Slashdot Mirror


SourceForge Down After Attack [Updated]

Animats writes "SourceForge, a hosting site for many open source projects, is down today. Management claims they were attacked: 'We detected a direct targeted attack that resulted in an exploit of several SourceForge.net servers, and have proactively shut down a handful of developer centric services to safeguard data and protect the majority of our services.' Currently, CVS and SVN access to source code, even for reading, is unavailable, and there is no announced restoration time." (SourceForge and Slashdot are both part of Geeknet, Inc.) Update: 01/27 22:17 GMT by T: Mark Ramm of SourceForge contributes an update and some clarification: the site is up, and SVN is available, though CVS isn't. There's also a follow-up post on the site's blog.

12 of 143 comments

  1. Re:Attack by prononymous? by quanticle · · Score: 4, Interesting

    Well, if you wanted to sneak malicious code into an open-source project, cracking its repository might be a good way to do so.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  2. Re:Why by quanticle · · Score: 4, Insightful

    If you're using OSS software on Windows, SourceForge is the place to go. This fact lends support to my hypothesis that the attack was cover for injecting malware into open-source projects. Windows is malware's biggest target, and users are beginning to gravitate towards using open source tools over piracy (mainly due to fears of malware, ironically enough). With that in mind, I guess Sourceforge was a pretty big target for crackers.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  3. Re:Qui bono? by dave562 · · Score: 5, Insightful

    That was my thought. Everyone talks about how OSS is so secure. If you had a bone to pick with that notion, why not go over one of the highest profile examples of OSS? I'm sure that they're running Apache, right? Probably MySQL too? Surely they aren't hosting their site on IIS and powering it with Asp.Net, are they?

    It would be great if situations like this brought the entire computer using community closer together. The reality is that no matter how epically great your software might be, there are people out there looking to bring it down. It doesn't matter if you run Microsoft, Apple or OSS. There are bugs in your applications and there are incentives for finding and exploiting those bugs.

  4. Re:Attack by prononymous? by tverbeek · · Score: 5, Funny

    Someone who really doesn't like the new Slashdot design?

    --
    http://alternatives.rzero.com/
  5. Slashdot by chargersfan420 · · Score: 5, Funny

    Good thing Slashdot is still up and running!

    Unless... it was replaced with an impostor with some bad design decisions!

  6. possible explanation by Anonymous Coward · · Score: 5, Interesting

    http://www.exploit-db.com/papers/15823/

    You would think that the authors of Ettercap, one of the most popular whitehat pentesting tools, would know the basics of security. Apparently they don't, or they just don't give a shit about what happens to their users.

    So, why is their website so insecure? Ettercap's message board is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases. Of course that isn't ALoR's fault, it's Sourceforge's fault. Regardless, people who care about security and data integrity wouldn't use such a shitty provider, would they?

  7. Take note when people post exploits by Anonymous Coward · · Score: 5, Interesting

    This was posted on Full Disclosure 4 days ago. http://seclists.org/fulldisclosure/2011/Jan/424

    Seems they left the backdoor open even after being notified.

  8. Re:Why by diamondsw · · Score: 4, Informative

    I have to imagine the majority of users get their stuff second hand through their favorite distro's repository these days.

    Yes, because everyone who uses SourceForge is on Linux. There is such a thing as open source Windows and Mac software you know.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  9. Re:Attack by prononymous? by insertwackynamehere · · Score: 4, Funny

    You just don't get it. Everything in glorious Nippon is perfect! One day, I will travel there and they will embrace me for my love of their cartoons.

    Baka gaijin.

  10. Re:Why by Securityemo · · Score: 4, Insightful

    Have the SF admins been notified of this? And this claim is based on manual binary dissection, not just it tripping AV "behaviour analysis"? And lastly, what are you up to if you're not telling which one?

    --
    Emotions! In your brain!
  11. Re:Qui bono? by dave562 · · Score: 4, Insightful

    It isn't hyperbole when it is trotted out time and time again as one of the benefits of OSS. Stability and security are two of the cornerstones that OSS advocates build their arguments against "closed source" on top of. Some of the others are cost and portability of data.

    To say that "nobody" has claimed that Apache is best ever is just as extreme of a statement as the original one I made about "everybody" talking about how secure OSS is.

  12. Re:Attack by prononymous? by tehcyder · · Score: 4, Informative

    Someone who really doesn't like the new Slashdot design?

    That narrows it down to...oh, probably every fucking person who visits the site.

    --
    To have a right to do a thing is not at all the same as to be right in doing it