Educause Security Discussion mailing list archives

Re: Multiple .edu sites reportedly victims of db theft


From: Ian McDonald <iam () ST-ANDREWS AC UK>
Date: Tue, 3 Feb 2015 14:22:31 +0000

The guys at another ac.uk think it may be linked to 'orsee'.

Anyone on the list that might confirm by inspecting their logs?

Thanks

Sent from my phone, please excuse brevity and/or misspelling.
________________________________
From: Greg Vickers <g.vickers () GRIFFITH EDU AU>
Sent: 03/02/2015 11:07
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Multiple .edu sites reportedly victims of db theft

Hi John,

Is there any other information about how or what is vulnerable, or what information was extracted?  More information 
will be required before any organisation could do a response and begin the investigation into how to remediate.

Greg

On 3/02/2015 7:51 PM, John Stauffacher wrote:
All,

I came across an individual a few days ago on twitter (@abdilo_) that was bragging about breaching multiple .edu's via 
sqli. He claimed responsibility for a breach of Metropolitan State University, and this afternoon dropped this partial 
list of .edu sites that he reportedly has breached and absconded with their databases:

http://pastebin.com/yyhT6tzc

If anyone on this list is a member of these organizations, or can reach out to them -- it is important that they know. 
From the communication that I have gotten from this person (all via twitter) this issue seems to be systemic in some 
piece of software shared amongst all these groups. If that is the case, then we are looking at a vendor related flaw -- 
and the list of potential targets is pretty large.

--

John Stauffacher
GPG Fingerprint: 5756 3A3B ADA3 22A6 9B26 6CA8 DB8D 2AC3 7699 0BD


--
Greg Vickers,
mobile: +61 410 434 734, desk: +61 7 3735 4847
Senior Project Manager, IT Infrastructure/Planning and Projects
Griffith University, Nathan campus, CRICOS 00233E
