Apache.org hit by XSS, bruteforce attack
The Apache Software Foundation is the latest victim of a targeted attack aimed at its infrastructure – more specifically, at the SliceHost server (brutus.apache.org) hosting their issue-tracking software (Atlassian JIRA).
The Foundation is warning users of the Apache-hosted JIRA, Bugzilla, or Confluence instances that a hashed copy of their password has been compromised. It also warns that any user who logged into the Apache JIRA instance between April 6th and April 9th should consider that password compromised, because the attackers modified the login form to record passwords as they were entered.
The attack started on April 5th, when the attackers opened a new issue containing text claiming that they had encountered an error while browsing some projects in JIRA, along with a TinyURL link that led the Apache administrators to a page hosting a cross-site scripting (XSS) attack aimed at stealing the session cookies of logged-in users. Simultaneously, the JIRA login.jsp was targeted by a brute-force attack.
On April 6th, one of the attack vectors yielded access and the attackers managed to gain administrator privileges on a JIRA account. “The path they chose was configured to run JSP files, and was writable by the JIRA user,” the official notice says. “They then created several new issues and uploaded attachments to them. One of these attachments was a JSP file that was used to browse and copy the filesystem. The attackers used this access to create copies of many users’ home directories and various files. They also uploaded other JSP files that gave them backdoor access to the system using the account that JIRA runs under.”
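The two conditions the notice describes, a JSP-executable path and a directory writable by the service account, are straightforward to audit. The following is an added example, not code from the Apache Infrastructure Team or from Atlassian: it walks an attachment store, flags uploads with server-side script extensions, and flags directories that are world-writable or owned and writable by an assumed service uid. The per-issue directory layout and the file names are constructed for the sample.

```python
import os
import stat
import tempfile

# Server-side script extensions that must never sit in an attachment store
# on a path the servlet container is configured to execute.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".jspf"}


def audit_attachment_dir(root, service_uid=None):
    """Walk an attachment directory and report the two conditions that
    combined in the Apache incident: uploaded files with a server-side
    script extension, and directories the service account (or anyone)
    can write to. Returns a list of (finding_kind, path) tuples.
    Whether the container actually maps the path for JSP execution has
    to be confirmed separately in the web server configuration."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        st = os.stat(dirpath)
        if st.st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", dirpath))
        if (service_uid is not None and st.st_uid == service_uid
                and st.st_mode & stat.S_IWUSR):
            findings.append(("service-writable-dir", dirpath))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append(("script-attachment", os.path.join(dirpath, name)))
    return findings


def build_sample_tree():
    """Constructed sample store (assumed layout): one benign image attachment
    and one JSP upload inside a world-writable per-issue directory."""
    root = tempfile.mkdtemp(prefix="attachments-")
    issue_dir = os.path.join(root, "ISSUE-1")
    os.mkdir(issue_dir)
    with open(os.path.join(issue_dir, "screenshot.png"), "wb") as f:
        f.write(b"\x89PNG\r\n")
    with open(os.path.join(issue_dir, "error.jsp"), "w") as f:
        f.write("<%-- constructed placeholder, not a payload --%>\n")
    os.chmod(issue_dir, 0o777)
    return root


def run_sample():
    """Audit the constructed tree as if the service account owned it;
    returns the distinct finding kinds, sorted."""
    root = build_sample_tree()
    findings = audit_attachment_dir(root, service_uid=os.stat(root).st_uid)
    return sorted({kind for kind, _ in findings})
```

Running such a check from a cron job against the real attachment path, and alerting on any script-attachment finding, would have surfaced the uploaded JSP files well before the six-hour window described below.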
Three days later, the attackers began collecting and saving passwords at login. They tricked the members of the Apache Infrastructure team into believing their passwords had been reset and collected their passwords as they changed them back.
Unfortunately, one of those passwords matched one on a local user account on brutus.apache.org. From there, the attackers gained full access to the machine, and then to minotaur.apache.org (aka people.apache.org).
The Apache team began noticing something was wrong some 6 hours after the attackers started resetting passwords, and began shutting everything down and notifying Atlassian and SliceHost.
As of April 13th, Atlassian had patched JIRA. JIRA and Bugzilla are now back online, but Confluence is still down.
For more details about what worked and what didn’t during this defensive action, and about the changes this attack brought to the Apache infrastructure and policies, read the original post by the Apache Infrastructure Team.