The recent rash of attacks against free and open source software projects continued this week with an attack that targeted SourceForge, the popular repository for open source projects. The attack compromised a number of separate systems, including the site’s CVS system.
The administrators at SourceForge detected the intrusion on Wednesday and during the investigation, they discovered that the attackers had succeeded in gaining access to several machines. After the attack was discovered, they quickly took a number of services offline, including the CVS system, Web-based code browsing, file upload capability and interactive shell services.
“Our immediate priorities are to prevent further exposure and ensure
data integrity. We have all hands on deck working on identifying the
exploit vector or vectors, eliminating them, and restoring the impacted
services,” the SourceForge staff wrote in a blog post on the attack.
“The problem was initially discovered on the servers that host CVS but
our analysis indicates that several other machines were involved, and
while we believe we’ve determined the extent of the attack, we are
verifying all of our other services and data.”
On Thursday, SourceForge staffers said that they still were in the process of trying to determine the full extent of the attack and that several service were offline still.
“CVS, ViewVC, file release uploads, and interactive shell services are
still disabled while we do the work to make sure our servers and
services are hardened against future attacks like this,” the staff said.
SourceForge is a resource site that enables developers to store projects under development and also serves as a download site for users.
The attack against SourceForge is the latest in what’s become a string of such incidents affecting free and open-source software projects. Earlier this week officials at the Fedora Project disclosed an attack against the project’s infrastructure. That incident was relatively minor, in that it resulted from the compromise of one user’s account credentials and the attacker didn’t make any changes to the Fedora packages.
In December attackers were able to compromise the main server used to distribute the ProFTPD software and insert a backdoor into the software code. The backdoored version of the software was mirrored to all of the other sites that distribute the software and the compromised version was available for download for several days before the intrusion was discovered.