Posts Tagged SSH Hacking
Apache.org: What didn’t work?
Posted by Mourad Ben Lakhoua in Vulnerabilities & attacks, Web Security on September 4, 2009
Following the Apache Software Foundation web incident that took its website offline on Monday, a presentation has been published explaining the cause of the incident and the measures that have been taken. Sharing such details helps others learn from the mistakes and be ready for similar attacks.
According to the analysis, the root cause of this attack was a weakness in SSH key management. The story started when the CentOS server hosting the apachecon.com website (dv35.apachecon.com) was compromised. The attackers fully compromised this machine, including gaining root privileges, and destroyed most of the logs, making it difficult for administrators to confirm the details of everything that happened on it.
Once the attackers had gained shell access, they added CGI scripts to the document root folders of several Apache Software Foundation websites. A regular, scheduled rsync process copied these scripts to the production web server, eos.apache.org, where they became externally visible. The CGI scripts were used to obtain remote shells, with information sent using HTTP POST requests.
After this attack, administrators generated new SSH keys with a minimum length of 4096 bits, enforced the use of from="" and command="" restrictions in the authorized_keys file on the destination backup server, and are looking into disabling CGI support on most website systems.
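The restrictions described above can be expressed directly in the authorized_keys file. The following added example (not ASF's own tooling) shows a restricted backup-key entry beside an unrestricted one, together with a small audit function that flags any entry lacking both from= and command=; the key blobs, source address and script path are constructed placeholders.

```sh
#!/bin/sh
# Audit an authorized_keys file for entries that lack both the source-host
# (from="...") and forced-command (command="...") restrictions.
# Sample data below is constructed for illustration; the key blobs are not real keys.

# Write a constructed sample file: one unrestricted key, one restricted key.
make_sample_keys() {
  cat > "$1" <<'EOF'
# backup key as it might have looked before hardening (no restrictions)
ssh-rsa AAAAB3PLACEHOLDERKEY1 backup@apachecon
# hardened entry: only from one host, only able to run the backup script,
# and no interactive shell or forwarding
from="203.0.113.10",command="/usr/local/bin/rsync-backup.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDERKEY2 backup@apachecon
EOF
}

# Print every key line that is missing from= or command=.
# Returns 0 when all keys are restricted, 1 otherwise.
find_unrestricted_keys() {
  unrestricted=0
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;                     # skip blanks and comments
    esac
    case "$line" in
      *from=\"*\"*command=\"*\"*|*command=\"*\"*from=\"*\"*) ;;   # both present
      *) printf 'UNRESTRICTED: %s\n' "$line"
         unrestricted=$((unrestricted + 1)) ;;
    esac
  done < "$1"
  [ "$unrestricted" -eq 0 ]
}

# Convenience wrapper: number of unrestricted keys in the file.
count_unrestricted_keys() {
  find_unrestricted_keys "$1" | grep -c '^UNRESTRICTED:' || true
}
```

Run it against a real file with `find_unrestricted_keys ~/.ssh/authorized_keys` on the backup destination; a non-zero exit means at least one key can still open an unrestricted shell.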
Here you can see the importance of capturing logs and how they help to spot potential security issues. There are many kinds of log management: if you have a large network with various systems, you would do better to focus on a good correlation engine; if you are a small company with a small network infrastructure, it is better to focus on forensic capabilities so that you can track down violations and recover your losses in a court of law. It's up to you to decide where the focus should be.
Apache Website Owned!
Posted by Mourad Ben Lakhoua in Cybercrime, News, Web Security on August 31, 2009
The Apache Software Foundation website was down last Friday after hackers compromised an SSH key to one of its main servers.
Secure Shell is a very popular technology for secure remote administration of servers. Had the hackers managed to replace a download package on the Apache website with a rootkit or Trojan, it could have caused great damage to a huge number of websites, especially since, according to the latest statistics from Netcraft, more than half of all web servers are running Apache.
On Friday the Apache Software Foundation published an official note, as follows:
On August 27th, starting at about 18:00 UTC an account used for automated backups for the ApacheCon website hosted on a 3rd party hosting provider was used to upload files to minotaur.apache.org. The account was accessed using SSH key authentication from this host.
To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.
While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided.
Here you can find the screenshot posted by the Trendmicro Blog. The identity of the attackers and the motive behind this attack have not yet been discovered, but sharing information about this incident is very good practice and helps build solid trust in The Apache Software Foundation.