Slashdot Cracked via Slashcode Default Password Problem
------------------------------------------------------------------------

SUMMARY

The well-known news site Slashdot <http://www.slashdot.org> has been cracked by two attackers who exploited the fact that slashcode uses a default password after installation.

DETAILS

Slashcode does not prompt for an administrative password during installation, and so if the administrator does not explicitly set a password, the default username / password pair remains God / Pete. This enables users to launch arbitrary code with the privileges of the web server.

This attack was successfully launched against a freshly installed machine on Slashdot's local network. After penetrating the machine, the attackers compromised the Slashdot database, and left a message for the slashdot administrators.

Workaround

Check to see if you have accounts named God, author or author1 and that they are not using default passwords. You may also want to evaluate which accounts have seclev privileges to alter block data.

Solution

Slashcode <http://slashcode.com/> will be releasing a new version of the current main branch that will no longer have default admin password and will require you to manually add an admin user. This issue has been fixed in the development release of slashcode (AKA Bender).

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
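An added example (not part of the original advisory and not Slashcode's own code) of the check described under Workaround, run over an exported account list. The column names, the plaintext-or-unsalted-MD5 comparison, the sample rows and the seclev threshold are assumptions; the advisory itself gives only the account names and the God / Pete pair.

```python
import csv
import hashlib
import io

# From the advisory: account names to look for, and the one stated default pair.
DEFAULT_NAMES = {"god", "author", "author1"}
KNOWN_DEFAULT_PAIRS = {"god": "Pete"}


def matches_default(stored, default):
    """True if the stored value is the default in plaintext or as an
    unsalted MD5 hex digest (storage format is an assumption)."""
    md5_hex = hashlib.md5(default.encode()).hexdigest()
    return stored == default or stored.lower() == md5_hex


def audit(csv_text, seclev_threshold):
    """Return (account, finding) pairs for an export with the hypothetical
    columns name,password,seclev. seclev_threshold is site-specific."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        key = name.lower()
        default = KNOWN_DEFAULT_PAIRS.get(key)
        if default is not None and matches_default(row["password"].strip(), default):
            findings.append((name, "default-password"))
        elif key in DEFAULT_NAMES:
            # Installer-created name: confirm by hand that its password was changed.
            findings.append((name, "default-account-name"))
        if int(row["seclev"]) >= seclev_threshold:
            findings.append((name, "privileged-seclev"))
    return findings


def sample_export():
    """Constructed sample data; passwords and seclev values are invented."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    rows = [("God", md5("Pete"), 10000), ("author", md5("constructed-1"), 100),
            ("editor1", md5("constructed-2"), 500), ("reader", md5("constructed-3"), 1)]
    return "name,password,seclev\n" + "".join(f"{n},{p},{s}\n" for n, p, s in rows)


if __name__ == "__main__":
    for account, finding in audit(sample_export(), seclev_threshold=500):
        print(f"{account}: {finding}")
```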
