A team of unknown hackers recently engaged in a “brute force” attack against Apache’s servers.
The violent cyber offensive began on April 5th, when hackers compromised a Slicehost server and opened a new issue (INFRA-2591) which contained the following text:
“ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]”
According to Apache, the above-mentioned URL redirected back to the instance of JIRA, at a special URL containing a cross site scripting (XSS) attack.
“The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights,” Apache confirmed in an official statement.
“At the same time as the XSS attack, the attackers started a brute force attack against the JIRA login.jsp, attempting hundreds of thousands of password combinations.”
The hackers apparently succeeded in breaching Apache’s defenses on April 6th by gaining administrator privileges on a JIRA account, which was then used to disable notifications for a project and to alter the path used to upload attachments. The designated path was subsequently configured to run JSP files, while several new issues were created along with uploaded attachments.
One of the attachments was apparently a JSP file that was used to browse and copy the filesystem, which granted the hackers access to create copies of many users’ home directories and various files.
“They also uploaded other JSP files that gave them backdoor access to the system using the account that JIRA runs under. By the morning of April 9th, the attackers had installed a JAR file that would collect all passwords on login and save them,” explained Apache.
“They then sent password reset mails from JIRA to members of the Apache Infrastructure team. These team members, thinking that JIRA had encountered an innocent bug, logged in using the temporary password sent in the mail, then changed the passwords on their accounts back to their usual passwords.”
However, one of the passwords happened to be identical to the password belonging to a local user account on brutus.apache.org – with the local user account having full sudo access.
The attackers were therefore able to login to brutus.apache.org and gain full root access to the machine, which hosted the Apache installs of JIRA, Confluence and Bugzilla.
Once they had root on brutus.apache.org, the attackers discovered that several users had cached Subversion authentication credentials and deployed the passwords to log in to minotaur.apache.org (aka people.apache.org), Apache’s main shell server.
“About 6 hours after they started resetting passwords, we noticed the attackers and began shutting down services. We notified Atlassian of the previously unreported XSS attack in JIRA and contacted SliceHost. Atlassian was responsive. Unfortunately, SliceHost did nothing and 2 days later, the very same virtual host (slice) attacked Atlassian directly,” stated Apache.
“We started moving services to a different machine, thor.apache.org. The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine. By April 10th, JIRA and Bugzilla were back online.”