By Dan Goodin in San Francisco
3rd September 2009
Administrators at the Apache Software Foundation have pledged to
restrict the use of Secure Shell keys for accessing servers over their
network following a security breach on Monday that briefly forced the
closure of the popular open-source website.
In a detailed postmortem describing how hackers penetrated several
heavily fortified machines, site admins identified their use of SSH keys
as one of the flaws that made the attack possible. They went on to lay
out concrete ways they plan to fix the problems, which also included
faulty procedures for backing up data and methods for providing
geographically localized servers for downloads.
"At no time were any Apache Software Foundation code repositories,
downloads, or users put at risk by this intrusion," they wrote here.
"However, we believe that providing a detailed account of what happened
will make the internet a better place, by allowing others to learn from
The hack started with the compromise of apachecon.com, a website that's
owned by the ApacheCon conference production company. Although logs
confirming the exact cause were destroyed, investigators suspect it was
the exploitation of one or more local root vulnerabilities in the Linux
kernel, for which Red Hat had issued a patch seven days earlier that had
not yet been installed. The attackers then used the SSH key for a backup
account to access the server that runs people.apache.org.