Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Apache Today [Your Apache News Source] To internet.com

Apache HTTPD Links
The Apache FAQ
Apache Module Registry
Apache Project
The Apache Software Foundation
PHP Server Side Scripting
The Java Apache Project
The Jakarta Project
Apache XML Project
ApacheCon
Apache-Perl Integration Project
Apache-Related Projects
The Linux Channel at internet.com
Apache Today
Linuxnewbie.org
Linux Planet
BSD Today
Linux Apps
All Linux Devices
Linux Today
BSD Central
Linux Start
PHPBuilder
Enterprise Linux Today
Linux Programming
Just Linux
Linux Central
SITE DESCRIPTIONS
Apache Software Foundation Server compromised, resecured.
May 31, 2001, 12 :38 UTC (1 Talkback[s]) (3377 reads)

[ Thanks to and Scott Courtney for this link. ]

From: Brian Behlendorf <brian@apache.org>
Subject: Apache Software Foundation Server compromised, resecured.
To: <announce@apache.org>
Date: Wed, 30 May 2001 23:05:59 -0700 (PDT)


Earlier this month, a public server of the Apache Software Foundation
(ASF) was illegally accessed by unknown crackers.  The intrusion into
this server, which handles the public mail lists, web services, and
the source code repositories of all ASF projects was quickly
discovered, and the server immediately taken offline.  Security
specialists and administrators determined the extent of the intrusion,
repaired the damage, and brought the server back into public service.

The public server that was affected by the incident serves as a source
code repository as well as the main distribution server for binary
release of ASF software.  There is no evidence that any source or binary
code was affected by the intrusion, and the integrity of all binary
versions of ASF software has been explicitly verified.  This includes
the industry-leading Apache web server.

Specifically: on May 17th, an Apache developer with a sourceforge.net
account logged into a shell account at SourceForge, and then logged
from there into his account at apache.org.  The ssh client at
SourceForge had been compromised to log outgoing names and passwords,
so the cracker was thus able get a shell on apache.org.  After
unsuccessfully attempting to get elevated privileges using an old
installation of Bugzilla on apache.org, the cracker used a weakness in
the ssh daemon (OpenSSH 2.2) to gain root privileges.  Once root, s/he
replaced our ssh client and server with versions designed to log names
and passwords.  When they did this replacement, the nightly automated
security audits caught the change, as well as a few other trojaned
executables the cracker had left behind.  Once we discovered the
compromise, we shut down ssh entirely, and through the serial console
performed an exhaustive audit of the system.  Once a fresh copy of the
operating system was installed, backdoors removed, and passwords
zeroed out, ssh and commit access was re-enabled.  After this, an
exhaustive audit of all Apache source code and binary distributions
was performed.

The ASF is working closely with other organizations as the investigation
continues,  specifically examining the link to other intrusion(s), such
as that at SourceForge (http://sourceforge.net/) [ and php.net
(http://www.php.net/). ]

Through an extra verification step available to the ASF, the integrity
of all source code repositories is being individually verified by
developers.  This is possible because ASF source code is distributed
under an open-source license, and the source code is publicly and freely
available.  Therefore, the ASF repositories are being compared against
the thousands of copies that have been distributed around the globe.
While it was quickly determined that the source code repositories on the
ASF server were untouched by the intruders, this extra verification step
provides additional assurance that no damage was done.

As of Tuesday, May 29, most of the repository has been checked, and as
expected, no problems have been found.  A list of verified modules
will be maintained, and is available here:
http://www.apache.org/info/hack-20010519.html

Because of the possible link of the ASF server intrusion to other
computer security incidents, the investigation is ongoing.  When
complete, the ASF will offer a complete and public report.

The Apache Software Foundation strongly condemns this illegal
intrusion, and is evaluating all options, including prosecution of the
individual(s) responsible to the fullest extent of the law.  Anyone
with pertinent information relating to this or other related events
should contact .  Anyone from the media with further
interest should contact .

Thanks.

        Brian Behlendorf
        President, Apache Software Foundation


Related Stories:
Slashdot: SourceForge Server Compromised(May 29, 2001)

  Current Newswire:
Netcraft Web Server Survey for December is available

O'Reilly: Apache Web-Serving with Mac OS X: Part 1

WDVL: Perl for Web Site Management: Part 3

Retro web application framework V1.1.0 release

Leveraging open standards such as Java, JSP, XML,J2EE, Expresso and Struts.

Netcraft Web Server Survey for November is available

FoxServ 2.0 Released

Ace's Hardware: Building a Better Webserver in the 21st Century

Web Techniques: Customer Number One

Apache-Frontpage RPM project updated

 Talkback(s) Name  Date
  Obligatory conspiracy theory
It seems someone is going to great lengths to make the point that "free software is insecure".

Anyway, I must get back to watching for black helicopters.   
  May 31, 2001, 16:45:47
Enter your comments below.
Your Name: Your Email Address:


Subject: CC: [will also send this talkback to an E-Mail address]
Comments:

See our talkback-policy for or guidelines on talkback content.

About Triggers Media Kit Security Triggers Login


All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4
Copyright INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.
http://www.internet.com/