DKT27 Posted January 29, 2011

Open source hosting service SourceForge.net is having to deal with a break-in: last Wednesday, the SourceForge staff disabled various source code management services, among them the CVS server that much project development depends on. SourceForge.net hosts more than 250,000 open source projects including such popular programs as the Audacity audio editor, the AbiWord word processor, the VLC Media Player and the 7-zip compression tool.

At the time, the SourceForge team didn't provide any background information and simply stated that the CVS service would be temporarily unavailable for projects with specific first letters. More and more projects were affected as the day progressed, until the CVS server was eventually disabled altogether. The ViewVC code browser and the interactive shell also became unavailable. It wasn't until Thursday evening that the SourceForge crew announced that the measures were taken because of a server break-in. SourceForge said "The problem was initially discovered on the servers that host CVS, but our analysis indicates that several other machines were involved".

At present, the SourceForge team is examining the exploit vectors, cleaning the servers and validating the sources of various projects against clean back-up versions to ensure that no arbitrary code has been injected. No specific details about the break-in have so far been released, but the team plans to provide further information in the next few days. It is not yet known when the SourceForge services will be fully restored.

The central source code management system used by popular open source projects is a particularly worthwhile target for attackers: if they manage to break into the server, they can install secret back doors. As any changes the attackers make are not submitted via the source code management system, the responsible code developers don't receive the usual notification – and, due to the abundance of code in many projects, it is very likely that the compromised code will go unnoticed and become part of the program's next official release. An example of such an incident is the ProFTP project, where, in early December, unknown attackers broke into the server and installed a back door in the free ProFTP server. The developers only became aware of the intrusion when the compromised FTP server was already in circulation. Hosting numerous popular open source projects, SourceForge is a far more attractive target than an individual project's source code management system and is, therefore, under particularly heavy fire from attackers.

View: Original Article
DKT27 (Author) Posted January 31, 2011

SourceForge falls victim to password hack; globally resets accounts

SourceForge, a giant in aiding open source software and bringing developers together, has been the target of an attack regarding their login system. The attack hit multiple areas of the site, and even after taking several precautions, SourceForge decided it would be best to simply do a global password reset. SourceForge was quick to write up a full report of the incident on their blog, and also get the word out to their users via email.

The open-source host believes it has stopped and removed the attack before it got too far. Server logs reveal that an SSH daemon had been modified to begin password-sniffing. It is unlikely that any developer passwords were compromised, but just to be safe instead of sorry they did a global password reset, explained in the email below:

    We recently experienced a directed attack on SourceForge infrastructure (http://sourceforge.n...orge-net-attack) and so we are resetting all passwords in the sf.net database – just in case. We're emailing all sf.net registered account holders to let you know about this change to your account.

    Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised. But, what we definitely don't want is to find out in two months that passwords were compromised and we didn't take action. So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password.

The source of the attack is not known and the same with what exactly the reasons behind it were, other than potentially allowing a hacker to upload malicious versions of open source software. SourceForge is in the process of checking updates and locking down servers to prevent any unwanted surprises or another attack in the future. Currently, they are working on data validation comparing pre-attack backups to files appearing on the site. Services will be brought back one by one and only when safety measures and data checks are in place to prevent unauthorized actions against developers.

View: Original Article
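Both posts describe the same recovery step: validating project sources and site files against clean pre-attack backups. The script below is an added illustration of that check, not SourceForge's own tooling; it hashes every file in a clean backup tree and in the live tree and reports files that were added, modified or deleted outside the version control system. The sample trees are constructed in a temporary directory purely for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(clean, live):
    """Compare a clean backup tree with the live tree.

    Returns sorted lists of paths that were added to, modified in, or deleted
    from the live tree. Anything in 'added' or 'modified' that has no matching
    commit in the SCM history is what an incident responder needs to inspect.
    """
    c, l = hash_tree(clean), hash_tree(live)
    return {
        "added": sorted(set(l) - set(c)),
        "deleted": sorted(set(c) - set(l)),
        "modified": sorted(k for k in set(c) & set(l) if c[k] != l[k]),
    }


def build_demo():
    """Constructed sample (hypothetical, not real project data):
    a clean backup and a live copy with one altered file and one new file."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "backup", base / "live"
    for d in (clean, live):
        (d / "src").mkdir(parents=True)
        (d / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (d / "README").write_text("demo project\n")
    # Live tree drifts from the backup: main.c changed on disk, helper.c appeared
    # without ever passing through the SCM, which is exactly the silent change
    # the articles warn about.
    (live / "src" / "main.c").write_text("int main(void) { return 1; }\n")
    (live / "src" / "helper.c").write_text("/* not present in backup */\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    print(diff_trees(clean_dir, live_dir))
```

Run against a real backup and checkout, the 'modified' and 'added' lists should be cross-checked against the SCM log; a file that changed on disk with no corresponding commit is the signature of a direct server-side edit.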