SourceForge Down After Attack [Updated]

Animats writes "SourceForge, a hosting site for many open source projects, is down today. Management claims they were attacked: 'We detected a direct targeted attack that resulted in an exploit of several SourceForge.net servers, and have proactively shut down a handful of developer centric services to safeguard data and protect the majority of our services.' Currently, CVS and SVN access to source code, even for reading, is unavailable, and there is no announced restoration time." (SourceForge and Slashdot are both part of Geeknet, Inc.) Update: 01/27 22:17 GMT by T : Mark Ramm of SourceForge contributes an update and some clarification: the site is up, and SVN is available, though CVS isn't. There's also a follow-up post on the site's blog.

Attack by prononymous?

[Toe,+The]

Now who would go and attack SourceForge? Microsoft? Oracle?

I just don't see why anyone would target an OSS repository.

Re:Attack by prononymous?

[quanticle]

Well, if you wanted to sneak malicious code into an open-source project, cracking its repository might be a good way to do so.

Re:Attack by prononymous?

[Securityemo]

It would be smarter to target the developer's box.

Re:Attack by prononymous?

[HeckRuler]

Heinous villainous scum that need to be dragged out into the street, beaten, tarred, feathered, and beaten again for good measure. That's who.

Re:Attack by prononymous?

[Nadaka]

You are romanticizing the Yakuza. They went after poor shopkeepers as much as the wealthy.

Re:Attack by prononymous?

[tverbeek]

Someone who really doesn't like the new Slashdot design?

Re:Attack by prononymous?

[f8l_0e]

I see your dragging, beating, tarring, feather, and beaten and raise you a draw and quartering.

Re:Attack by prononymous?

[Lanteran]

But what if you wanted to do it en masse- plus the fact that you get to target the code of the entire project all at once.

Re:Attack by prononymous?

[amicusNYCL]

Maybe the governments of Tunisia, Egypt, or Yemen, for example, object to these:

http://sourceforge.net/search/?q=proxy

Re:Attack by prononymous?

[insertwackynamehere]

You just don't get it. Everything in glorious Nippon is perfect! One day, I will travel there and they will embrace me for my love of their cartoons.

Baka gaijin.

Re:Attack by prononymous?

[History's+Coming+To]

LOIC was hosted on SourceForge. Five people were arrested in the UK today for (from the looks of it) using it. I'm not inferring anything, if I did it would be conspiracy theory...I'm just curious as to whether the events are unrelated?

Re:Attack by prononymous?

[PopeRatzo]

I just don't see why anyone would target an OSS repository.

The attack is probably blowback from the anger over the Slashdot design changes. Misguided, of course, but understandable? You tell me.

Re:Attack by prononymous?

[Jane_Dozey]

It's simple for the devs, now alerted to a potential compromise, to just branch the repo and do a quick diff between the last known good revision and the one on the server. I doubt a big public attack is going to compromise many projects and those it does manage to compromise are probably mismanaged anyway.

Re:Attack by prononymous?

[jellomizer]

So if Microsoft and Oracle got attacked we would all be laughing at them and making fun of their poor security. But if SourceForge got attack it is nothing but sympathy. Umm I want to know as an OpenSource Software user... How they were able to break in where was the hole. Should we be worried about our software as well.

Re:Attack by prononymous?

[Jane_Dozey]

Um...each developer will have a working copy on their local machine. This is most likely to be the last known good version. A quick diff will show up the changes that they've recently made and they can verify that the differences are valid. It's really not that complicated.

If someone wants to go through the trouble of hacking the version control to the point it can propagate to the developers machine, stop them from reverting changes that may have been pulled down just before the repositories were locked down, I'm pretty sure they'd be smart enough to break into sourceforge without making such a big mess and alerting everyone. We can go around with increasingly unlikely scenarios forever but the fact is, a quick check is all that's realistically required.

Re:Attack by prononymous?

[ebuck]

I see your dragging, beating, tarring, feather, beaten, draw and quartering, and raise you grinding, flavoring, and packing into casing.

Re:Attack by prononymous?

[MichaelSmith]

Checksum based integrity is a feature of modern DVCS systems such as mercurial and git.

