SourceForge, Apache hacker: Nothing personal

posted on June 8, 2001
by hitbsecnews

The self-identified culprit behind last month's attacks on Apache.org and VA Linux's SourceForge and Themes.org
web sites says he has nothing against the open source community -- he just thinks computer cracking is too easy.

In an online IRC interview, the cracker known ominously as "Fluffy Bunny" characterized his attacks as a strike
against public disclosure of security holes. "i hack, dot slash or whatever you might want to call it, i do not write my
own exploits, i use other people's stuff, and no im not anti-open source, i am however anti-sec. i support the
anti-disclosure movement among the computer and network security communities," Bunny wrote.

Of Fluffy Bunny's recent victims, only VA Linux's Themes.org site is still down, closed for "technical problems." The
company says it cannot comment until an investigation is completed.

The Apache Software Foundation is more forthcoming with information, and has posted a detailed account of the
Apache.org security breach.

According to the report, a Trojan horse implanted in SSH on SourceForge resulted in the compromise of an Apache
developer's login ID and password, when he logged on from a SourceForge shell account on May 17th. That
evening, Apache.org administrators discovered during a routine file integrity check that their own SSH client and
server -- and other executables as well -- had been infected with Trojan horse code. The organization immediately
secured the site by restoring executables and clearing all existing passwords.

Administrators have since verified that none of the Apache source code was
compromised, though the foundation will not provide a full report until all investigations at
the sites involved are completed.

Pat McGovern, head of SourceForge security, admits the site was compromised, but he
told reporters that the break-in was discovered less than a week after it occurred.

Fluffy Bunny says that's wrong.

Sniffing Bunny
Shortly after McGovern's comments were reported, Themes.org, also a VA Linux site, was defaced by the cracker,
who used the hijacked site to take responsibility for the earlier break-ins, and to ridicule McGovern's claims. Fluffy
Bunny asserted that he had access to SourceForge, not for a week, but for over five months.

In the defacement, Fluffy Bunny also said he'd cracked Exodus Communications, an ISP, and Akamai, an Internet
content delivery service. Fluffy Bunny backed up his claims by providing what appear to be user IDs and passwords
from all the sites.

Asked about Fluffy Bunny's claims, Akamai responded with a vaguely worded statement: "Akamai was aware of a
document posted to a popular Web site discussing a compromise to Akamai's internal business systems.
Akamai's security team responded immediately to remove any vulnerabilities that this may have caused. At no time
were the Akamai content delivery network, Akamai's customers, or partners impacted in any way. The situation
was and is completely under control."

In Thursday's IRC interview, Fluffy Bunny confirmed that Akamai has secured its network.

The cracker also explained how all the recent compromises were related. The common link: a packet sniffer Fluffy
Bunny put in place on Exodus. "There was a sniffer on exodus yes, but there are sniffers everywhere," Bunny
wrote.

With the sniffer, Fluffy Bunny captured logon IDs and passwords for other sites, then installed Trojan horses at
each new site. Exodus declined to comment on Fluffy Bunny's claims.

Fluffy said that he did not write his own exploits, he merely took advantage of known bugs with existing exploit
code. The cracker said he works as a contractor in the field of security, and perhaps it is the ease of cracking so
many sites using nothing but published exploits that makes him support the "anti-disclosure movement."

Asked if he considered himself a White Hat or Black Hat, he replied that the term "grayhat" might be better, adding
that "no one can be truly a whitehat".

It should be noted that the IRC interview was arranged by following contact instructions left in the Themes.org
defacement, but that doesn't rule out the possibility of a Fluffy Bunny imposter.

Before he could be asked to provide a verifiable bit of unpublished knowledge of the recent cracks, Fluffy Bunny
suddenly had to leave. He missed an appointment to continue the interview an hour later. The IRC channel
contained a number of nicks familiar to those who have viewed his defacements: Apache, torn, and Danny-Boy, for
example. While proof of his identity remains elusive, none of the victims of his cracks are stepping up to refute his
claims.

SecurityFocus

Source
