From mpogue@apache.org Sat May 6 00:48:19 2000
Return-Path:
Mailing-List: contact general-help@xml.apache.org; run by ezmlm
Delivered-To: mailing list general@xml.apache.org
Received: (qmail 4596 invoked from network); 6 May 2000 00:48:19 -0000
Received: from mg02.austin.ibm.com (HELO mailgate2.austin.ibm.com) (192.35.232.12) by locus.apache.org with SMTP; 6 May 2000 00:48:19 -0000
Received: from netmail2.austin.ibm.com (netmail2.austin.ibm.com [9.53.250.97]) by mailgate2.austin.ibm.com (AIX4.3/8.9.3/8.9.3) with ESMTP id TAA23646 for ; Fri, 5 May 2000 19:49:28 -0500
Received: from popmail.austin.ibm.com (popmail.austin.ibm.com [9.53.247.178]) by netmail2.austin.ibm.com (8.8.5/8.8.5) with ESMTP id TAA69362 for ; Fri, 5 May 2000 19:48:18 -0500
Received: from apache.org (socks1.almaden.ibm.com [9.1.40.40]) by popmail.austin.ibm.com (AIX4.2/UCB 8.7/8.7-client1.01) with ESMTP id TAA21538 for ; Fri, 5 May 2000 19:48:16 -0500 (CDT)
Message-ID: <39136C24.E41AA62F@apache.org>
Date: Fri, 05 May 2000 17:49:40 -0700
From: Mike Pogue
Organization: xml.apache.org
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: general@xml.apache.org
Subject: Re: locus.apache.org hacked by white hats; FTP down for good, bugzilla down until audited.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

And, the story makes the news:

Apache site defaced in "embarrassing" hacker attack
http://yahoo.cnet.com/news/0-1003-200-1821155.html?pt.yfin.cat_fin.txt.ne

Mike

Brian Behlendorf wrote:
>
> Hi. We have been made aware (thanks to a very humorous banner ad for
> Microsoft Back Office on the front of www.apache.org!) that our particular
> configuration on www.apache.org of ftpd and bugzilla opened a security
> hole that allowed someone from the outside to get a shell account, and
> then get root. We have been in contact with those who found the hole, and
> have closed up the misconfigurations that allowed this.
>
> It is important to note that this is *not* a hole in the Apache web server
> or related software products. I would encourage double-checking the
> PGP signatures of Apache releases for the immediate future.
>
> However, I do not believe we are out of the woods yet. Bugzilla has not
> been thoroughly audited, and while I am not worried about ftpd, simply
> having another daemon that can write files to the web server whose purpose
> has been completely superseded by others suggests that taking it down for
> good is the right idea.
>
> So I am taking down FTP - something that should have been done long ago.
> If there are FTP links on any of our pages (or on places like freshmeat)
> they should be changed to HTTP. There are enough high-quality text-mode
> HTTP clients that there is no point to having it up, save for mirroring,
> and we allow rsync and cvsup for that. I will be contacting the mirror
> site admins list to communicate this.
>
> Also, I have taken down all installations of bugzilla on apache.org until
> it can be audited. I will be performing a first pass tonight over it, but
> anyone else familiar with perl and willing to deal with rather ugly code
> is welcome to do so as well. I will set it back up once I'm comfortable
> there's been at least one reasonable pass over the whole codebase and any
> obvious holes have been plugged. This is only life-support though; I
> really don't think we should be using bugzilla once a suitable replacement
> is found.
>
> Finally, I think it can be said that this compromise was mostly due to a
> lack of discipline on the part of those who had root and set up services
> without considering the ramifications of the way they were installed. I
> don't want to point fingers, since I'm probably at least as to blame as
> others, but I do feel that the policy of giving root access to a larger
> number of people than usual was probably a mistake. Along those lines,
> I've changed the root password and removed everyone from group wheel but
> myself - sorry to be fascist about this but I kinda feel like at the end
> of the day it's my responsibility. We'll come up with a strategy soon
> about granting sudo access to particular people for particular binaries so
> that I don't become a bottleneck again.
>
> The details will soon be posted to bugtraq. Thanks.
>
> Brian
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail: webmaster@xml.apache.org
> To unsubscribe, e-mail: general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org