Re:Attack by prononymous?

[eggled]

Sourceforge uses SVN & CVS, which are fully centralized. If git were being used, I'd agree. As it stands, they only have a working copy (and one prior revision), not the whole history.

What if the code injection were targeted at inserting history to "prove" that the project stole code from a commercial program in order to shut down/cast doubt on the open source project?

Re:Attack by prononymous?

[f8l_0e]

I fold. Well played sir.

Re:Attack by prononymous?

[Aerorae]

Doing it to everything is better because then it's significantly more difficult to tell what the real target is.

Re:Attack by prononymous?

[LandGator]

Mod up, kindly.

Re:Attack by prononymous?

[pclminion]

Shouldn't you always be worried about your software?

Re:Attack by prononymous?

[zero0ne]

shopkeepers that were owned by the big corporations. That way the big guys come out of hiding for the missing money, and a Jackie Chan movie begins.

Re:Attack by prononymous?

[ThatsNotPudding]

So the FBI is getting the band back together.

Re:Attack by prononymous?

[mapkinase]

They know the value of all the software on SourceForge and they wanted to steal it, pirate it, hack it, reverse engineer it and put it on tor... oh, wait.

Re:Attack by prononymous?

[pinkushun]

Right, I think anonymous is too busy with Egypt and other real world issues -- anonymous press release

This has clear ulterior motives. But a OSS repo, that's really low :/
Seems like an attack on our internet freedoms :/

Re:Attack by prononymous?

[tehcyder]

I just don't see why anyone would target an OSS repository.

As people love to parrot here, it's for the lulz, I imagine a lot of script kiddies would close down a hospital emergency ward if they could get away with it.

Re:Attack by prononymous?

[tehcyder]

Someone who really doesn't like the new Slashdot design?

That narrows it down to...oh, probably every fucking person who visits the site.

Re:Attack by prononymous?

[tverbeek]

So that rules out the vast majority of visitors: the not-fucking people.

Re:Attack by prononymous?

[Jane_Dozey]

I have a sourceforge project. All I did was pull down the repo to another location and run a diff on my working repo and the one I pulled down. There were no unexpected differences. I'm struggling to see why this is so hard to understand. It's simple to figure out if your project has changed in an unexpected way. It also easy to overwrite the repository on the sourceforge server with a clean one if you are suspicious.

Seriously, an attack this public will not catch out many projects. And I fail to see how someone would be able to "prove" that a project stole code when it's been made so public that SF was compromised. Just that fact would cast a huge amount of doubt over that sort of claim. Especially when one of the developers hands over an untainted version from their home machine for inspection.

Re:Attack by prononymous?

[eggled]

That's fine and all, if you're only concerned about the latest revision of the software. But then, why are you using a VCS? Your WC has no record of the (potentially thousands) of revisions on the server. If you're diffing more than one revision backward, you're asking the server for the info, and the server is no longer trustworthy.

Who cares about doubt around the allegations? Look at what happened to ReactOS when it was alleged they had stolen Microsoft code. Development all but stopped. OpenBSD took a hiatus to audit their security libs when it was alleged that there were backdoors included. And those were completely unsubstantiated (and untrue) claims.

We're not talking about wholesale project hijacking, and we're not talking about individual developers having consistent working copies. We're talking about project histories, user privileges, and reputations for all projects hosted on sourceforge. The site administrators must go through their due diligence, verifying every project against full backups that could not possibly have been affected in the attack.

It's fine that you don't understand why the checking is necessary, I'm certain a lot of people don't understand why you need to re-install from scratch after somebody has rooted your box. The fact remains that what's being done is necessary.

Hope they have checksums...

One hopes they have checksums when they come back up to make sure people have slipped shit in.

Re:Hope they have checksums...

[mlts]

Heck with checksums. PGP/gpg signed manifest files with SHA-512 hashes for every file stored, from source code tarballs to documentation, and the PGP/gpg keys signed by multiple trustworthy keys in a WOT. This way, dropping in a fake key on a keyserver, then some signed binaries would be found out almost immediately.

