CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 14th, 2010

Apache.org Services Hit By Complex Attack, Server Breach Exposes Passwords

The Apache Software Foundation (ASF) announces that several of its services were targeted in a complex attack that led to a server being completely hacked and another partially compromised. A considerable number of possibly insecure password hashes have also been lifted from the organization’s systems.

The attack started on April 5 when someone created a fake error report in JIRA, a proprietary project management solution developed by a company called Atlassian and used by the ASF. The rogue entry contained a TinyURL-shortened link which, if opened, exploited an undisclosed JIRA cross-site scripting (XSS) vulnerability to steal the session cookies of logged-in users.

“When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights,” Philip Gollucci, the foundation’s vice president in charge of infrastructure, explained. He also noted that, at the same time, the JIRA login page was subjected to a brute force password guessing attack.

After obtaining a set of valid administrative credentials for the project management system, the attackers located a writable directory on the server and used it to execute malicious scripts. This allowed them to install a password logging component and capture additional JIRA logins.

“One of these passwords happened to be the same as the password to a local user account on brutus.apache.org, and this local user account had full sudo access. The attackers were thereby able to login to brutus.apache.org, and gain full root access to the machine. This machine hosted the Apache installs of JIRA, Confluence, and Bugzilla,” Mr. Gollucci said.

Furthermore, using cached SVN passwords found on the “rooted” server, the attackers managed to log into several limited shell accounts on minotaur.apache.org. This server, also known as people.apache.org, hosts accounts for all Apache developers and was the target of a different attack in August last year. Fortunately, the attackers did not manage to escalate privileges on this machine as well.

Users of the Apache Foundation’s JIRA, Bugzilla and Confluence (wiki) systems, all running on the compromised server, are advised that their passwords could be recovered from the stolen hashes. JIRA users in particular, who logged in between April 6 and April 9, should consider their passwords already compromised, as they were captured via the login form.

Apache.org’s infrastructure team has already taken several steps to prevent similar attacks in the future and the response received from the community so far is overwhelmingly positive. The majority of users congratulate the organization for its openness when dealing with incidents such as this one.

Credit: Softpedia.com News
