Apache.org hit by SSH key compromise

Summary: The open-source Apache Software Foundation pulled its Apache.org Web site offline for about three hours today because of a server hack caused by a compromised SSH key.


A brief message posted on the site (see the screenshot credited below) made it clear the compromise was "not due to any software exploits in Apache itself" but was caused by a compromised SSH key.

The group did not say which Apache servers were affected.

UPDATE: An initial report from Apache is now available.

* Screenshot via The H Security. More at Threatpost.com.



Talkback

12 comments
  • SSH Key password

    Was a password not required as well? Good security would dictate a hardened password in addition to the SSH key before access was granted. It has been shown several times that a key alone is not adequate. I would like to hear more about how the breach occurred.
    bjbrock
    • Why allow keys for backup to come inbound??

      I understand the need to use SSH for off-site backup on occasion, but in addition to bjbrock's point (which it sounds like there was not a password) why would keys used to copy OUT a backup be allowed to come back in? It certainly could be that their backup provider was compromised in some way, but using a secure password, and not allowing inbound shell with that account would have easily stopped this type of attack.

      Chet Wisniewski
      www.sophos.com
      Chester Wisniewski - Sophos
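Both points in the thread above (bjbrock: possession of the key should not be enough; Chet: a key that exists to move backups out should not be able to come back in as a shell) come down to what the server's `authorized_keys` grants a given public key, since sshd cannot tell whether the private half was passphrase-protected. The script below is an added example, not code from the article, the commenters or the Apache Software Foundation. It classifies each `authorized_keys` entry as unrestricted, forced-command-only or fully restricted, reports the ones that would hand a shell to whoever holds the private key, and prints a hardened entry for a backup key. The sample file, the 203.0.113.10 address, the `/usr/local/bin/backup-receive` path and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article, the commenters or the Apache Software
# Foundation): audit an authorized_keys file for entries that would give a
# shell to whoever holds the private key. A key that exists only so an
# off-site host can move backups should be pinned to one forced command,
# one source address, and no pty or forwarding.
# All paths, addresses, hostnames and key material below are constructed.

set -u

# classify_key_line LINE -> prints one of:
#   skip            blank line or comment
#   unrestricted    no command= option: the key holder gets an interactive shell
#   forced-command  command= present, but pty/port/agent/X11 forwarding still allowed
#   restricted      command= plus 'restrict' (OpenSSH >= 7.2) or all four no-* options
classify_key_line() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/ { print "skip"; exit }
    {
        inq = 0; ktype = 0
        for (i = 1; i <= NF; i++) {
            # the key type is the first token that is not inside a quoted option value
            if (!inq && $i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { ktype = i; break }
            if (gsub(/"/, "\"", $i) % 2 == 1) inq = !inq   # odd quote count toggles state
        }
        if (ktype == 0) { print "unrestricted"; exit }    # assumption: unparsable => treat as unsafe
        opts = ""
        for (i = 1; i < ktype; i++) opts = opts (i > 1 ? " " : "") $i
        if (opts !~ /(^|,)command=/) { print "unrestricted"; exit }
        if (opts ~ /(^|,)restrict(,|$)/ ||
            (opts ~ /no-pty/ && opts ~ /no-port-forwarding/ &&
             opts ~ /no-agent-forwarding/ && opts ~ /no-X11-forwarding/)) {
            print "restricted"; exit
        }
        print "forced-command"
    }'
}

# make_sample_authorized_keys FILE -> writes a constructed sample: two
# restricted backup keys and one bare admin key (placeholder key material).
make_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# off-site backup host may only run the receive script, and only from its own address
from="203.0.113.10",command="/usr/local/bin/backup-receive",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 backup@offsite
# same policy using the OpenSSH >= 7.2 shorthand
restrict,command="/usr/local/bin/backup-receive",from="203.0.113.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000001 backup2@offsite
# unrestricted: a stolen copy of this private key is a full login
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER0000000000000000000000000000000000 admin@laptop
EOF
}

# audit_authorized_keys FILE -> one line per entry that is not fully restricted:
# "<class> <last field>" (the last field is the key comment when one is present).
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        cls=$(classify_key_line "$line")
        case "$cls" in skip|restricted) continue ;; esac
        printf '%s %s\n' "$cls" "$(printf '%s\n' "$line" | awk '{ print $NF }')"
    done < "$1"
}

# unrestricted_key_count FILE -> number of entries flagged by audit_authorized_keys
unrestricted_key_count() {
    audit_authorized_keys "$1" | wc -l | tr -d ' '
}

# restricted_backup_entry PUBKEY_FILE SOURCE_ADDR COMMAND -> an authorized_keys
# line that lets the key run only COMMAND, only from SOURCE_ADDR, with no pty or
# forwarding. Needs OpenSSH >= 7.2 for 'restrict'; on older servers spell out the
# four no-* options as in the first sample entry.
restricted_backup_entry() {
    printf 'restrict,from="%s",command="%s" %s\n' "$2" "$3" "$(cat "$1")"
}

# Demo on the constructed sample file.
sample=$(mktemp)
make_sample_authorized_keys "$sample"
audit_authorized_keys "$sample"       # reports the bare admin@laptop key
rm -f "$sample"
```

Two caveats the check encodes: a `command=` option on its own is not enough, because sshd still honours the client's port, agent and X11 forwarding requests unless they are explicitly prohibited (hence the `forced-command` class), and the `restrict` shorthand only exists from OpenSSH 7.2 on, so older servers need the four `no-*` options written out. The `from=` pin limits a stolen key to the backup host's address; it does not help if that host itself is the one compromised, which is the scenario Chet raises.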
  • I'm wondering if this is a fallout from the Debian OpenSSH fiasco

    That particular bug caused all SSH keys (and more) generated by a Debian system - or by any derived distros such as Ubuntu - to have very low entropy and be easily guessable.

    Even though Apache is on FreeBSD servers their certificate provider could have been using a Debian system for SSH generation. It was a nasty bug which cost a lot of $$$ because customers had to re-pay to have good keys re-issued.

    It is good to see Apache Software Foundation being upfront, candid and very transparent about it. Kudos.

    Despite this incident Apache seems to be on top of things and - above all - forthcoming. They deserve respect. Somehow I don't think Apple, Microsoft or Google would be as informative as Apache are.
    honeymonster
    • You give Apache far too much credit

      They are basically pointing the finger, saying "it's not our fault, it was an SSH key". Of course they are coming out and being up front and honest about everything. I promise you the other companies you mentioned would be doing the same thing. But you can also bet that if it had been due to a major Apache vulnerability they would not have been so telling immediately. They would have double and triple checked to make sure it wasn't someone else's fault before making a statement of any sort.

      However the scenario you laid out is possible and I agree with that. I just think you should have left out the "dig" at Apple, MS and Google as they would have reacted the exact same way.
      LiquidLearner
      • Actually...

        ...they wouldn't. Apache has far more to lose by hiding something. Unlike the companies listed their popularity is not heavily based on marketing and perception. That's not a knock...that's just business. The others can market their way around a problem like this. Apache can't. They only have their track record to live on. Once again that's just business.
        storm14k
        • I'm not discounting

          that overall Apache would have been more honest than the other companies had it been their fault but I can assure you they would not have been so quick to give out information. They would have spent additional time ensuring that it was actually their fault and there wasn't some way to blame someone else. And that's not a knock either, it's just business. As you put it.
          LiquidLearner
          • Its still more damaging to them...

            ...to stall rather than just be upfront if it WAS their fault. Once again all they have is their rep and no marketing campaign to improve it. Both situations would be damaging but if it's their fault then that's one knock against them. If it's their fault and they stall then that's two knocks against them. It's just easier to tell it.
            storm14k
  • RE: Apache.org hit by SSH key compromise

    A compromised key does not necessarily mean technically compromised; humans are usually the weakest link in any security system, let's face it. Could simply be a rogue user who had, at one time if not now, legitimate access.
    nigebj
  • ssh over public internet

    Does this mean that Apache has servers listening for ssh traffic over the public Internet? No VPN?
    davidr69