The Apache Infrastructure Team has published an in-depth analysis of the recent attack that led to several apache.org servers being compromised. After outlining the errors that made the incident possible and their plan to strengthen security, the admins have been congratulated by the community for their openness.
The full report, published on the Apache Foundation's blog, starts by stressing that "At no time were any Apache Software Foundation code repositories, downloads, or users put at risk by this intrusion," and explains that "Providing an in depth account of what happened will make the internet a better place, by allowing others to learn from our problems."
It was confirmed that the point of entry for the attackers was the server hosting the Apache Conference website (apachecon.com), which was being maintained by a third-party company. The attackers gained root privileges on the machine, possibly by using a local privilege escalation exploit. There is little information available about how they got in, because they deleted the logs.
What is certain, though, is that they used the SSH key associated with an account the Apache Infrastructure Team had on that server for backup purposes to jump to people.apache.org, the Foundation's "staging machine for our mirror network," as the report calls it. The newly obtained access was used to write CGI scripts into the document root of the apache.org website, which were then propagated to all mirrors by the automatic sync processes. The attackers later executed these scripts over HTTP in order to obtain remote shells.
The first thing the Apache Infrastructure Team criticize themselves for is their handling of SSH keys, which, by their own account, left a lot to be desired. "We did not restrict SSH keys appropriately, and we were unaware of their misuse," they write. The second is leaving ExecCGI enabled even though most of their websites do not require it. Finally, the existing setup of the rsync and logging processes also contributed to the success of the attack.
The admins are in the process of making changes to address these problems. These include, but are not limited to, requiring all users with elevated privileges to use OPIE for sudo on certain machines; recreating and using new SSH keys, one per host, for backups, while also enforcing the use of from="" and command="" restrictions in the authorized keys file on the destination backup server; disabling CGI support on most website systems; and re-implementing measures such as IP banning after multiple failed logins on all machines.
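As an added illustration, not taken from the Apache report or its infrastructure, the following shows the restricted authorized_keys entry described above beside the unrestricted form the attackers could abuse, plus a small POSIX shell audit that flags entries lacking either option; the host names, backup path and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Apache report: a backup key restricted with
# from="" and command="" beside an unrestricted one, plus an audit that flags
# authorized_keys entries missing either option. Host names, the backup path
# and the key material are constructed placeholders.

# Restricted entry: only the named client host may use the key, and the only
# command it can run is the fixed rsync receiver for the backup directory.
RESTRICTED_ENTRY='from="backup-client.example.org",command="rsync --server -logDtpr . /srv/backup/",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA backup@backup-client'

# Unrestricted entry of the kind the attackers abused: whoever holds the key
# gets an interactive shell on the backup server.
UNRESTRICTED_ENTRY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA backup@backup-client'

# key_is_restricted LINE: exit 0 if the entry's option list carries both
# from="..." and command="...", 1 otherwise.
key_is_restricted() {
    # Everything before the key type token (ssh-* or ecdsa-*) is the option
    # list; an entry with no options starts with the key type itself.
    opts=$(printf '%s\n' "$1" | sed -E 's/ ?(ssh-[a-z0-9]+|ecdsa-[a-z0-9-]+) .*$//')
    case "$opts" in *from=\"*) ;; *) return 1 ;; esac
    case "$opts" in *command=\"*) return 0 ;; *) return 1 ;; esac
}

# audit_authorized_keys FILE: report unrestricted entries on stderr and print
# their count on stdout; blank lines and comments are skipped.
audit_authorized_keys() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! key_is_restricted "$line"; then
            printf 'UNRESTRICTED: %s\n' "$line" >&2
            count=$((count + 1))
        fi
    done < "$1"
    printf '%s\n' "$count"
}
```

Run the audit against each backup account's authorized_keys file on the destination server; a count other than zero means a key that still grants more than the single rsync command.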
"What really impresses me, however, is how well Apache handled the potentially highly embarrassing incident – taking swift action and keeping their users informed via blog updates. […] So bravo to Apache for responding to the problem rapidly and with openness, proving it is achievable to turn a potentially bad story into a positive experience," Graham Cluley, senior technology consultant at antivirus vendor Sophos, comments.
Follow the editor on Twitter @lconstantin