For RPMs, if they are not gpg signed by someone, there is a security lapse. Same with Windows .MSI files which don't have Authenticode signatures (although the Windows certificate for a private key does cost some cash, but at least a PGP/gpg signature should be provided.)

Re:Hope they have checksums...

[larry+bagina]

wouldn't be an issue if they were using git. Every commit, every object is stored by SHA-1 hash. Additionally, developers have their own copy of the entire project and can verify that there were no other changes.

Qui bono?

[SilverHatHacker]

What point is there to hitting SourceForge?

Re:Qui bono?

[Securityemo]

Because it's a high-profile site, and presumably staffed by people who know what they are doing? Eg., for the kicks?

Re:Qui bono?

[Sumbius]

What point is there to hitting SourceForge?

Someone clearly didn't like open source. I wonder who they were..

Re:Qui bono?

[McNihil]

Possibly a misdirection and general smoke and mirrors technique but I doubt it... Could be that they hit the wrong IP... network order error and it was 60.181.34.216 that is inside China that was the true target and not sourceforge.

Now with that IP one could glean some more info WHY an attack was necessary.... and so on.

Re:Qui bono?

[dave562]

That was my thought. Everyone talks about how OSS is so secure. If you had a bone to pick with that notion, why not go over one of the highest profile examples of OSS? I'm sure that they're running Apache, right? Probably MySQL too? Surely they aren't hosting their sight on IIS and powering it with Asp.Net, are they?

It would be great if situations like this brought the entire computer using community closer together. The reality is that no matter how epicly great your software might be, there are people out there looking to bring it down. It doesn't matter if you run Microsoft, Apple or OSS. There are bugs in your applications and there are incentives for finding and exploiting those bugs.

Re:Qui bono?

[Hatta]

To hide back doors in source code?

Re:Qui bono?

[dave562]

It isn't hyperbole when it is trotted out time and time again as one of the benefits of OSS. Stability and Security are two of the corner stones that OSS advocates build their arguments against "closed source" on top of. Some of the others are cost and portability of data.

To say that "nobody" has claimed that Apache is best ever is just as extreme of a statement as the original one I made about "everybody" talking about how secure OSS is.

Re:Qui bono?

[icebraining]

I think for some projects, Linus' Law does apply -at least, it makes sense- but it obviously doesn't mean any OSS code is perfectly secure nor even that the average OSS project is more secure than proprietary code.

But I don't see how a single attack on SF proves anything; you'd have to make a study across a statistically valid sample of projects to determine if, eliminated all other variables, OSS code has or nor a better track record.

Re:Qui bono?

[loxosceles]

A study using proper sampling wouldn't necessarily mean anything, either.

Software project A could have more vulnerabilities than project B. If attackers are more interested in B for some reason, maybe it's more popular or the sites running it are more interesting, B could have more "discovered" vulnerabilities.

A correct study would have to pay someone to do a thorough security audit of source code for n major open source and closed source software projects, which would be extremely expensive, and getting that many NDAs from major closed-source companies would be difficult.

Only a government or some large corporation could pay for that. I think I recall reading that simply doing a FIPS validation of openssl (or was it mozilla's nss?) would have cost around 1-2 million dollars if they hadn't been an open source project and had free help from various entities. And FIPS certification is a functional audit, not a security audit.

Re:Qui bono?

[tehcyder]

>> Everyone talks about how OSS is so secure

Hyperbole much? Who is this *everyone*? I have not seen any claims of "so secure"

Either you're very new here, or else you have somehow managed to avoid all the articles that ever mentioned Microsoft, Apple, Oracle or any other provider of proprietary software, which is generally on slashdot sneered at for providing poor security on principle.

Why

[Anrego]

What the hell did sourceforge ever do to anyone?

I guess this could have been an attempt to spread some malware or something (by poisoning popular projects)?

Off topic: how many people actually download directly from sourceforge any more. I have to imagine the majority of users (even before the mass ubuntu influx) get their stuff second hand through their favorite distro’s repository these days. I know I haven’t been there with any regularity since my `ol slackware days *tugs pants up past waist*.

Re:Why

[BJ_Covert_Action]

Could be some hot young group of crackers just wants to make a name for themselves.

