The Apache Software Foundation (ASF), a group that assembled in 1999 to develop the Apache HTTP server and fuel open-source interests, made public Thursday that its server had been compromised by crackers. And with the revelation, the outfit professed why having an open-source model is advantageous in such serious situations.

The attack came from an unknown source May 17 and the server was taken offline right away so ASF administrators and security experts could deal with the situation. While not severe, the potential to cause damage was there as the server handles the public mail lists, Web services and most importantly, the source code repositories of all ASF projects.

ASF President Brian Behlendorf said "there is no evidence that any source or binary code was affected by the intrusion, and the integrity of all binary versions of ASF software has been explicitly verified," including the flagship Apache Web server.

Behlendorf and other experts were able to trace the cracker's steps to some degree. He said an Apache developer with a sourceforge.net account logged into a shell account at SourceForge, and then logged from there into his account at apache.org. The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker would have access to a shell on apache.org.

Upon failing to gain more privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he replaced the ssh client and server with versions designed to log names and passwords. Automated security audits caught the change, as well as a few other Trojaned executables the cracker had left behind.

At that point the organization shut down the server and performed a full audit, installed a fresh copy of the operating removed backdoors and negated passwords.

Behlendorf, who promised legal action where and if ever possible, stressed that ASF is working with other organizations to track the cracker, determine if additional comprises were made, and discern whether or not the ASF crack can be linked to previous intrusions at SourceForge and php.net.

ASF's leader also took the time to trumpet the advantages of open-source code models as opposed to the clenched-fist model employed by, well, Microsoft Corp.

"Through an extra verification step available to the ASF, the integrity of all source code repositories is being individually verified by developers," Behlendorf said in a public statement. "This is possible because ASF source code is distributed under an open-source license, and the source code is publicly and freely available. Therefore, the ASF repositories are being compared against the thousands of copies that have been distributed around the globe."

Behlendorf's suggestion is that the more developers that get a chance to verify the codes, the greater the chances are that additional information may be gleaned about the cracker and his or her methodology.

A list of verified modules will is available here. ASF asked that anyone with knowledge about the attack contact root@apache.org.