Fedora site hacked

By Fahmida Y. Rashid
2011-01-27

Article Rating:

/ 0

Rate This Article:

Add This Article To:

An attacker stole the account credentials of a contributor to the Fedora Linux project and accessed Fedora servers on Jan. 22. The attack follows other recent cyber-invasions of open source projects, including hacks reported on the Free Software Foundation and ProFTPD.

An attacker attempted to compromise the servers for the Fedora Project, the upstream, community version of the Red Hat Enterprise Linux, but apparently didn't damage any servers or code from the Fedora Linux distribution.

In a Jan. 25 message, titled "A security incident on Fedora infrastructure," Fedora Project leader Jared Smith disclosed that a Fedora contributor's log-in and password credentials were stolen and used to access the systems on Jan. 22.

The account belonged to a contributor who had access to push code packages in the Fedora SCM (software configuration management) system, providing the ability to perform builds and make updates to Fedora packages, according to Smith. The contributor was not a member of any sysadmin or Release Engineering groups, and had only limited privileges on fedorapeople.org, he wrote.

The Fedora Infrastructure Team investigated the incident, and was able to conclude that the attacker did not push any changes to the Fedora SCM, access the project repositories at pkgs.fedoraproject.org, perform any builds or push out any package updates, according to Smith.

"We do not believe that any Fedora packages or other Fedora contributor accounts were affected," and there is "no evidence" that the compromise "extended beyond this single account," he wrote.

What the attacker did manage to do was to change the value of the SSH key saved in the Fedora Accounts System and log in to fedorapeople.org, Smith said.

The breach was discovered because the original account user received an email from Fedora Account System indicating some account details had been changed. As soon as the Infrastructure Team was notified, the compromised account was locked down and a thorough audit of the logs was conducted to track all attacker activity, Smith wrote. The Infrastructure Team took snapshots of all the filesystems the account had access to, and compared it with previous snapshots to ensure no changes had been made.

With the compromise of fedorapeople.org, the attacker could have pushed changes to Fedora's SCM system, but Smith said it wasn't likely. He still encouraged Fedora package maintainers to report anything they considered suspicious.

The account information was "compromised externally," and the "Fedora Infrastructure was not subject to any code vulnerability or exploit," Smith wrote. He reminded contributors of the importance of choosing a strong password and to not reuse their Fedora password on other websites or accounts.

Open season on open source projects?

This is the third attack on an open source project in the past two months. In December, the main source code repository for the Free Software Foundation was shut down after attackers compromised the site's account passwords.

Also in December, attackers hacked ProFTPD servers via an unpatched vulnerability in the application. For three days, anyone downloading the open source file transfer application received an infected version that provided attackers with unauthorized access to their systems. Meanwhile, Apache was hit twice in 2010.

Fedora was compromised once before in 2008. In that incident, both Fedora and Red Hat servers were "illegally accessed", according to a note by Fedora Project Leader Paul Frields at the time. But again, attackers did not have any impact on Fedora Linux or related packages. After the compromise, both Red Hat and Fedora re-issued security keys and improved security practices, even though it meant delaying Fedora product releases.

In other Fedora news, this year’s North America Fedora Users and Developers Conference (FUDCon) will be held at Arizona State University in Tempe, Jan. 29-31. More information may be found at this FUDcon page.

Fahmida Rashid is a writer for our sister publication eWEEK.

Related Stories:

	Discuss Fedora site hacked

	Hmmm ... was the hacker based in Richmond?

	>>> Post your comment now!



	>>> More News Articles >>> More By Fahmida Y. Rashid

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

FUEL Database on MontaVista Linux
Whether building a mobile handset, a car navigation system, a package tracking device, or a home entertainment console, developers need capable software systems, including an operating system, development tools, and supporting libraries, to gain maximum benefit from their hardware platform and to meet aggressive time-to-market goals.

Breaking New Ground: The Evolution of Linux Clustering
With a platform comprising a complete Linux distribution, enhanced for clustering, and tailored for HPC, Penguin Computing¿s Scyld Software provides the building blocks for organizations from enterprises to workgroups to deploy, manage, and maintain Linux clusters, regardless of their size.

Data Monitoring with NightStar LX
Unlike ordinary debuggers, NightStar LX doesn¿t leave you stranded in the dark. It¿s more than just a debugger, it¿s a whole suite of integrated diagnostic tools designed for time-critical Linux applications to reduce test time, increase productivity and lower costs. You can debug, monitor, analyze and tune with minimal intrusion, so you see real execution behavior. And that¿s positively illuminating.

Virtualizing Service Provider Networks with Vyatta
This paper highlights Vyatta's unique ability to virtualize networking functions using Vyatta's secure routing software in service provider environments.

High Availability Messaging Solution Using AXIGEN, Heartbeat and DRBD
This white paper discusses a high-availability messaging solution relying on the AXIGEN Mail Server, Heartbeat and DRBD. Solution architecture and implementation, as well as benefits of using AXIGEN for this setup are all presented in detail.

Understanding the Financial Benefits of Open Source
Will open source pay off? Open source is becoming standard within enterprises, often because of cost savings. Find out how much of a financial impact it can have on your organization. Get this methodology and calculator now, compliments of JBoss.

Embedded Hardware and OS Technology Empower PC-Based Platforms
The modern embedded computer is the jack of all trades appearing in many forms.

Data Management for Real-Time Distributed Systems
This paper provides an overview of the network-centric computing model, data distribution services, and distributed data management. It then describes how the SkyBoard integration and synchronization service, coupled with an implementation of the OMG¿s Data Distribution Service (DDS) standard, can be used to create an efficient data distribution, storage, and retrieval system.

7 Advantages of D2D Backup
For decades, tape has been the backup medium of choice. But, now, disk-to-disk (D2D) backup is gaining in favor. Learn why you should make the move in this whitepaper.