Re:Why

[quanticle]

If you're using OSS software on Windows, SourceForge is the place to go. This fact lends support to my hypothesis that the attack was cover for injecting malware into open-source projects. Windows is malware's biggest target, and users are beginning to gravitate towards using open source tools over piracy (mainly due to fears of malware, ironically enough). With that in mind, I guess Sourceforge was a pretty big target for crackers.

Re:Why

[Alanbly]

Yes, but some of us are developing software and use the sourceforge repository. First and foremost, sourceforge is about development and creativity, not strictly software distribution.

Re:Why

[story645]

I build a lot of the libraries I use from source and use a lot of the dev versions, so I end up at sourceforge a decent amount of time. Actually, considering that two of the biggest python libraries are hosted on sourceforge (scipy/numpy) and I really need to update my local versions, this even kind of affects me.

Re:Why

[Charliemopps]

Because Sourceforge only hosts Linux software right?

Re:Why

[westlake]

What the hell did sourceforge ever do to anyone?

Sourceforge is root canal. The valley of the shadow.

The living dead.

FOSS is more than Linux -
and the bare repository of files is of no use to anyone unless you know what you are looking for.

Windows doesn't have a repository. What is does have is resources like Download.com. One-stop shopping for editorial reviews, tutorials, screenshots, demos and so on.

Re:Why

[Nimey]

Windows users will d/l their binaries directly.

Re:Why

[maxume]

They have a really crappy web interface for the mailing list archives that they host.

Re:Why

There is at least one very popular and highly rated piece of software on SF that distributes binaries bungled with spyware at the time of writing, this isn't related to the present event though.

Re:Why

[diamondsw]

I have to imagine the majority of users get their stuff second hand through their favorite distro's repository these days.

Yes, because everyone who uses SourceForge is on Linux. There is such a thing as open source Windows and Mac software you know.

Re:Why

[Securityemo]

Have the SF admins been notified of this? And this claim is based on manual binary dissection, not just it tripping AV "behaviour analysis"? And lastly, what are you up to if you're not telling which one?

Re:Why

[Anrego]

Of course.. but developers of software projects don't make a good target for malware injection.

Re:Why

Why would you say that without naming the software? Without that, you'll just be (rightfully) ignored.

Re:Why

http://en.wikipedia.org/wiki/PDFCreator#Inclusion_of_malware

Re:Why

[mug+funky]

it's the SCO inserting patented code for later legal action.

Re:Why

[Alanbly]

I was more responding to your off-topic comment as to who works directly with sourceforge. That would be everyone who works on open source projects hosted there. I don't think malware is a likely goal.

Re:Why

[wmbetts]

No it's based on OMG OMG OMG HOW THE FUCK DO THEY DARE TRY AND MAKE MONEY WITH A WAY I DON'T APPROVE OF.

It's talking about them bundling toolbars with their software. Every piece of software I've seen like that on source forge has always had an easy way to choose not to install them.

Re:Why

[drinkypoo]

Who ever went there with any regularity? I only go there when I must download something from them. And I have to say that I wish people would stop hosting projects there, because I have more problems with sourceforge failing to deliver me pages than any other major site.

Aw, crap.

[Nefarious+Wheel]

This has to be a moneyed interest.

Whoever you are, out there, you're not a clever geek, you're just an asshole.

Re:Aw, crap.

[Securityemo]

Maybe they are a clever geek asshole? Or even better, a group of clever geek assholes?

Re:Aw, crap.

[Abstrackt]

as opposed to other hacking instances?

I miss the good old days when hacking was considered a good thing. You know, when it meant doing more with less than the bare minimum or just screwing around with your own hardware to use it in unintended ways without pissing anybody off.

Re:Aw, crap.

[amicusNYCL]

This has to be a moneyed interest.

Why can't it be a government interest carpet-bombing the location of a single piece of software it finds offensive or illegal?

Re:Aw, crap.

[babywhiz]

They are really, really, dumb. For real.

Re:Aw, crap.

[westlake]

This has to be a moneyed interest.

Trust me on this.

Sourceforge has probably soured more users on open source than any other website on the planet.

     

Re:Aw, crap.

