SourceForge Hacker: Nothing Personal
The self-identified culprit behind last month's attacks on Apache.org and VA Linux's SourceForge and Themes.org web sites says he has nothing against the open source community -- he just thinks computer cracking is too easy.
In an online IRC interview, the cracker known ominously as "Fluffy Bunny" characterized his attacks as a strike against public disclosure of security holes. "i hack, dot slash or whatever you might want to call it, i do not write my own exploits, i use other people's stuff, and no im not anti-open source, i am however anti-sec. i support the anti-disclosure movement among the computer and network security communities," Bunny wrote.
Of Fluffy Bunny's recent victims, only VA Linux's Themes.org site is still down, closed for "technical problems." The company says it cannot comment until an investigation is completed.
The Apache Software Foundation is more forthcoming with information, and has posted a report of the Apache.org security breach.
According to the report, a Trojan horse implanted in SSH on SourceForge resulted in the compromise of an Apache developer's login ID and password, when he logged on from a SourceForge shell account on May 17th. That evening, Apache.org administrators discovered during a routine file integrity check that their own SSH client and server -- and other executables as well -- had been infected with Trojan horse code. The organization immediately secured the site by restoring executables and clearing all existing passwords.
Administrators have since verified that none of the Apache source code was compromised, though the foundation will not provide a full report until all investigations at the sites involved are completed.
Pat McGovern, head of SourceForge security, admits the site was compromised, but he told reporters that the break-in was discovered less than a week after it occurred.
Fluffy Bunny says that's wrong.
Shortly after McGovern's comments were reported, Themes.org, also a VA Linux site, was defaced by the cracker, who used the hijacked site to take responsibility for the earlier break-ins, and to ridicule McGovern's claims. Fluffy Bunny asserted that he had access to SourceForge, not for a week, but for over five months.
In the defacement, Fluffy Bunny also said he'd cracked Exodus Communications, an ISP, and Akamai, an Internet content delivery service. Fluffy Bunny backed up his claims by providing what appear to be user IDs and passwords from all the sites.
Asked about Fluffy Bunny's claims, Akamai responded with a vaguely worded statement: "Akamai was aware of a document posted to a popular Web site discussing a compromise to Akamai's internal business systems. Akamai's security team responded immediately to remove any vulnerabilities that this may have caused. At no time were the Akamai content delivery network, Akamai's customers, or partners impacted in any way. The situation was and is completely under control."
In Thursday's IRC interview, Fluffy Bunny confirmed that Akamai has secured its network.
The cracker also explained how all the recent compromises were related. The common link: a packet sniffer Fluffy Bunny put in place on Exodus. "There was a sniffer on exodus yes, but there are sniffers everywhere," Bunny wrote.
With the sniffer, Fluffy Bunny captured logon IDs and passwords for other sites, then installed Trojan horses at each new site. Exodus declined to comment on Fluffy Bunny's claims.
Fluffy said that he did not write his own exploits; he merely took advantage of known bugs with existing exploit code. The cracker said he works as a contractor in the field of security, and perhaps it is the ease of cracking so many sites using nothing but published exploits that makes him support the "anti-disclosure movement."
Asked if he considered himself a White Hat or Black Hat, he replied that the term "grayhat" might be better, adding that "no one can be truly a whitehat".
It should be noted that the IRC interview was arranged by following contact instructions left in the Themes.org defacement, but that doesn't rule out the possibility of a Fluffy Bunny imposter.
Before he could be asked to provide a verifiable bit of unpublished knowledge of the recent cracks, Fluffy Bunny suddenly had to leave. He missed an appointment to continue the interview an hour later. The IRC channel contained a number of nicks familiar to those who have viewed his defacements: Apache, torn, and Danny-Boy, for example. While proof of his identity remains elusive, none of the victims of his cracks are stepping up to refute his claims.
By Joe Barr