The Apache Software Foundation last week was the victim of a serious network attack in which a number of its Web servers and other machines were compromised by attackers who were able to gain root privileges and jump from machine to machine. The incident was embarrassing and a serious problem for the foundation, but instead of making excuses and hiding behind the veil of confidentiality, Apache officials have published the gory details of the attack.
Not only did the foundation detail which machines were compromised, but it also discussed exactly what tactics the attackers used and how they were able to break into the Apache network in the first place.
“Our initial running theory was correct–the server that hosted the apachecon.com (dv35.apachecon.com) website had been compromised. The machine was running CentOS, and we suspect they may have used the recent local root exploits patched in RHSA-2009-1222 to escalate their privileges on this machine. The attackers fully compromised this machine, including gaining root privileges, and destroyed most of the logs, making it difficult for us to confirm the details of everything that happened on the machine.
“The attackers attempted unsuccessfully to use passwords from the compromised ApacheCon host to log on to our production webservers. Later, using the SSH Key of the backup account, they were able to access people.apache.org (minotaur.apache.org).”
Even in the open-source world, this kind of detail in the report of an attack is incredibly rare. Most private and public companies are understandably reluctant to release anything close to this amount of data, even if they’re not prevented from doing so by some regulation. It’s not in the best interest of the company or its shareholders (if it has them) to release anything but the most basic information after a data breach or other attack. In fact, an attack like this in which no sensitive data was compromised likely would have elicited no response at all from a public company.
But the Apache Software Foundation obviously is in a far different position. As a not-for-profit corporation, the foundation can call its own shots. And in this case, the group chose to act in the best interests of the Internet community as a whole by airing its dirty laundry. Granted, the foundation will get some residual benefit from a large community of security experts analyzing its tactics and suggesting changes.
But most of the benefits will accrue to the wider Internet community in the form of rare forensic data on a major compromise. We need much more of this, but what Apache has done is a great start.