02 Aug 2013

Ubuntu community forum hack followup

On July 14, 2013 an attacker obtained a moderator account on the Ubuntu discussion forums that had global privileges. Those privileges allowed the attacker to post an announcement and then notify 3 forum admins “to take a look at” the announcement page to “see its error.” The announcement page most likely carried an XSS attack that sent the cookies of anyone viewing the announcement back to the attacker.


Additionally, the attacker added a hook (PHP code that runs whenever the page is loaded) to the vBulletin admin control panel. The hook then fires for any unsuspecting control panel user and runs, in the background, whatever command strings the attacker loads into it. One such string was a rootkit used to grab the user database table, which held 1.82M users’ logins, email addresses and passwords.


On July 30th, 2013, James Troup of Canonical posted a followup on the hacking of Ubuntu’s discussion forums describing their response:

Clean up

  • We sent individual mails to all Forums users informing them of the breach and that they should consider their Forum password compromised. We advised them to change this password on any other systems where they may have re-used it.

  • We backed up the servers running vBulletin, and then wiped them clean and rebuilt them from the ground up.

  • We randomised all user passwords in the Forums.

  • We reset all system and database passwords.

  • We manually imported data into a fresh database after sanity checking each table.

Hardening

  • We’ve removed the ability to modify or add new hooks except via root access to the database.

  • We’ve disabled all potential HTML posting avenues in the Forums for everyone but administrators.

  • We’ve switched the Forums to use Ubuntu SSO for user authentication.

  • We’ve implemented automated expiry of inactive moderator and administrator accounts.

  • We’ve confined vBulletin with an AppArmor profile.

  • We’ve reviewed and further hardened the firewalling around the Forums servers.

  • We’ve reviewed and further hardened the PHP config on the server to close off some vectors used by the attacker.

  • We’ve switched to forcing HTTPS for the administrator and moderator control panels and made it optionally available everywhere else.

  • We’ve improved escalation procedures for the Ubuntu Community members who graciously volunteer their time to administer and moderate the Forums.

  • We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid scenarios similar to this one. The vBulletin support staff have been helpful and cooperative throughout this incident.


Finally, we’d like once again to apologize for the security breach, the data leak and downtime.
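The hook backdoor described above, and the hardening step of locking down hook changes, both come down to knowing what is in the hook table. As an added defender-side illustration (not code from the post, from Canonical or from vBulletin), this Python sketch audits a snapshot of a vBulletin-style hook table against a known-good baseline, reporting hooks that were added, removed or modified and any active hook that calls a shell or code-evaluation function. The column names and the sample rows are assumptions made for the example; the post does not describe the real schema.

```python
import hashlib
import re

# Constructed snapshots of a vBulletin-style hook/plugin table. The column
# names (pluginid, hookname, active, phpcode) and the rows are assumptions
# made for this example; the page does not describe the real schema.
BASELINE = [
    {"pluginid": 1, "hookname": "global_start", "active": 1,
     "phpcode": "// vendor-supplied hook\n$vbulletin->options['x'] = 1;"},
]
CURRENT = [
    {"pluginid": 1, "hookname": "global_start", "active": 1,
     "phpcode": "// vendor-supplied hook\n$vbulletin->options['x'] = 2;"},
    {"pluginid": 9, "hookname": "admin_global", "active": 1,
     "phpcode": "exec($_REQUEST['c']);"},  # constructed: runs loaded commands
]

# PHP functions that run shell commands or generated code; an active hook
# calling one of these deserves a human look even if it matches the baseline.
RISKY_RE = re.compile(r"\b(eval|exec|system|passthru|shell_exec|popen"
                      r"|proc_open|assert|create_function|base64_decode)\s*\(")


def fingerprint(rows):
    """Map pluginid -> (hookname, active flag, sha256 of the PHP body)."""
    return {r["pluginid"]: (r["hookname"], r["active"],
                            hashlib.sha256(r["phpcode"].encode()).hexdigest())
            for r in rows}


def risky_calls(phpcode):
    """Sorted, de-duplicated risky PHP function names used in a hook body."""
    return sorted(set(RISKY_RE.findall(phpcode)))


def audit_hooks(baseline, current):
    """Diff two snapshots; return (pluginid, finding) tuples: changes by id,
    then risky-call findings for active hooks in the current snapshot."""
    before, after = fingerprint(baseline), fingerprint(current)
    findings = []
    for pid in sorted(set(before) | set(after)):
        if pid not in after:
            findings.append((pid, "removed"))
        elif pid not in before:
            findings.append((pid, "added"))
        elif before[pid] != after[pid]:
            findings.append((pid, "modified"))
    for r in current:
        calls = risky_calls(r["phpcode"])
        if r["active"] and calls:
            findings.append((r["pluginid"], "risky calls: " + ", ".join(calls)))
    return findings
```

Running `audit_hooks(BASELINE, CURRENT)` on the constructed rows reports hook 1 as modified and hook 9 as added with a risky `exec` call; in practice the baseline would be taken right after a clean rebuild and the current rows read from the live database on a schedule.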

 
