SourceForge disables servers after break-in
Open source hosting service SourceForge.net is having to deal with a break-in: last Wednesday, the SourceForge staff disabled various source code management services, among them the CVS server that much project development depends on. SourceForge.net hosts more than 250,000 open source projects including such popular programs as the Audacity audio editor, the AbiWord word processor, the VLC Media Player and the 7-zip compression tool.
At the time, the SourceForge team gave no background information and simply stated that the CVS service would be temporarily unavailable for projects whose names begin with specific letters. More and more projects were affected as the day progressed, until the CVS server was eventually disabled altogether. The ViewVC code browser and the interactive shell also became unavailable.
It wasn't until Thursday evening that the SourceForge crew announced that the measures were taken because of a server break-in. SourceForge said "The problem was initially discovered on the servers that host CVS, but our analysis indicates that several other machines were involved".
At present, the SourceForge team is examining the exploit vectors, cleaning the servers and validating the sources of various projects against clean back-up versions to ensure that no arbitrary code has been injected. No specific details about the break-in have so far been released, but the team plans to provide further information in the next few days. It is not yet known when the SourceForge services will be fully restored.
The central source code management system used by popular open source projects is a particularly worthwhile target for attackers: if they manage to break into the server, they can plant hidden back doors. Because the attackers' changes are not submitted through the source code management system, the responsible developers don't receive the usual commit notification, and, given the sheer volume of code in many projects, the compromised code is very likely to go unnoticed and end up in the program's next official release.
An example of such an incident is the ProFTP project, where, in early December, unknown attackers broke into the server and installed a back door in the free ProFTP server. The developers only became aware of the intrusion when the compromised FTP server was already in circulation. Hosting numerous popular open source projects, SourceForge is a far more attractive target than an individual project's source code management system and is, therefore, under particularly heavy fire from attackers.
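The validation against clean back-ups mentioned above can be done with a per-file hash manifest: hash every tracked file in the back-up and in the live tree, then report what was added, removed or altered outside the SCM. The following is an added illustration, not SourceForge's own procedure; the project layout, file contents and the tampering it detects are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

SKIP_DIRS = {"CVS", ".svn", ".git"}  # SCM metadata, not source content


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and not SKIP_DIRS.intersection(rel.parts):
            manifest[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_trees(clean, suspect):
    """Files present only on the live server, missing from it, or altered."""
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in clean.keys() & suspect.keys()
                           if clean[p] != suspect[p]),
    }


def demo():
    """Constructed sample: a clean back-up and a tampered copy of a tiny project."""
    files = {"src/main.c": b"int main(void) { return 0; }\n",
             "README": b"hello\n",
             "CVS/Entries": b"/main.c/1.1/placeholder"}
    with tempfile.TemporaryDirectory() as clean_dir, \
            tempfile.TemporaryDirectory() as live_dir:
        for base in (clean_dir, live_dir):
            for rel, data in files.items():
                p = Path(base, rel)
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # Simulated on-disk edits that bypass the SCM (no commit, no notification)
        Path(live_dir, "src/main.c").write_bytes(b"int main(void) { extra(); return 0; }\n")
        Path(live_dir, "src/extra.c").write_bytes(b"void extra(void) {}\n")
        Path(live_dir, "CVS/Entries").write_bytes(b"changed")  # metadata, ignored
        return diff_trees(hash_tree(clean_dir), hash_tree(live_dir))


if __name__ == "__main__":
    print(demo())
```

Any entry in the result is a file that changed without passing through the SCM and needs to be restored from the back-up or reviewed before the next release.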
- SourceForge.net Attack, a SourceForge.net blog post.
- SourceForge.net Attack Update, a SourceForge.net blog post.