Hackers break into two FreeBSD Project servers using stolen SSH keys

Users who installed third-party software packages distributed by FreeBSD.org are advised to reinstall their machines

Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project's security team warned.

Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. "The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution," said a message on the project's public announcements mailing list.

The two compromised servers acted as nodes for the project's legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.

The incident only affected the collection of third-party software packages distributed by the project and not the operating system's "base" components, such as the kernel, system libraries, compiler or core command-line tools.

The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.

Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.

"We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors," the team said. "Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources."

The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.

As a result of the incident, the FreeBSD Project plans to speed its process of deprecating legacy distribution services, like those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.

This is not the first time an open-source software project had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.

"This is a hearty reminder that a chain is only as strong as its weakest link," said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. "In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access -- whether those are servers, laptops or even mobile devices."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags sophosApache Project was forced to shut down its primary Web and mirror serversintrusionsecurityAccess control and authentication

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?