
Issue #1740 resolved

Blog seems to have been hacked?

Kevin Read
created an issue

I already wrote this to the google group, but as it might have a security impact I'll post again here.

blog.bitbucket.org seems to have been hacked. Look at the google cache page here: http://209.85.129.132/search?q=cache:TW4A27KmAVMJ:blog.bitbucket.org/+Its+software+licenses+through+coupon+description.+Most+new+Adobe+OnLocation+CS4&cd=1&hl=de&ct=clnk&gl=de (incidentally, this is also the first hit for the search term "Its software licenses through coupon description. Most new Adobe OnLocation CS4").

Somehow this SEO spam page is shown in my stock FF 3.5, Ubuntu 9.10. Chrome on the same system will display the blog front page.

I have dropped a stripped-down packet dump of visiting the page with both browsers at http://kevin-read.com/static/download/bitbucket.pcap

Please look into this immediately. If the blog was somehow hacked, this might have enabled access to other databases.

Best regards,

Kevin

Comments (3)

  1. Kevin Read reporter

    This is from "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8"

    Today, the page seems to be OK even in my browser. If I set my user-agent to "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" with the Tamper Data FF extension, I get the spam page again. Seems like a hack specifically targeted towards non-intrusive and hence nicely invisible SEO spam, only showing the spam page when the UA looks like a search engine.

    If you find the customized WP files, I would be highly interested in doing an analysis of the hack, if you can spare the time. A quick google search didn't show anything like that, it might be interesting to the security community.

    If you are looking for a nice django-based blogging engine, byteflow (http://byteflow.su/) has worked quite nicely for me (http://kevin-read.com runs byteflow). If you want to look into the admin interface, drop me a mail and I'll set up a guest account for you.
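The check the reporter did by hand (request the page as a normal browser, request it again as Googlebot, see whether the content differs) is easy to automate and is a useful routine check for a site owner who wants to catch this kind of user-agent cloaking. The script below is an added example and is not part of this issue or of Bitbucket's own tooling; the two user-agent strings are the ones quoted in the thread, while the `FAKE_SITE` responses and `fake_fetch` helper are constructed stand-ins so the comparison logic can be exercised offline. `http_fetch` does a real request when you point the script at a URL.

```python
"""Detect user-agent cloaking by comparing the browser view and the crawler
view of the same URL. Added example, not code from the issue thread."""
import hashlib
import re
import sys
import urllib.request

# User-agent strings quoted in the issue thread.
BROWSER_UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) "
              "Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def http_fetch(url, user_agent, timeout=10):
    """Fetch `url` with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def normalize(html):
    """Reduce HTML to lower-cased visible text so that markup, scripts and
    whitespace differences do not count as content differences."""
    text = re.sub(r"<(script|style).*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def compare_views(url, fetch=http_fetch, threshold=0.5):
    """Request `url` as a browser and as Googlebot and compare the visible text.

    Returns a dict with the token-set Jaccard similarity of the two views, the
    words that appear only in the crawler view (typical SEO spam terms), hashes
    of both bodies, and a `cloaked` verdict when similarity is below `threshold`.
    """
    browser_html = fetch(url, BROWSER_UA)
    crawler_html = fetch(url, GOOGLEBOT_UA)
    b = set(normalize(browser_html).split())
    c = set(normalize(crawler_html).split())
    union = b | c
    similarity = len(b & c) / len(union) if union else 1.0
    return {
        "url": url,
        "similarity": similarity,
        "cloaked": similarity < threshold,
        "crawler_only_terms": sorted(c - b),
        "browser_sha256": hashlib.sha256(browser_html.encode()).hexdigest(),
        "crawler_sha256": hashlib.sha256(crawler_html.encode()).hexdigest(),
    }


# Constructed sample responses (not captured from any real site). The "clean"
# site serves one body to everyone; the "cloaked" site swaps in a spam page when
# the User-Agent looks like a search-engine crawler.
_BLOG = "<html><body><h1>Bitbucket blog</h1><p>Release notes for this week.</p></body></html>"
_SPAM = ("<html><body><h1>Cheap software licenses</h1>"
         "<p>Discount coupon codes for Adobe OnLocation CS4</p>"
         "<script>track()</script></body></html>")
FAKE_SITE = {
    "http://clean.example/": {"browser": _BLOG, "crawler": _BLOG},
    "http://cloaked.example/": {"browser": _BLOG, "crawler": _SPAM},
}


def fake_fetch(url, user_agent):
    """Offline stand-in for http_fetch, backed by FAKE_SITE."""
    view = "crawler" if "googlebot" in user_agent.lower() else "browser"
    return FAKE_SITE[url][view]


if __name__ == "__main__":
    # Usage: python cloak_check.py http://blog.example/   (real request)
    #        python cloak_check.py                         (offline demo)
    targets = sys.argv[1:] or list(FAKE_SITE)
    fetcher = http_fetch if sys.argv[1:] else fake_fetch
    for target in targets:
        r = compare_views(target, fetch=fetcher)
        print(f"{target}: similarity={r['similarity']:.2f} cloaked={r['cloaked']}")
        if r["crawler_only_terms"]:
            print("  crawler-only terms:", ", ".join(r["crawler_only_terms"]))
```

The Jaccard threshold of 0.5 is a starting point, not a rule: a site that legitimately serves different templates to crawlers (stripped-down mobile pages, for instance) will need a higher tolerance, and a site that personalizes content per visitor will show some noise even when it is not compromised. What matters for triage is the `crawler_only_terms` list; a run of unrelated commercial keywords that never reach a browser is the signature of exactly the kind of invisible spam the reporter describes.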
