Slashdot Mirror


Apache Foundation Attacked, Passwords Stolen

Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."

4 of 214 comments

  1. Respect by Xacid · Score: 5, Insightful

    Nothing but absolute respect for how Apache is handling this. Were there issues that became apparent as a result of this? Yes. But have they discovered the flaws, acknowledged them, and are looking to close those holes? Yes.

    It's a shame more companies can't operate with such...transparency I guess you'd call it. However, consumers respond differently to different types of companies.

    I, for one, am proud to see a company take this seriously instead of trying to sweep it under the rug.

  2. Re:Damage contained through one-time passwords. by HogGeek · Score: 4, Insightful

    Hmm, let's see:

    Implanting a back door in any one (if not all) of the Apache products, so that when Citibank does an upgrade...

    Far-fetched, yes. But not out of the realm of possibility...

  3. Re:Damage contained through one-time passwords. by jimicus · Score: 3, Insightful

    I can think of a couple.

    It's a very prestigious target (if you're the sort that would do this for some sort of prestige). It's also a poster-child for a solid OSS product - what better way to spread FUD?

  4. Re:Damage contained through one-time passwords. by gad_zuki! · Score: 3, Insightful

    Or upload a trojan into the hosted Apache installers.