[Owasp-brazilian] Fwd: [WEB SECURITY] Apache.org Compromised via stolen SSH keys

Rodrigo Montoro(Sp0oKeR) spooker at gmail.com
Sun Aug 30 16:00:59 EDT 2009


---------- Forwarded message ----------
From: <robert at webappsec.org>
Date: Fri, Aug 28, 2009 at 2:19 PM
Subject: [WEB SECURITY] Apache.org Compromised via stolen SSH keys
To: websecurity at webappsec.org


The apache blog posted the following message indicating an SSH key
compromise.

"This is a short overview of what happened on Friday August 28 2009 to the
apache.org services.  A more detailed post will come at a later time after
we complete the audit of all machines involved.

On August 27th, starting at about 18:00 UTC an account used for automated
backups for the ApacheCon website hosted on a 3rd party hosting provider was
used to upload files to minotaur.apache.org.  The account was accessed using
SSH key authentication from this host.

To the best of our knowledge at this time, no end users were affected by
this incident, and the attackers were not able to escalate their privileges
on any machines.

While we have no evidence that downloads were affected, users are always
advised to check digital signatures where provided.

minotaur.apache.org runs FreeBSD 7-STABLE and is more widely known as
people.apache.org.  Minotaur serves as the seed host for most
apache.org websites, in addition to providing shell accounts for all
Apache committers.

The attackers created several files in the directory containing files for
www.apache.org, including several CGI scripts.  These files were then
rsynced to our production webservers by automated processes.  At about 07:00
on August 28 2009 the attackers accessed these CGI scripts over HTTP, which
spawned processes on our production web services.

At about 07:45 UTC we noticed these rogue processes on eos.apache.org, the
Solaris 10 machine that normally serves our websites.

Within the next 10 minutes we decided to shut down all machines involved as a
precaution.

After an initial investigation we changed DNS for most apache.org services
to eris.apache.org, a machine not affected and provided a basic downtime
message.

After investigation, we determined that our European failover and backup
machine, aurora.apache.org, was not affected.   While some files had
been copied to the machine by automated rsync processes, none of them were
executed on the host, and we restored from a ZFS snapshot to a version of
all our websites before any accounts were compromised.

At this time several machines remain offline, but most user facing websites
and services are now available.

We will provide more information as we can."


Apache Blog:
http://blogs.apache.org/infra/entry/apache_org_downtime_initial_report
Netcraft:
http://news.netcraft.com/archives/2009/08/28/apacheorg_compromised.html
ZDNET: http://blogs.zdnet.com/security/?p=4147

Regards,
- Robert
http://www.cgisecurity.com/





-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
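The incident above started with an automated-backup account whose SSH key was used from a third-party host to upload arbitrary files. As an added example (my code, not from the mail, the Apache infrastructure team, or OpenSSH), the check below parses an `authorized_keys` file and flags automation keys that lack `from=` and `command=` restrictions; the sample lines and key material are constructed placeholders.

```python
import re

# Added example (not the original mail's code): audit an authorized_keys file for
# automation keys lacking "from=" and "command=" restrictions.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")
# Option list = non-space chars or "quoted strings" (values may hold spaces) up to
# the first unquoted whitespace; one option = non-comma chars or "quoted strings".
_OPTS_RE = re.compile(r'^((?:[^\s"]|"[^"]*")+)\s+(.*)$')
_OPT_RE = re.compile(r'(?:[^,"]|"[^"]*")+')

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@third-party-host
from="203.0.113.10",command="/usr/local/bin/backup-rsync",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER restricted-backup
command="rsync --server --sender . /srv/www" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER command-only
"""

def parse_options(opt_str):
    """Turn 'from="a,b",no-pty' into {'from': 'a,b', 'no-pty': ''}."""
    options = {}
    for part in _OPT_RE.findall(opt_str):
        name, _, value = part.partition("=")
        options[name.strip().lower()] = value.strip('"')
    return options

def parse_authorized_key(line):
    """Return {'type', 'options', 'comment'} for one line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_TYPES):  # anything before the key type is options
        m = _OPTS_RE.match(line)
        if not m:
            return None  # options but no key material
        options, line = parse_options(m.group(1)), m.group(2)
    fields = line.split(None, 2)
    if len(fields) < 2:
        return None  # malformed: no key material
    return {"type": fields[0], "options": options,
            "comment": fields[2] if len(fields) > 2 else ""}

def audit_authorized_keys(text, required=("from", "command")):
    """Return (line_no, comment, missing_options) for each key lacking a restriction."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = parse_authorized_key(raw)
        if entry is None:
            continue
        missing = [opt for opt in required if opt not in entry["options"]]
        if missing:
            findings.append((line_no, entry["comment"], missing))
    return findings
```

Run `audit_authorized_keys(open("/home/backup/.ssh/authorized_keys").read())` on a real account; in the sample only the `restricted-backup` key passes, because it is pinned to one source address and one command.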