Breaking: Ubuntu official forums hacked, 2 million users' information leaked

The official Ubuntu forums, Ubuntu Forums, were breached by an attacker, and the data of more than 2 million users (IP addresses, usernames and e-mail addresses) was stolen. Canonical, the company responsible for Ubuntu's development, explained the incident on its official blog: at 20:33 UTC on 14 July it was notified that someone had obtained a copy of the forum database; an initial investigation confirmed that data had been exposed, so the forums were shut down immediately as a precaution. Further investigation found that Forumrunner, an add-on used by the forums, had a known SQL injection vulnerability that had not been patched in time. Using this vulnerability the attacker downloaded the user-related database, but not passwords: the forums use Ubuntu Single Sign On, and the password field stored in the database holds only random strings.

A notice about this has already been posted on the Ubuntu Chinese forum.

The Ubuntu forum that was hacked is the official forum, not the Chinese forum.


The official blog gives the following account of the incident:

There has been a security breach on the Ubuntu Forums site. We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation. Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we'd like to share the details of the breach and what steps have been taken. We apologise for the breach and ensuing inconvenience.

What happened

At 20:33 UTC on 14th July 2016, Canonical's IS team were notified by a member of the Ubuntu Forums Council that someone was claiming to have a copy of the Forums database.

After some initial investigation, we were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.

What the attacker could access

The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the 'user' table.

They used this access to download portions of the 'user' table which contained usernames, email addresses and IPs for 2 million users. No active passwords were accessed; the passwords stored in this table were random strings as the Ubuntu Forums rely on Ubuntu Single Sign On for logins. The attacker did download these random strings (which were hashed and salted).

What the attacker could not access

We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.

We know the attacker was NOT able to gain access to valid user passwords.

We believe the attacker was NOT able to escalate past remote SQL read access to the Forums database on the Forums database servers.

We believe the attacker was NOT able to gain remote SQL write access to the Forums database.

We believe the attacker was NOT able to gain shell access on any of the Forums app or database servers.

We believe the attacker did NOT gain any access at all to the Forums front end servers.

We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.

What we've done

Cleanup

  • We backed up the servers running vBulletin, and then wiped them clean and rebuilt them from the ground up.
  • We brought vBulletin up to the latest patch level.
  • We reset all system and database passwords.

Hardening

  • We've installed ModSecurity, a Web Application Firewall, to help prevent similar attacks in the future.
  • We've improved our monitoring of vBulletin to ensure that security patches are applied promptly.

Source: insights.ubuntu.com/201
