Slashdot Mirror

← Back to Stories (view on slashdot.org)

SourceForge Down After Attack [Updated]

Posted by timothy on from the their-bad-childhood-affects-you dept.

Animats writes "SourceForge, a hosting site for many open source projects, is down today. Management claims they were attacked: 'We detected a direct targeted attack that resulted in an exploit of several SourceForge.net servers, and have proactively shut down a handful of developer centric services to safeguard data and protect the majority of our services.' Currently, CVS and SVN access to source code, even for reading, is unavailable, and there is no announced restoration time." (SourceForge and Slashdot are both part of Geeknet, Inc.) Update: 01/27 22:17 GMT by T : Mark Ramm of SourceForge contributes an update and some clarification: the site is up, and SVN is available, though CVS isn't. There's also a follow-up post on the site's blog.

7 of 143 comments (clear)

  1. Why by Anrego · · Score: 2, Interesting

    What the hell did sourceforge ever do to anyone?

    I guess this could have been an attempt to spread some malware or something (by poisoning popular projects)?

    Off topic: how many people actually download directly from sourceforge any more. I have to imagine the majority of users (even before the mass ubuntu influx) get their stuff second hand through their favorite distro’s repository these days. I know I haven’t been there with any regularity since my `ol slackware days *tugs pants up past waist*.

  2. Aw, crap. by Nefarious+Wheel · · Score: 3, Interesting
    This has to be a moneyed interest.

    Whoever you are, out there, you're not a clever geek, you're just an asshole.

    --
    Do not mock my vision of impractical footwear
  3. Re:Qui bono? by Securityemo · · Score: 3, Interesting

    Because it's a high-profile site, and presumably staffed by people who know what they are doing? Eg., for the kicks?

    --
    Emotions! In your brain!
  4. Re:Attack by prononymous? by quanticle · · Score: 4, Interesting

    Well, if you wanted to sneak malicious code into an open-source project, cracking its repository might be a good way to do so.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  5. Password Database stolen? by Securityemo · · Score: 3, Interesting

    Since they took down SFTP access, presumably someone got their hands on passwords/the password database.

    --
    Emotions! In your brain!
  6. possible explanation by Anonymous Coward · · Score: 5, Interesting

    http://www.exploit-db.com/papers/15823/

    You would think that the authors of Ettercap, one of the most popular
    whitehat pentesting tools, would know the basics of security.
    Apparently they don't, or they just don't give a shit about what
    happens to their users.

    So, why is their website so insecure? Ettercap's message board is
    hosted at Sourceforge, so they share a server with thousands of other
    customers. Every single customer is able to execute commands and
    access the other project directories. Pretty stupid, eh? You only need
    to find one hole in one hosted site and you can access ALL the project
    databases. Of course that isn't ALoR's fault, it's Sourceforge's
    fault. Regardless, people who care about security and data integrity
    wouldn't use such a shitty provider, would they?

  7. Take note when people post exploits by Anonymous Coward · · Score: 5, Interesting

    This was posted on Full Disclosure 4 days ago. http://seclists.org/fulldisclosure/2011/Jan/424

    Seems they left the backdoor open even after being notified.