Two project servers hosting third-party package code for the popular open-source FreeBSD project were breached by hackers over the weekend. According to a preliminary report by the FreeBSD team, the intruders were able to authenticate over SSH using credentials from a legitimate developer.
“On Sunday 11 of November, an intrusion was detected on two machines within the FreeBSD.org cluster. The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution,” reads the advisory.
The FreeBSD infrastructure is divided into two parts: the base (source code for the kernel, system libraries, compiler, and core tools such as SSH and daemons) and the third-party packages area. Luckily, the breach was contained to the third-party packages area, and further investigation revealed no modifications to the third-party source code during the attack.
“We have found no evidence of any modifications that would put any end user at risk. However, we do urge all users to read the report available at http://www.freebsd.org/news/2012-compromise.html and decide on any required actions themselves. We will continue to update that page as further information becomes known. We do not currently believe users have been affected given current forensic analysis, but we will provide updated information if this changes,” states the news update on the project's page.
The FreeBSD team has taken all affected machines offline, as well as other machines that might possibly have been compromised. The base release media has also been checked for malicious commits.
This is not an isolated incident in the open-source world. In 2010, Apache servers that handled issue tracking were compromised via an XSS attack that resulted in hackers gaining administrative access and then root access to a core server in the Apache network.