The official website for the Apache Software Foundation was taken offline for several hours on Friday after a compromised SSH key was used to gain access to it.
Mikko Hypponen, CRO at F-Secure, claimed that ‘50 per cent of all web servers run Apache and Apache is distributed from apache.org’, the site that was hacked. While it was offline, the site displayed a message stating that Apache was ‘currently investigating a potential compromise of one of our servers. For security reasons most apache.org services are therefore offline, but will be restored shortly’.
It later revealed that the ‘compromise was due to a compromised SSH key, not due to any software exploits in Apache itself’. Eleven minutes later it claimed that it had restored services on its European mirror machine, which was not compromised.
Hypponen said: “The site looks normal now. Why is this important? Because the Apache web server software is distributed from apache.org, and roughly one half of all the web servers on the planet run on Apache! We have no information on whether any code on the site was modified or not.”
Mary Landesman, senior security researcher at ScanSafe, claimed that an exposed SSH key was used to authenticate access to minotaur.apache.org.
Landesman said: “During the compromise period, attackers were able to upload several CGI scripts and populate those scripts across multiple apache.org servers. According to Apache, the attacks began at 18:00 UTC on August 27th and were detected at 07:45 UTC on August 28th. Apache shut down the compromised servers as a result (some of which are now back online) and continues to investigate the occurrence.”
A report on the Apache blog claimed that at 6pm UTC on 27th August, an account used for automated backups of the ApacheCon website, which is hosted on a third-party hosting provider, was used to upload files to minotaur.apache.org. The account was accessed using SSH key authentication from that host.
It said: “To the best of our knowledge at this time, no end-users were affected by this incident, and the attackers were not able to escalate their privileges on any machines. While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided.”
It also claimed that, after investigation, it had determined that the European failover and backup machine, aurora.apache.org, was not affected. While some files had been copied to that machine by automated rsync processes, none of them were executed on the host, and it was restored from a ZFS snapshot to a version of all its websites taken before any accounts were compromised.
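The incident above turned on an automated-backup key that could do more than back up. An added example, not code from the article or from the Apache project, shows how to audit `authorized_keys` entries for automation keys that lack the restrictions sshd supports (`from=`, `command=`, `restrict`); the key material and host names in the sample file are constructed.

```python
# Added example (not from the article): flag authorized_keys entries whose
# automation keys are not pinned to a source host, forced to one command and
# stripped of shell, pty and forwarding access.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def split_options(field):
    """Parse 'from="a,b",command="x y",restrict' into a dict (commas inside quotes kept)."""
    opts, cur, quoted = {}, [], False
    for ch in field + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if cur:
                name, _, value = "".join(cur).partition("=")
                opts[name] = value
            cur = []
        else:
            cur.append(ch)
    return opts

def parse_entry(line):
    """Return (options, key_type, findings) for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):          # a leading options field is present
        quoted, end = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                quoted = not quoted
            elif ch.isspace() and not quoted:    # first unquoted space ends the options
                end = i
                break
        options, line = line[:end], line[end:].lstrip()
    opts = split_options(options)
    findings = []
    if "from" not in opts:
        findings.append("no from=: key accepted from any source host")
    if "command" not in opts:
        findings.append("no command=: key grants a shell, not just the backup job")
    if "restrict" not in opts:
        findings.append("no restrict: pty and port/agent forwarding still allowed")
    return opts, line.split(None, 1)[0], findings

def audit(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]
# Constructed sample file: an unrestricted backup key beside a locked-down one.
SAMPLE = """# backup automation keys (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed backup@hosting-provider
from="backup.example.org",command="rsync --server --sender -r . /srv/backup",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed backup@hosting-provider
"""
```

Run `audit(SAMPLE)` to see the first key reported with three findings and the second with none; the second entry is the shape a backup-only key should take.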