The Apache Infrastructure Team has released a detailed analysis of the recent attack that led to multiple apache.org servers being compromised. After outlining the mistakes that made the incident possible and their plan to strengthen security, the admins have been congratulated by the community for their openness.
The full report published on the Apache Foundation's blog starts by stressing that, "At no time were any Apache Software Foundation code repositories, downloads, or users put at risk by this intrusion," and explains that, "Providing a detailed account of what happened will make the internet a better place, by allowing others to learn from our mistakes."
It was confirmed that the point of entry for the attackers was the server hosting the Apache Conference website (apachecon.com), which was being maintained by a third-party company. The attackers gained root privileges on the machine, possibly by using a local privilege escalation exploit. There is little information available about how they got access, because they deleted the logs.
What's certain, though, is that they used the SSH key associated with an account the Apache Infrastructure Team had on that server for backup purposes to jump to people.apache.org, the Foundation's "staging machine for our mirror network," as it is called in the report. The newly obtained access was used to write CGI scripts into the document root of the apache.org website, which were then propagated to all mirrors by the automatic sync processes. These scripts were later executed by the attackers over HTTP in order to obtain remote shell...
Read the Original:
Admins Acknowledge Mistakes That Lead to Apache.org Hack
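The failure mode described above is that unreviewed executable content written to a staging document root was copied to every mirror automatically. The following is an added example, not code from the Apache report or from this article: a pre-sync audit that compares the document root against an approved manifest and flags new or modified files. The function names, the extension list, and the idea of a manifest kept off the staging host are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CGI_EXTENSIONS = {".cgi", ".pl", ".py", ".sh", ".php"}  # assumed handler-mapped extensions


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def looks_executable(path):
    # A file could run as CGI if it has an exec bit, a CGI-style extension, or a shebang.
    if os.stat(path).st_mode & 0o111:
        return True
    if os.path.splitext(path)[1].lower() in CGI_EXTENSIONS:
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def audit_docroot(docroot, manifest):
    """Return sorted (relative_path, reason) findings that should block a mirror sync."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if rel not in manifest:  # manifest: relative path -> approved SHA-256
                reason = "new executable content" if looks_executable(full) else "new file"
                findings.append((rel, reason))
            elif sha256_of(full) != manifest[rel]:
                findings.append((rel, "modified since approval"))
    return sorted(findings)


def demo():
    # Constructed sample tree: one approved page plus one unreviewed script.
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as fh:
            fh.write("<h1>mirror</h1>")
        manifest = {"index.html": sha256_of(page)}
        with open(os.path.join(root, "status.cgi"), "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        return audit_docroot(root, manifest)
```

A sync job would run `audit_docroot` first and refuse to propagate while the returned list is non-empty.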
nice posting,,