Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Software

Project Hosting Service Fosshub Compromised, Embedding Malware Inside Hosted Files (softpedia.com) 57

At least some applications on Fosshub, a free project hosting service appear to have been compromised, according to several reports. (Update: Fosshub has acknowledged the hack.) The software portal, furthermore, is serving malware payloads, reports add. Catalin Cimpanu of Softpedia says that a hacking group which goes by the name of PeggleCrew is responsible for the hack. "In short, a network service with no authentication was exposed to the internet," the hacker told Softpedia in an email. "We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email." The hacker group told the publication that they have compromised the entire website, "including the administrator's email. He also revealed he didn't dump the site's database but claimed that "passwords weren't salted." A user on Reddit, who has since received lots of upvotes, adds: Some popular apps that have links to FossHub that may be infected include: Audacity, WinDirStat, qBittorrent, MKVToolNix, Spybot Search&Destroy, Calibre, SMPlayer, HWiNFO, MyPhoneExplorer, and IrfanView.Another application which has reportedly been compromised is Classic Shell. It is ostensibly overwriting the MBR on users' computers. Many users are upset with the timing of hack, noting that plenty of people were looking for Classic Shell amid the release of Windows 10 Anniversary Update. Update: 08/03 17:30 GMT by M :In a blog post, Audacity said that Fosshub was serving a hacked copy of its audio editing software for three hours. It adds that "no Audacity Team infrastructure was compromised." Fosshub team writes: Last night we had a security incident caused by a group of hackers that allowed them to log-in to FossHub developer *through* an user that was compromised. Shortly after, we noticed two users that were compromised. They simply logged-in using their passwords and this allowed them to escalate. [...] Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage. FossHub.com is down on purpose until we are able to identify the way hackers were able to escalate. Fosshub insists that the hacked copy of Classic Shell was only downloaded 300 times. In the meantime, if you know someone who may have downloaded the compromised copy of Classic Shell, here's what they need to do next.
This discussion has been archived. No new comments can be posted.

Project Hosting Service Fosshub Compromised, Embedding Malware Inside Hosted Files

Comments Filter:
  • by Snotnose ( 212196 ) on Wednesday August 03, 2016 @12:56PM (#52636815)
    I updated Classic Shell yesterday. How do I tell if my MBR got re-written, or other malware got installed?
    • make a rescue disk. Reboot. If you can, you're fine, if not use rescue disk to rebuild mbr

    • Classic Shell info (Score:4, Informative)

      by Futurepower(R) ( 558542 ) <MJennings.USA@NOT_any_of_THISgmail.com> on Wednesday August 03, 2016 @02:12PM (#52637505) Homepage
      This is a discussion of the temporarily infected Classic Shell installation file: W10 anniversary update, installed CS4.3, had to repair OS [classicshell.net].

      Clean: ClassicShellSetup_4_3_0.exe
      MD5: e10881b65c27c6e09e5a33cd8bcd99c6
      SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
      File size: 7220496 bytes

      Infected: ClassicShellSetup_4_3_0.exe
      MD5: c67dff7c65792e6ea24aa748f34b9232
      SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
      File size: 7148732 bytes
    • Why don't you reboot the system and see? =)

      I have to say that as much as it sucks for those affected (which is not that much, since it's just the MBR), this virus is like a breath of fresh retro-air. Check out the message [twimg.com]

      Ahh, it's like being in 1998 again and getting your drive wiped by CIH. Those were the days.

  • by Anonymous Coward

    I don't know anything about malware hosted files... but I can tell you a lot about apk's malware infested host file.

  • by Nanoda ( 591299 ) on Wednesday August 03, 2016 @01:10PM (#52636941)

    I couldn't find any information on _when_ this was likely to have happened. I use 1/2 that list at home and the office, but haven't updated any in a few weeks at least, so I'd like to check that out.

  • by Anonymous Coward

    Ouch.

    That site was pretty thoroughly compromised. It's going to take ages to clean up this mess. If it was me, I don't think I could ever trust that site to host my files again.

    My only concerns now are: where source repositories compromised and is there any chance compromised applications will make it - or have made it - into, say, Debian or Fedora, or did the compromise just affect Windows installers (as the summary implies)?

"Kill the Wabbit, Kill the Wabbit, Kill the Wabbit!" -- Looney Tunes, "What's Opera Doc?" (1957, Chuck Jones)

Working...