
Apache.org compromised

The Apache project has suffered a server compromise which took the site off the net for some hours. "To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines. While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided."


Apache.org compromised

Posted Aug 28, 2009 21:15 UTC (Fri) by webmastir (guest, #59528) [Link] (1 responses)

Heh. That's a lil surprising, to say the least...

Apache.org compromised

Posted Aug 28, 2009 21:21 UTC (Fri) by webmastir (guest, #59528) [Link]

http://www.f-secure.com/weblog/archives/apacheh.png

Apache.org compromised

Posted Aug 30, 2009 22:47 UTC (Sun) by kotnik (subscriber, #57300) [Link] (1 responses)

The backdoor was an exposed SSH backup account.

I guess, another reason not to have passwordless keys...

Apache.org compromised

Posted Sep 3, 2009 14:18 UTC (Thu) by DennisJ (guest, #14700) [Link]

With a password protected key, backups only happen when someone tells the backup server what the password is. Using the 'command=<command>' feature in authorized_keys would probably be better.
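DennisJ's suggestion above, worked out as an added example (not code from the thread or from the Apache infrastructure team): a forced-command wrapper plus the authorized_keys options that go with it. The wrapper path /usr/local/bin/backup-wrapper, the directory /srv/backups and the two-word request vocabulary (list, fetch NAME) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the LWN thread or the Apache infra team.
# Forced-command wrapper for a backup key, paired with an authorized_keys
# line like this one (hypothetical path and key):
#
#   command="/usr/local/bin/backup-wrapper",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...EXAMPLE backup@client
#
# sshd runs the wrapper instead of whatever the client asked for and passes
# the client's request in SSH_ORIGINAL_COMMAND. The wrapper maps a tiny fixed
# vocabulary onto real commands, so a leaked passwordless key only buys
# "list backups" or "fetch one backup", never a shell.
BACKUP_DIR=/srv/backups   # assumed location, adjust for your setup

# Print the real command for an allowed request and return 0; return 1
# (printing nothing) for anything else, including an empty request.
backup_allowed_command() {
    case "$1" in
        list)
            printf '%s\n' "ls -1 $BACKUP_DIR"
            return 0 ;;
        "fetch "*)
            name="${1#fetch }"
            # one plain file name: no slashes, spaces or shell metacharacters,
            # and nothing starting with a dot (rules out "." and "..")
            case "$name" in
                '' | .* | *[!A-Za-z0-9._-]*) return 1 ;;
            esac
            printf '%s\n' "cat $BACKUP_DIR/$name"
            return 0 ;;
    esac
    return 1
}

run_backup_wrapper() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if real=$(backup_allowed_command "$req"); then
        # $real is built only from fixed words and a pattern-checked name,
        # so word splitting here is safe; no eval is involved.
        exec $real
    fi
    # Rejections are worth alerting on: the key is being used for
    # something the backup job never does.
    logger -t backup-wrapper "rejected request from ${SSH_CLIENT:-unknown}: '$req'"
    exit 1
}

# Only dispatch when installed and invoked as the wrapper itself.
case "$0" in
    */backup-wrapper) run_backup_wrapper ;;
esac
```

The restriction lives on the server side, so it holds even when the key file itself has no passphrase, which is what makes unattended backups workable.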

Apache.org compromised

Posted Aug 31, 2009 8:01 UTC (Mon) by elanthis (guest, #6227) [Link] (12 responses)

Bad PR though it may be, it could have been worse. At least it wasn't an exploited hole in Apache HTTPD.

Apache.org compromised

Posted Aug 31, 2009 9:19 UTC (Mon) by Trou.fr (subscriber, #26289) [Link] (11 responses)

Why bad PR? At least they did communicate rapidly about it. Not like RedHat / Fedora...

Apache.org compromised

Posted Aug 31, 2009 12:13 UTC (Mon) by lkundrak (subscriber, #43452) [Link] (9 responses)

Excuse me? Really, what's the difference here? Both Apache and Fedora took their systems down immediately and published details after the audit was done. As a Fedora user and contributor I had the impression that the infrastructure breach was communicated to me in the most responsible manner possible. The amount of information that could be published at that time was probably limited legally so that it would not interfere with the investigation.

Apache.org compromised

Posted Aug 31, 2009 13:20 UTC (Mon) by Trou.fr (subscriber, #26289) [Link] (8 responses)

Fedora's details were not published until months later: compromised in Aug 2008, explanation in March 2009: http://lwn.net/Articles/326170/

And, if I remember correctly, RedHat never issued a detailed account of their compromise.

Apache.org compromised

Posted Sep 3, 2009 13:36 UTC (Thu) by Trou.fr (subscriber, #26289) [Link] (7 responses)

Full investigation report, reasons, corrective measures:

https://blogs.apache.org/infra/entry/apache_org_downtime_...

Apache.org compromised

Posted Sep 7, 2009 13:11 UTC (Mon) by trasz (guest, #45786) [Link] (6 responses)

So, moral of the story is, if you have servers running RHEL, you better keep your important data on ZFS on some other system?

Apache.org compromised

Posted Sep 7, 2009 15:15 UTC (Mon) by hppnq (guest, #14462) [Link] (5 responses)

No, it is: patch your system for known vulnerabilities. (Yes, any system.)

Apache.org compromised

Posted Sep 12, 2009 8:02 UTC (Sat) by trasz (guest, #45786) [Link] (4 responses)

Even if you patch a vulnerability immediately after the vendor releases the fix, there is still a time window when you're vulnerable, between the vulnerability going public and the official version of the fixed kernel being released by RedHat. Also, patching systems takes time: you usually patch test systems first; production systems are patched after making sure it doesn't break anything in your setup.

So, most of the time, it's a good idea to just look for a system that has a better track record than Microsoft Windows. And this, unfortunately, excludes Linux, where you have an easily exploitable hole in the kernel every two or three months.

Apache.org compromised

Posted Sep 12, 2009 12:16 UTC (Sat) by nix (subscriber, #2304) [Link] (2 responses)

Look out: your bias really shows on the comments RSS feed: a dozen comments in a few minutes, all slamming either the GPL or Linux itself. I presume that you're trying to push one of the BSDs, which is odd, because the original author of at least one has said that it's dying because it loses developers to proprietary forks too often.

Apache.org compromised

Posted Sep 12, 2009 12:22 UTC (Sat) by trasz (guest, #45786) [Link] (1 responses)

Meanwhile, a few dozen other "authors" continue developing BSD systems exactly because their employers were able to create their own forks and invest significant R&D resources in enhancing them. Also, we are beginning to see a similar trend in other projects; for example, a couple of companies look forward to migrating from GCC to LLVM, due to unacceptable licensing restrictions of the former, either because they want to add their own code (Apple), or because they have just banned internal use of any GPL3 code (others).

Apache.org compromised

Posted Sep 12, 2009 12:33 UTC (Sat) by nix (subscriber, #2304) [Link]

Look up 'cherry-picking', 'cos that's what you're doing. Actually you're cherry-picking with a total of one example (Apple).

Apache.org compromised

Posted Sep 12, 2009 16:24 UTC (Sat) by hppnq (guest, #14462) [Link]

Oh, but it's even a lot worse: even if you are able to restore from the disk in your vault and patch immediately with all your data-carrying cables unplugged, you will still be vulnerable. There is not a single system in the world that is going to keep you safe.

Where it matters, patching is an integral part of the daily routine. As is monitoring. Drooling over your favourite OS is not.

Apache.org compromised

Posted Sep 1, 2009 19:25 UTC (Tue) by jengelh (subscriber, #33263) [Link]

Or Microsoft...


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds