Update on the SourceForge.net attack

File upload services

The shell servers used to provide this service were accessed illegitimately and have now been reloaded, with enhanced security controls.

File upload capability (SFTP, SCP, rsync over SSH) has been restored. Web based updates should work again immediately. SSH host keys have been updated and new fingerprints have been published to Site Docs and Site Status.

SSH host key fingerprints: http://sourceforge.net/apps/trac/sourceforge/wiki/SSH%20key%20fingerprints

User SSH key data

User SSH public key data was accessible during this attack. Users may wish to generate new SSH keys on a precautionary basis, though it is generally accepted that the exposure of public key data does not compromise the private key.

As a further precaution, we have processed all user SSH key data on file and have cleared SSH keys for users when we found any extra data, e.g. private key data, or even junk text. Users whose keys were cleared will be notified by email and will need to generate and upload new keys.

SSH key generation instructions: http://sourceforge.net/apps/trac/sourceforge/wiki/SSH%20keys
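The clearing policy described above (keep a user's key data only if every line is a well-formed public key; clear it if private key material or junk is mixed in) can be expressed as a small validator. The following is an added example, not SourceForge's own tooling: it parses each line as `<type> <base64 blob> [comment]`, decodes the blob and checks that the embedded key type matches the declared one, and flags any line carrying private key material or unparseable text. The accepted key types, the `make_demo_key` helper and its all-zero key body are constructed for this example.

```python
import base64
import re
import struct

# OpenSSH public key types this validator recognises (assumption for this example).
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_ssh_string(blob, offset):
    """Read one length-prefixed string from an SSH wire-format blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def check_public_key_line(line):
    """Return (ok, reason) for one line of a user's stored SSH key data."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return True, "blank or comment"
    if "PRIVATE KEY" in stripped:
        # PEM/OpenSSH private key headers must never appear in public key data.
        return False, "private key material present"
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        return False, "not a '<type> <base64> [comment]' line"
    key_type, b64 = parts[0], parts[1]
    if key_type not in KNOWN_KEY_TYPES:
        return False, f"unknown key type {key_type!r}"
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        return False, "key body is not base64"
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded_type, _ = _read_ssh_string(blob, 0)
    except (ValueError, struct.error) as exc:
        return False, f"key body does not decode: {exc}"
    if embedded_type != key_type.encode():
        return False, "key body does not match declared type"
    return True, "ok"


def audit_key_file(text):
    """Classify every line; returns a list of (line_no, ok, reason)."""
    return [(i, *check_public_key_line(ln))
            for i, ln in enumerate(text.splitlines(), 1)]


def should_clear(text):
    """True if any line is not a clean public key, i.e. the key data would be cleared."""
    return any(not ok for _, ok, _ in audit_key_file(text))


def make_demo_key(key_type="ssh-ed25519", comment="demo@example"):
    """Build a syntactically valid CONSTRUCTED public key line (all-zero body, not a real key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", 32) + bytes(32))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    sample = make_demo_key() + "\n-----BEGIN RSA PRIVATE KEY-----\nsome junk text\n"
    for line_no, ok, reason in audit_key_file(sample):
        print(line_no, "OK " if ok else "BAD", reason)
    print("clear this user's keys:", should_clear(sample))
```

The check is deliberately strict: a line that does not decode as a public key of the declared type is treated as junk, so the user is asked to re-upload rather than the service guessing what was meant. Lines that carry `authorized_keys` option prefixes would also be rejected by this validator; if a service accepts those, the prefix has to be stripped before the type check.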

File download services

Servers with write access to our file download data had been accessed illegitimately. As a precautionary measure we have done a complete reload of our master download mirror and controls around these servers have been enhanced.

We have identified modifications and uploads of files in the download service (File Release System) which occurred during the attack window by checking both timestamps and stored checksums. At this time we have no reason to believe any files were released or modified as part of this attack.

Projects with files added/modified during the attack window have been notified by email and, while we believe these adds/changes are legitimate, we are asking these projects to double-check our validation.

As a further precaution we are also in the midst of a full validation of all downloadable files on all download mirrors. We have no reason to believe any tampering occurred with our download mirrors, and service will remain online as we complete our validation. Mirrors will be updated with new file releases on a server-by-server basis as we complete this validation work.
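The validation described in the two paragraphs above (compare each file against the checksum stored at release time, and use timestamps to find files added or rewritten during the attack window) can be run over a mirror tree with a short script. The following is an added example, not SourceForge's File Release System code: `validate` takes a trusted manifest of path to SHA-256 and the result of walking a mirror directory, and sorts files into checksum mismatches, files touched or added inside the window, missing files and clean files. The attack window bounds, the directory layout and the file contents in `demo` are constructed; the real dates are not given on this page.

```python
import hashlib
import os
import tempfile

# Constructed attack window in epoch seconds (the real window is not on this page).
WINDOW_START = 1_000_000
WINDOW_END = WINDOW_START + 3 * 86_400


def sha256_of(path):
    """Stream a file through SHA-256; release archives can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map relative path -> (sha256, mtime) for every file under root."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = (sha256_of(full), os.stat(full).st_mtime)
    return found


def validate(manifest, observed, window_start=WINDOW_START, window_end=WINDOW_END):
    """Compare a trusted manifest {path: sha256} against scan_tree() output.

    Checksums decide integrity. Timestamps only decide which intact files still
    deserve a second look, because a writer on the server can also forge mtimes.
    """
    report = {"checksum_mismatch": [], "touched_in_window": [], "added_in_window": [],
              "unlisted": [], "missing": [], "clean": []}
    for rel, digest in sorted(manifest.items()):
        if rel not in observed:
            report["missing"].append(rel)
            continue
        seen_digest, mtime = observed[rel]
        if seen_digest != digest:
            report["checksum_mismatch"].append(rel)
        elif window_start <= mtime <= window_end:
            report["touched_in_window"].append(rel)   # intact, but rewritten in the window
        else:
            report["clean"].append(rel)
    for rel, (_, mtime) in sorted(observed.items()):
        if rel in manifest:
            continue
        bucket = "added_in_window" if window_start <= mtime <= window_end else "unlisted"
        report[bucket].append(rel)
    return report


def _write(root, rel, data, mtime):
    """Create a constructed release file with a chosen modification time."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))
    return path


def demo():
    """Build a constructed mirror tree plus manifest, then validate it."""
    old = WINDOW_START - 500_000
    during = WINDOW_START + 3_600
    with tempfile.TemporaryDirectory() as root:
        good = _write(root, "proj/1.0/proj-1.0.tar.gz", b"release 1.0", old)
        touched = _write(root, "proj/1.0/proj-1.0.zip", b"release 1.0 zip", during)
        _write(root, "proj/1.1/proj-1.1.tar.gz", b"release 1.1 with extra bytes", old)
        _write(root, "proj/1.2/proj-1.2.tar.gz", b"release 1.2", during)
        manifest = {
            "proj/1.0/proj-1.0.tar.gz": sha256_of(good),
            "proj/1.0/proj-1.0.zip": sha256_of(touched),
            # digest recorded at release time; the on-disk copy above differs
            "proj/1.1/proj-1.1.tar.gz": hashlib.sha256(b"release 1.1").hexdigest(),
            # listed in the manifest but no longer on disk
            "proj/0.9/proj-0.9.tar.gz": hashlib.sha256(b"release 0.9").hexdigest(),
        }
        return validate(manifest, scan_tree(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:18} {paths}")
```

The manifest has to come from a copy that the compromised servers could not write to; a checksum file stored beside the releases on the same host proves nothing once that host has been accessed. Files in `touched_in_window` and `added_in_window` are the ones to hand back to projects for confirmation, which is the step the notice describes.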

Other services

SCM data validation is in-progress. CVS service and ViewVC (web browsing of SCM) service remain offline pending completion of data validation activities.

Preparations to roll-out our updated project web offering are also in-progress. Interactive shell service is presently offline and will be restored in the same context as project web service restoration activities.
