Ubuntu forums are back online after the massive hack attack, which took place about two weeks ago, with Canonical not only strengthening the security of its infrastructure but also detailing the deeds of the hacker.
Canonical has claimed that only the forums were affected; neither its Ubuntu Linux distribution nor its other services, Ubuntu One and Launchpad, were touched by the attack. Canonical has blamed the “combination of a compromised individual accounts and the configuration settings in vBulletin, the Forums application software” in a blog post that gives further details about the hack.
According to the autopsy, the attacker gained access to a moderator’s account, which was used to post announcement messages on the forum and to send private messages to three Ubuntu forum administrators stating that there was a server error on the announcement page and that they should look into it. One of the administrators did look at the announcement page, and before he could reply to the private message, the attacker, disguised as the moderator, was able to log in as that forum administrator.
Judging from the above autopsy, it seems that the attacker managed to exploit an XSS flaw in the script, which gave away the administrator’s cookies and authentication data.
Canonical further added that once the attacker had administrative access to the Forums, “they were able to add a hook through the administrator control panel.” Using the hook, the attacker explored the environment and uploaded and installed “two widely available PHP shell kits.”
Canonical concludes that the attacker would have had full access to the Forum database, which would explain the download of the ‘user’ table, containing the usernames, salted and hashed MD5 passwords and email addresses of 1.82 million users.
Canonical has also described in detail the steps it has taken to strengthen security and to fend off future attacks.