[Catalog-sig] bad package that's fishing bitbucket emails
mal at egenix.com
Thu Mar 29 13:36:31 CEST 2012
Robert Kern wrote:
> On 3/29/12 11:56 AM, M.-A. Lemburg wrote:
>> M.-A. Lemburg wrote:
>>> Michael Foord wrote:
>>>> Hello mt,
>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>> not to bitbucket, but to the code.thejeshgn.com:
>>> Needless to mention that the login info is sent in clear as well...
>>> I think we should inform Atlassian about this.
>> Looks like he cloned bitbucket for all his bitbucket repos:
>> and happily proxies requests through his site.
> Are we sure this is not just an instance of this supported feature of Bitbucket?
Oh dear, they even promote such use... what a poor security model :-(
You were right:
$ dig code.thejeshgn.com
; <<>> DiG 9.7.4-P1 <<>> code.thejeshgn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34768
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 2
;; QUESTION SECTION:
;code.thejeshgn.com. IN A
;; ANSWER SECTION:
code.thejeshgn.com. 3600 IN CNAME bitbucket.org.
bitbucket.org. 360 IN A 18.104.22.168
bitbucket.org. 360 IN A 22.214.171.124
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
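The manual dig check from the message above, as an added example that is not part of the original thread: it parses a dig answer section and reports whether a suspect host is only a CNAME alias for the service it appears to copy. The function names are hypothetical, and the sample records are the ones quoted in the message.

```python
import re

# Answer section as quoted in the dig output in the message above.
DIG_ANSWER = """\
code.thejeshgn.com. 3600 IN CNAME bitbucket.org.
bitbucket.org. 360 IN A 18.104.22.168
bitbucket.org. 360 IN A 22.214.171.124
"""

# owner, TTL, class IN, record type, single-token rdata (enough for A/CNAME)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def norm(name):
    """Compare DNS names case-insensitively and without the root dot."""
    return name.rstrip(".").lower()

def parse_answer(text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((norm(owner), rtype.upper(), rdata))
    return records

def cname_chain(records, host, max_hops=8):
    """Follow CNAME records starting at host; return the names visited."""
    cnames = {o: norm(r) for o, t, r in records if t == "CNAME"}
    chain = [norm(host)]
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in chain:  # CNAME loop, stop following
            break
        chain.append(nxt)
    return chain

def classify(text, host, service):
    """'alias' if host is a CNAME chain ending at service, else 'independent'."""
    chain = cname_chain(parse_answer(text), host)
    if len(chain) > 1 and chain[-1] == norm(service):
        return "alias"
    return "independent"
```

An "alias" result only says the name resolves to the service's own addresses; it does not show where a login form on that page submits credentials.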