[Blakey+Rat]

No kidding. Maybe it's being "attacked' by a good Samaritan sick of dealing with SourceForge's particular brand of unusable crap.

Hey, maybe SourceForge will actually wake up, pay attention to the site, and *improve* it as a result of this!

Nah.

Re:Aw, crap.

[loxosceles]

Obviously we have a hacker at SourceForge, climbin' in your cvs, snatchin' your projects up, tryin' to infect them so y'all need to sign your commits, switch to git/hg, sign your commits, switch to git/hg, sign your commits, switch to git/hg... hide your binaries too, cuz they're infecting everything out here...

Pebble in a shoe?

[mapzta]

Can really free a portal for open-source software development be such a pebble in a shoe for someone? I can't think of none, *wink wink*, maybe someone who does not like stuff licensed under gpl, *nudge nudge*, oh noes... who can possibly believe in closedsource software as a future for the consumer out there? Oh, i dont know....

Re:Pebble in a shoe?

[amicusNYCL]

I can't think of none, *wink wink*, maybe someone who does not like stuff licensed under gpl, *nudge nudge*

No less than three governments are currently trying to contain revolutions or mass protests. Why can't one of them be launching attacks against open-source tools to help people communicate?

seems to be up for me

[ravenspear]

sourceforge.net

Re:seems to be up for me

[Migala77]

Oh great, now you've slashdotted it, soon it will be down again!

Password Database stolen?

[Securityemo]

Since they took down SFTP access, presumably someone got their hands on passwords/the password database.

Slashdot

[chargersfan420]

Good thing Slashdot is still up and running!

Unless... it was replaced with an impostor with some bad design decisions!

Re:Slashdot

I knew something was suspicious with cmdrBurrito

Re:Slashdot

[sorak]

Good thing Slashdot is still up and running!

Unless... it was replaced with an impostor with some bad design decisions!

So the bad news is that slashdot got hacked. The good news is that they fixed Idle.

Re:Slashdot

[demonbug]

Good thing Slashdot is still up and running!

Unless... it was replaced with an impostor with some bad design decisions!

So the bad news is that slashdot got hacked. The good news is that they fixed Idle.

Nope, I can still see it.

Re:Slashdot

[sznupi]

If the goal of the attacks turns out to be corruption of the new Slashcode / its SF project... is there anybody here who would be really surprised? ;)

Re:Slashdot

[ushere]

and a leaning to the left - which cuts off half of every letter in the left margin.....

Re:Slashdot

[tehcyder]

Good thing Slashdot is still up and running!

Unless... it was replaced with an impostor with some bad design decisions!

I see this site's owners are preparing themselves a get-out-of-jail-free card.

"See, it wasn't us! Do you seriously believe that a proper company could have fucked up so obviously and so badly?!"

possible explanation

http://www.exploit-db.com/papers/15823/

You would think that the authors of Ettercap, one of the most popular
whitehat pentesting tools, would know the basics of security.
Apparently they don't, or they just don't give a shit about what
happens to their users.

So, why is their website so insecure? Ettercap's message board is
hosted at Sourceforge, so they share a server with thousands of other
customers. Every single customer is able to execute commands and
access the other project directories. Pretty stupid, eh? You only need
to find one hole in one hosted site and you can access ALL the project
databases. Of course that isn't ALoR's fault, it's Sourceforge's
fault. Regardless, people who care about security and data integrity
wouldn't use such a shitty provider, would they?

Re:possible explanation

[Securityemo]

So, basically, there was no compartmentalization at all (chroot, etc.) between project web pages/data, and as anyone hosted there could upload anything to their web page, it was just a matter of time? How did this not happen earlier, if not through someone just uploading a shell to their own webpage?

Re:possible explanation

[Securityemo]

Too late, the bomber is already on it's way. Just jack a vespa and pray that you clear the blast radius.

Re:possible explanation

ok.

Sent from my iPhone

Re:possible explanation

[Migala77]

darn, messed up the formatting.

Looks like Slashdot is as insecure as SourceForge, you've messed up the whole website!

