Thursday, February 03, 2011

SourceForge Attacked

Received these two emails:

On Jan 28 2011:
Hello,

We recently experienced a directed attack on SourceForge infrastructure (http://sourceforge.net/blog/sourceforge-net-attack/) and so we are resetting all passwords in the sf.net database -- just in case. We're e-mailing all sf.net registered account holders to let you know about this change to your account.

Our investigation uncovered evidence of password sniffing attempts. We have no evidence to suggest that your password has been compromised. But, what we definitely don't want is to find out in 2 months that passwords were compromised and we didn't take action.

So, as a proactive measure we've invalidated your SourceForge.net account password. To access the site again, you'll need to go through the email recovery process and choose a shiny new password:

https://sourceforge.net/account/registration/recover.php

If you need help with this, feel free to e-mail us:

sfnet_ops@geek.net

We appreciate your patience with us as we work to respond to this attack. We'll be working through the weekend to get things back to normal as quickly as possible.

Watch for updates on the service outages on our blog:

http://sourceforge.net/blog/

Thank you,

The SourceForge Team


And Feb 1 2011:

Hello,

Please review this notice and contact us at sfnet_ops@geek.net with any concerns.

There was recently an attack on SourceForge systems as detailed here:
http://sourceforge.net/blog/sourceforge-attack-full-report

As a SourceForge user, you should already have received notice of our password reset event, also noted on the sourceforge.net login page.

As part of our response we examined account risks. User SSH key data may have been exposed during this incident. This is generally of limited concern since users post only the public key portion of their key pair.

In reviewing the SSH key data you uploaded for your account, we found one or more rows of data that did not appear to be an SSH public key. This could be junk text, private key data, or other data we can't programmatically identify.

As a precautionary measure we have taken the step of clearing the SSH key data we have on file for your account. Please generate a new SSH key, log in to sourceforge.net and upload a new public key. Instructions on SSH key generation may be found in our site docs at: http://sourceforge.net/apps/trac/sourceforge/wiki/SSH%20keys

If you have concerns or require assistance in generating/uploading a new SSH public key, please contact us at sfnet_ops@geek.net

Thank you,

SourceForge.net staff
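
The second email describes sorting stored key rows into public keys, private key data and unidentifiable text. The Python sketch below is an added example of such a check, not SourceForge's code; it assumes each row starts with the key type label (no `authorized_keys` options prefix), and the accepted type list and sample rows are constructed for illustration.

```python
import base64
import struct

# Key type labels accepted as the first field of a row (assumed list, not exhaustive).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"}

def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data

def _split_blob(blob):
    """Split a decoded key blob into its length-prefixed fields; ValueError if malformed."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields

def classify_row(row):
    """Return 'public', 'private' or 'unknown' for one stored row."""
    text = row.strip()
    if text.startswith("-----BEGIN") and "PRIVATE KEY" in text:
        return "private"  # PEM/OpenSSH private key header
    parts = text.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return "unknown"
    try:
        fields = _split_blob(base64.b64decode(parts[1], validate=True))
    except ValueError:  # also covers binascii.Error raised for bad base64
        return "unknown"
    # The blob must repeat the key type label and carry at least one more field.
    if len(fields) < 2 or fields[0] != parts[0].encode():
        return "unknown"
    return "public"

# Constructed sample: well-formed framing with filler bytes, not a usable key.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_PUBLIC = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example"

if __name__ == "__main__":
    for row in (SAMPLE_PUBLIC, "-----BEGIN RSA PRIVATE KEY-----", "hello world"):
        print(classify_row(row), "<-", row[:40])
```

Rows classified as anything other than `public` are the ones that would trigger the precautionary clearing the email describes.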


And now the interesting bits from the full report:

Password invalidation

Our analysis uncovered (among other things) a hacked SSH daemon, which was modified to do password capture. We don’t have reason to believe the attacker was successful in collecting passwords. But, the presence of this daemon and server level access to one-way hashed, and encrypted, password data led us to take the precautionary measure of invalidating all SourceForge user account passwords. Users have been asked to recover account access by email.
