Apache got hacked

The Apache Software Foundation which coordinates development of the world's most popular web server software, has been the victim of a rather sophisticated online attack, according to an incident report published by the group.

Earlier this month Apache tackled a targeted attack on the server that hosts its issue tracking applications.

The server was running Atlassian JIRA as its issue tracker, and Apache has warned users of the Apache hosted JIRA and Bugzilla or Confluence equivalents that their hashed passwords have been compromised.

"We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords", it added, before suggesting some other possible security measures.

"In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them."

The problems started on April 5th when hackers used a compromised Slicehost server to add a new issue to Apache's logs.

The issue contained a warning, "ive got this error while browsing some projects in jira", along with a tinyurl web link. The link lead users to a cross-site scripting attack, which in turn allowed hackers to steal session cookies relating to JIRA.

Concurrent to this was a brute force attack against Apache's JIRA login.jsp, in which attackers threw hundreds of thousands of password combinations at its servers. One of the attempts was succesful in gaining entry.

"The attackers used this access to create copies of many users' home directories and various files," wrote Apache.

"They also uploaded other JSP files that gave them backdoor access to the system using the account that JIRA runs under."

The attackers then installed a JAR file which was used to collect and save logins and passwords.

By faking a password request email to Apache infrastructure members, the hackers were able to determine what logins would give them root access to the brutus.apache.org machine, which hosts the Apache installs of JIRA, Bugzilla and Confluence.

The Foundation reacted quickly to the attack, and began shutting down the relevant services some eight hours after the hackers began resetting passwords, and moved them to thor.apache.org. By April 13th everything was back to normal.

"We hope our disclosure has been as open as possible and true to the ASF spirit. Hopefully others can learn from our mistakes," the foundation said of the attack.