Re:possible explanation

[FlyingBishop]

I'm going to feel a lot less sheepish about my desire to fork any project I find on Sourceforge and throw it up on Github after this.

Re:possible explanation

[tibman]

That doesn't make any sense.

Re:Why not slashdot?

[SadButTrue]

I like the new layout, but I want the old icons back

Crazy or Stupid

[MonsterTrimble]

The attacker(s) really must be either. Taking down a benign and beloved website which is frequented by a legion of genius coders is really asking for it.

Re:Crazy or Stupid

[FunPika]

Meh they could have done worse...they could have attacked 4chan, Wikileaks, or another site that is likely to get the whole of Anon on their asses. At worse all that would happen to them on Slashdot/Sourceforge would be us finding out a link to a website run by the attackers, posting a link to it on the front page, and letting the /. effect do the rest.

Re:Crazy or Stupid

[f3rret]

Honestly though I'm fairly certain that 4chan has 'hacked' itself a number if times. Seriously, I'm not sure where they organize their little raids but there's a board (well or some boards) somewhere where IPs are posted for that hideously stupid LOIC program they use for their little DDoS attacks; since most of the people there are presumably completely ignorant script kiddies, it'd be trivial for someone who was bored or had some beef with 4chan to post the IP of 4chan there and the legions of idiots would happily input it into their version of LOIC and voila 4chan hacks itself.

Up for me

[TheDigitalNinja]

Site seems to be up and working fine for me. All the way through to downloading code and executables.

Take note when people post exploits

This was posted on Full Disclosure 4 days ago. http://seclists.org/fulldisclosure/2011/Jan/424

Seems they left the backdoor open even after being notified.

Re:Take note when people post exploits

[Securityemo]

Mod parent up, I should have checked there before starting to ramble. Interesting thing I noticed though: that paper from exploitdb claims that those happy ninjas had access to the ettercap project account for the past 5 years.

It backfired

[CheerfulMacFanboy]

Somebody tried to fix the new Slashdot UI code - and it was also used by SourceForge?

Re:It backfired

[djdevon3]

Yeah someone really didn't like the new design. Took them a couple days to get in. I'll bet that's what this is about... seriously.

SVN may be up, but SVN browsing is not

[Animats]

SVN may be up, but SVN browse code (via a web browser, what they call "ViewVC") is still failing.

Back up

[pilkch]

"the site is up, and SVN is available, though CVS isn't" And nothing of value was lost.

Receiving spam from username@users.sourceforge.net

[nicodoggie]

I just received SPAM mail from my sourceforge account

username@users.sourceforge.net

Look at this girl who wants to get married and what people write about her on the forum http://pro-dota.com/forum/viewtopic.php?f=6&t=370

The hackers at least got hold of the users' details. There must be better places to get that info. Wonder what else they've gone through

Switch already!

[Chemisor]

> SVN is available, though CVS isn't

Perhaps this is a good time to consider upgrading to git, eh? Nothing like a server outage to remind you of the problems associated with a central repository, which you probably haven't even backed up.

Re:Why not slashdot?

[tehcyder]

I like the new layout, but I want the old icons back

Don't fucking encourage them!

Re:Bullies!

[tehcyder]

This is the ultimate in bullying someone that doesn't deserve it. Kinda like the poor fat kid in middle school that got beat up by the entire football team because they didn't like the way I smelled.

I hope that you vowed to track them all down as adults, and ruin their lives one by one, causing one to go to prison for life for distributing child pornography, another to be executed for high treason by supplying atomic secrets to North Korea, another to be cast into the hellish undersea domain of The Elder Ones and yet another to be sold to Al Qaida as target practice for rabies grenades, until finally, the team captain came to you, begging on his knees, for you just to finish him quickly with a bullet between the eyes?

sourceforge and breach

[extraexploit]

As already written on fd mailing list I have post something more about this attack. Is interesting show how from a skeptical point of view of someone now finally is better understanding of the scope of this attack. My post about: "the sourceforge entry point seems still active" http://extraexploit.blogspot.com/2011/01/sourceforge-entry-point-seems-still.html and "some considerations on Ettercap source code repository breach" http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html (about 1 month ago before the recently admission of sourceforge team). Regards.