Data of linux.conf.au and PyCon Australia attendees exposed

Apr 6, 2015 08:11 GMT

A server belonging to open source organization Linux Australia was compromised, and the intruders managed to gain the highest privilege level on the machine and install botnet command and control (C&C) software.

According to the administrators, the attack took place on March 22, when the conference management (Zookeepr) hosting server began sending out a large volume of error reporting emails.

Server rebooted to load RAT in memory

The Zookeepr server hosts the conference systems for events such as linux.conf.au and PyCon Australia. It holds databases with personal information of conference participants, including names and contact details.

Two days later, an investigation into the source of the emails revealed that the server had been compromised: the attacker had triggered a remote buffer overflow condition that yielded root-level access to the machine.

The specific vulnerability exploited to take control of the machine has not yet been identified, the administrators said on the Linux Australia mailing list.

“A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started,” said Joshua Hesketh, president of Linux Australia, on Saturday.

Purpose of the attack was not data harvesting, admins believe

For the duration of the breach, the attacker had access to the full names, email and postal addresses, phone numbers (where provided) and hashed passwords of participants in conferences organized by Linux Australia.

The administrators of the organization do not believe that this was a targeted attack aimed at harvesting the info available on the server.

An investigation was initiated to learn more about the attack and to come up with solutions that would eliminate such risks in the future.

Apart from cleaning the remote access tool and the botnet software off the affected machine, the team also checked the modification times of the shell history files and reviewed their contents in order to retrace the attacker's steps.

The logs and the initialization scripts of the services were also examined in an attempt to determine which security hole was used to gain access to the server.
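The history-file check described above can be scripted. The following is an added example, not Linux Australia's own tooling: it lists the shell history files under the usual home directories of a copied-off filesystem, flags those modified after the date the alerts started, and also catches two things an attacker with root commonly leaves behind, a wiped (empty) history and a history redirected to /dev/null via a symlink. The directory tree, user names and timestamps it builds are constructed for illustration; only POSIX tools (touch -t, find -newer) are used so it behaves the same on a live host or a mounted image.

```shell
#!/bin/sh
# Added example, not Linux Australia's own tooling: triage shell history files
# after a suspected root compromise. The sample tree and timestamps below are
# constructed; the cutoff is the date the incident was first noticed.

set -u

# list_history_files ROOT
#   Print every shell history file under ROOT/root and ROOT/home/*,
#   including dangling symlinks (a symlink to /dev/null is a common
#   anti-forensics trick, so it must not be silently skipped).
list_history_files() {
    root="$1"
    for d in "$root"/root "$root"/home/*; do
        [ -d "$d" ] || continue
        for f in "$d"/.bash_history "$d"/.zsh_history "$d"/.sh_history; do
            if [ -L "$f" ] || [ -e "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# flag_history ROOT CUTOFF
#   CUTOFF is a touch(1) timestamp (CCYYMMDDhhmm, local time). Prints one
#   line per history file: "STATUS PATH", where STATUS is SYMLINK, EMPTY,
#   MODIFIED_AFTER_CUTOFF or UNCHANGED. find -newer is used instead of
#   stat(1) because stat's flags differ between GNU and BSD.
flag_history() {
    root="$1"
    cutoff="$2"
    ref=$(mktemp)
    touch -t "$cutoff" "$ref"
    list_history_files "$root" | while IFS= read -r f; do
        if [ -L "$f" ]; then
            status=SYMLINK                # history redirected, e.g. to /dev/null
        elif [ ! -s "$f" ]; then
            status=EMPTY                  # history wiped
        elif [ -n "$(find "$f" -newer "$ref")" ]; then
            status=MODIFIED_AFTER_CUTOFF  # review its contents
        else
            status=UNCHANGED
        fi
        printf '%s %s\n' "$status" "$f"
    done
    rm -f "$ref"
}

# build_sample_tree DIR
#   Constructed test data standing in for a copied-off filesystem.
build_sample_tree() {
    dir="$1"
    mkdir -p "$dir/root" "$dir/home/alice" "$dir/home/bob" "$dir/home/carol"
    printf 'ls\ngit pull\n' > "$dir/home/alice/.bash_history"
    touch -t 201503150000 "$dir/home/alice/.bash_history"    # before incident
    ln -s /dev/null "$dir/home/bob/.bash_history"             # anti-forensics
    : > "$dir/home/carol/.zsh_history"                        # wiped
    touch -t 201503230000 "$dir/home/carol/.zsh_history"
    printf 'uname -a\nid\n' > "$dir/root/.bash_history"        # post-intrusion
    touch -t 201503231200 "$dir/root/.bash_history"
}

# Run against the constructed tree. On a real incident, point flag_history at
# the mounted copy of the compromised disk and use the date the alerts began.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
flag_history "$demo_dir" 201503220000
rm -rf "$demo_dir"
```

Files reported as SYMLINK or EMPTY are evidence in their own right: an intruder with root has no reason to leave history intact, so their absence is as informative as a file full of unfamiliar commands. Remember that history is only written when an interactive shell exits cleanly, so a quiet history file does not prove that nothing ran.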

In an effort to ensure the integrity of the system, the compromised host is being decommissioned and the one replacing it will have stronger security in place.

The steps taken to achieve this goal include tighter restrictions for Internet-facing services, adopting key-based logins only, a better schedule for operating system updates, and an expiration date for system user accounts, set to three months after the end of a conference.

A copy of the logs will be sent to a central server equipped with a log analysis tool, to alert admins of suspicious activity. Furthermore, the conference database will be deleted from Zookeepr after being transferred to a different server.
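Two of the measures listed above, key-based logins only and a fixed expiry date for conference accounts, can be checked and applied from a short script. The following is an added example and not Linux Australia's configuration or tooling: it audits the global section of an sshd_config for password and root-login settings and prints the chage(1) commands that expire a list of accounts on a given date. The two sample config files are constructed; the weak one deliberately ends with a "PasswordAuthentication no" line, because sshd honours the first value it reads for a keyword, not the last, and a hardening edit appended to the end of the file is a common way for password logins to remain enabled unnoticed.

```shell
#!/bin/sh
# Added example, not Linux Australia's own configuration or tooling: audit the
# global section of an sshd_config for a key-only login policy and emit the
# account-expiry commands for conference accounts. The two config files
# written by write_samples are constructed for illustration.

set -u

# audit_sshd FILE
#   Checks the global (pre-Match) section of an sshd_config. sshd uses the
#   FIRST value given for each keyword, so a "no" appended at the end of a
#   file does not override an earlier "yes"; the audit mirrors that rule.
#   Prints one line per finding and returns the number of findings.
audit_sshd() {
    awk '
    function want(key, ok, pretty,   v) {
        if (!(key in val)) {
            print "FINDING: " pretty " not set (compiled-in default applies)"
            findings++
        } else {
            v = val[key]
            if (index(" " ok " ", " " v " ") == 0) {
                print "FINDING: " pretty " is \"" v "\", expected one of: " ok
                findings++
            }
        }
    }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        sub(/^[ \t]+/, "")
        n = split($0, a, /[ \t=]+/)          # "Key value" or "Key=value"
        k = tolower(a[1]); v = tolower(a[2])
        if (k == "match") {                  # per-connection overrides start
            print "INFO: Match block present; review its overrides separately"
            exit
        }
        if (!(k in val)) val[k] = v          # first occurrence wins
    }
    END {
        want("passwordauthentication", "no", "PasswordAuthentication")
        want("challengeresponseauthentication", "no", "ChallengeResponseAuthentication")
        want("permitrootlogin", "no without-password prohibit-password forced-commands-only", "PermitRootLogin")
        exit findings
    }' "$1"
}

# expiry_commands YYYY-MM-DD USER...
#   Prints the chage(1) invocations that expire each account on the given
#   date (for the policy above: three months after the conference ends).
expiry_commands() {
    expiry="$1"; shift
    case "$expiry" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "expiry_commands: date must be YYYY-MM-DD" >&2; return 1 ;;
    esac
    for u in "$@"; do
        printf 'chage -E %s %s\n' "$expiry" "$u"
    done
}

# write_samples DIR
#   Constructed sample configs. The weak one looks fixed at a glance because
#   its last line says "no", but sshd keeps the first value it read.
write_samples() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
# appended during an earlier cleanup; ignored by sshd
PasswordAuthentication no
EOF
    cat > "$dir/hardened.conf" <<'EOF'
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PermitRootLogin no
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== weak.conf";     audit_sshd "$tmp/weak.conf" || echo "findings: $?"
echo "== hardened.conf"; audit_sshd "$tmp/hardened.conf" && echo "no findings"
expiry_commands 2015-04-16 lca2015-admin pyconau2014-admin
rm -rf "$tmp"
```

The audit stops at the first Match line on purpose: directives after it apply only to matching connections, so they are reviewed separately rather than mistaken for global policy. After changing sshd_config, run sshd -t before restarting the service and keep an existing session open until a fresh key-based login has been confirmed.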

Attendees of the linux.conf.au and PyCon Australia events are asked to change their password if the same one is used for accessing other online accounts. This includes those using Mozilla Persona for authentication.