny's recent victims, only VA Linux's Themes.org site is
still down, closed for "technical problems." The company says it cannot
comment until an investigation is completed.
The Apache Software Foundation is more forthcoming with information, and
has posted a
detailed account of the Apache.org security breach.
According to the report, a Trojan horse implanted in SSH on SourceForge
resulted in the compromise of an Apache developer's login ID and password,
when he logged on from a SourceForge shell account on May 17th. That
evening, Apache.org administrators discovered during a routine file
integrity check that their own SSH client and server -- and other
executables as well -- had been infected with Trojan horse code. The
organization immediately secured the site by restoring executables and
clearing all existing passwords.
Administrators have since verified that none of the Apache source code was
compromised, though the foundation will not provide a full report until
all investigations at the sites involved are completed.
Pat McGovern, head of SourceForge security, admits the site was
compromised, but he told reporters that the break-in was discovered less
than a week after it occurred.
Fluffy Bunny says that's wrong.
Shortly after McGovern's comments were reported, Themes.org, also a VA
Linux site, was defaced by the cracker, who used the hijacked site to
take responsibility for the earlier break-ins, and to ridicule McGovern's
claims. Fluffy Bunny asserted that he had access to SourceForge, not for a
week, but for over five months.
In the defacement, Fluffy Bunny also said he'd cracked Exodus
Communications, an ISP, and Akamai, an Internet content delivery service.
Fluffy Bunny backed up his claims by providing what appear to be user IDs
and passwords from all the sites.
Asked about Fluffy Bunny's claims, Akamai responded with a vaguely worded
statement: "Akamai was aware of a document posted to a popular Web site
discussing a compromise to Akamai's internal business systems. Akamai's
security team responded immediately to remove any vulnerabilities that
this may have caused. At no time were the Akamai content delivery
network, Akamai's customers, or partners impacted in any way. The
situation was and is completely under control."
In Thursday's IRC interview, Fluffy Bunny confirmed that Akamai has
secured its network.
The cracker also explained how all the recent compromises were related.
The common link: a packet sniffer Fluffy Bunny put in place on Exodus.
"There was a sniffer on exodus yes, but there are sniffers everywhere,"
With the sniffer, Fluffy Bunny captured logon IDs and passwords for other
sites, then installed Trojan horses at each new site. Exodus declined to
comment on Fluffy Bunny's claims.
Fluffy said that he did not write his own exploits; he merely took
advantage of known bugs with existing exploit code. The cracker said he
works as a contractor in the field of security, and perhaps it is the ease
of cracking so many sites using nothing but published exploits that makes
him support the "anti-disclosure movement."
Asked if he considered himself a White Hat or Black Hat, he replied that
the term "grayhat" might be better, adding that "no one can be truly a
It should be noted that the IRC interview was arranged by following
contact instructions left in the Themes.org defacement, but that doesn't
rule out the possibility of a Fluffy Bunny imposter.
Before he could be asked to provide a verifiable bit of unpublished
knowledge of the recent cracks, Fluffy Bunny suddenly had to leave. He
missed an appointment to continue the interview an hour later. The IRC
channel contained a number of nicks familiar to those who have viewed his
defacements: Apache, torn, and Danny-Boy, for example. While proof of
his identity remains elusive, none of the victims of his cracks are
stepping up to refute his claims.
By Joe Barr