In association with heise online

28 August 2009, 11:34

SSH Key compromise takes offline - Update 2

The web-site is currently displaying a message that the service is offline. The Infrastructure team at the Apache Software Foundation have taken the systems offline while investigating a compromise on one of their servers. According to the message, the problem relates to a compromised SSH key and is "not due to any software exploits in Apache itself".

A later update says that services on the European mirror were not compromised and that the team are in the process of switching DNS over to point to those systems, saying "DNS should be shifting you over right about ... now ...".

Update - The site is now online again, but no further details of the compromise have been released.

Update 2 - Details of the results of initial investigations have now been published. The Apache administrators say "To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines. While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided".

An account used for automated backups with a third-party hosting provider, and its associated SSH key, were used to access an Apache server used for seeding pages to production Apache servers. The attackers created CGI scripts on the server, which were rsynced to some production servers. The attackers then connected to the scripts, which started a number of processes. The infrastructure team spotted these processes, and in turn the attack, and the administrators took the servers offline ten minutes later.

