The Apache Software Foundation (ASF), a group that assembled in 1999 to
develop the Apache HTTP server and fuel open-source interests, made public
Thursday that its server had been compromised by crackers. With the
revelation, the outfit also explained why having an open-source model is
advantageous in such serious situations.
The attack came from an unknown source May 17 and the server was taken
offline right away so ASF administrators and security experts could deal
with the situation. While not severe, the potential to cause damage was
there, as the server handles the public mail lists, Web services and, most
importantly, the source code repositories of all ASF projects.
ASF President Brian Behlendorf said “there is no evidence that any source or
binary code was affected by the intrusion, and the integrity of all binary
versions of ASF software has been explicitly verified,” including the
flagship Apache Web server.
Behlendorf and other experts were able to trace the cracker's steps to some
degree. He said an Apache developer with a sourceforge.net account logged
into a shell account at SourceForge, and then logged from there into his
account at apache.org. The ssh client at SourceForge had been compromised to
log outgoing names and passwords, which handed the cracker a working login
to a shell on apache.org.
Upon failing to gain more privileges using an old installation of Bugzilla
on apache.org, the cracker used a weakness in
the ssh daemon (OpenSSH 2.2) to gain root privileges. Once root, s/he
replaced the ssh client and server with versions designed to log names and
passwords. Automated security audits caught the change, as well as a few
other Trojaned executables the cracker had left behind.
At that point the organization shut down the server, performed a full
audit, installed a fresh copy of the operating system, removed the backdoors
and reset all passwords.
Behlendorf, who promised legal action where and if ever possible, stressed
that ASF is working with other organizations to track the cracker, determine
whether additional compromises were made, and discern whether or not the ASF
crack can be linked to previous intrusions at SourceForge and php.net.
ASF's leader also took the time to trumpet the advantages of open-source
code models over the closed-source model employed by, well, Microsoft
Corp.
“Through an extra verification step available to the ASF, the integrity of
all source code repositories is being individually verified by developers,”
Behlendorf said in a public statement. “This is possible because ASF source
code is distributed
under an open-source license, and the source code is publicly and freely
available. Therefore, the ASF repositories are being compared against the
thousands of copies that have been distributed around the globe.”
Behlendorf's suggestion is that the more developers who get a chance to
verify the code, the greater the chances are that additional information
may be gleaned about the cracker and his or her methodology.
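Two of the checks described in this story, the automated audit that caught the replaced ssh binaries and the comparison of the ASF repositories against independently held copies, both come down to comparing file digests against a trusted reference. The following is an added example written for this page, not ASF's own audit tooling; the directory layout, file contents and the three "mirror" manifests are constructed for the demonstration, and the majority-vote rule for reconciling copies is this example's own choice.

```python
"""Added example (not ASF code): file-integrity auditing by hash manifest.

Two checks are shown:
 (1) a host audit that compares current digests of a directory tree
     against a trusted baseline, the kind of check that flags a replaced
     ssh client or daemon;
 (2) a consensus check that compares one copy of a source tree against
     several independently held copies, in the spirit of checking a
     repository against the copies distributed around the globe.
All file names and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path


def digest_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay out of RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped: an intruder can repoint one without touching content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = digest_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report paths whose digest changed, plus files that appeared or vanished."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def consensus_manifest(copies: list) -> tuple:
    """Majority vote per path across independently held copies.
    Returns (agreed digests, paths with no strict majority)."""
    paths = set().union(*copies)
    agreed, disputed = {}, []
    for p in sorted(paths):
        votes = Counter(c[p] for c in copies if p in c)
        digest, n = votes.most_common(1)[0]
        if n * 2 > len(copies):      # strict majority of all copies
            agreed[p] = digest
        else:
            disputed.append(p)
    return agreed, disputed


def verify_against_copies(local: dict, copies: list) -> dict:
    """Diff a local tree against the majority view of the distributed copies."""
    agreed, disputed = consensus_manifest(copies)
    result = compare_manifests(agreed, local)
    result["disputed"] = disputed
    return result


def simulate_trojaned_binary() -> dict:
    """Constructed scenario: baseline a fake bin/ directory, then overwrite
    'ssh' as a password-logging replacement would, and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ssh").write_bytes(b"\x7fELF original ssh client")
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original ssh daemon")
        baseline = build_manifest(root)
        (root / "bin" / "ssh").write_bytes(b"\x7fELF trojaned ssh client")
        (root / "bin" / ".dropper").write_bytes(b"leftover")   # extra file
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(simulate_trojaned_binary())
    # Three constructed mirrors of a source tree; the local copy has one altered file.
    def h(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()
    good = {"httpd.c": h(b"clean"), "README": h(b"readme")}
    local = dict(good, **{"httpd.c": h(b"backdoored")})
    print(verify_against_copies(local, [good, good, local]))
```

The baseline manifest is only as trustworthy as where it is kept: a root-level intruder who can replace sshd can also rewrite a manifest stored on the same host, which is why the second check, comparing against copies the intruder never touched, is the stronger of the two.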
A list of verified modules is available here. ASF asked that anyone with
knowledge about the attack contact root@apache.org.