On Friday morning, August 28, a compromised SSH key enabled attackers to deploy a rootkit and upload files to one of the Apache Foundation's servers; the files were then synced to a production server.
A blog post from the Apache Foundation explained that attackers accessed an account at a hosting provider:
“To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines. While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided,” the staff wrote. “The attackers created several files in the directory containing files for www.apache.org, including several CGI scripts. These files were then rsynced to our production webservers by automated processes. At about 07:00 on August 28 2009 the attackers accessed these CGI scripts over HTTP, which spawned processes on our production web services.”
Last year we heard that SSH keys generated on certain versions of Debian and Ubuntu were considered compromised because of a highly predictable random number generator.
Considering that apache.org serves up the most popular Web server on the planet for both Windows and Linux, it's a significant event. Being Open Source, the issue is not one of confidentiality but of software integrity, and that is easy enough to ensure by reloading fresh copies of the uploaded files from SVN.
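The integrity check described above, as an added example that is not part of the original post or of the Apache Foundation's own tooling: the deployed web root is hashed file by file and compared against a trusted checkout, so that planted files (like the CGI scripts in the incident) and tampered pages show up as differences and can be reverted from the trusted copy. The "svn_checkout" and "htdocs" directories and every file in them are constructed inside a temporary directory for the demonstration; in practice the trusted tree would be a clean SVN working copy.

```python
"""Detect and undo unauthorized changes to a deployed web root by comparing it
against a trusted checkout. Added example: the 'trusted' tree stands in for the
SVN working copy and the 'deployed' tree for the rsync target; all file names
and contents below are constructed for the demonstration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(trusted: dict, observed: dict) -> dict:
    """Classify every difference: files that were dropped in (added), files whose
    content changed (modified) and files that vanished (missing)."""
    common = set(trusted) & set(observed)
    return {
        "added": sorted(set(observed) - set(trusted)),
        "modified": sorted(p for p in common if trusted[p] != observed[p]),
        "missing": sorted(set(trusted) - set(observed)),
    }


def restore_from_trusted(trusted_root: Path, deployed_root: Path, report: dict) -> None:
    """Bring the deployed tree back in line with the trusted one: delete planted
    files, overwrite modified ones and re-copy anything that is missing."""
    for rel in report["added"]:
        (deployed_root / rel).unlink()
    for rel in report["modified"] + report["missing"]:
        dst = deployed_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(trusted_root / rel, dst)


def _write(root: Path, rel: str, text: str) -> None:
    """Helper for the constructed fixture: create rel under root with text."""
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo() -> tuple:
    """Constructed scenario: a clean checkout and a deployed copy with one extra
    CGI script and one tampered page. Returns (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "svn_checkout"   # hypothetical trusted working copy
        deployed = Path(tmp) / "htdocs"        # hypothetical production web root
        for root in (trusted, deployed):
            _write(root, "index.html", "<html>Welcome</html>\n")
            _write(root, "docs/faq.html", "<html>FAQ</html>\n")
        # Differences exist only in the deployed copy (constructed test data).
        _write(deployed, "cgi-bin/planted.cgi", "#!/bin/sh\necho not-in-svn\n")
        _write(deployed, "index.html", "<html>Welcome</html>\n<!-- changed -->\n")

        before = compare_manifests(build_manifest(trusted), build_manifest(deployed))
        restore_from_trusted(trusted, deployed, before)
        after = compare_manifests(build_manifest(trusted), build_manifest(deployed))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before restore:", before)
    print("after restore: ", after)
```

Run as a script to see the report before and after the restore. The manifest of the trusted tree should be generated on a machine the attacker could not reach and kept with the hashes signed, since a manifest stored next to the deployed files can be edited along with them.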
First noted on F-Secure