cvs.slashcode.com Compromised; No Code Altered; CVS is Back

posted by jamiemccarthy on 02:30 PM January 27th, 2004
On or around November 10, 2003, the cvs.slashcode.com machine was compromised by an unauthorized attacker. This raises obvious questions about the integrity of the Slash codebase as provided by cvs from that machine; here are the answers.

As many of you have noticed, in early January, that machine was taken offline. Since that time, the Slash programmers have thoroughly audited the entire codebase. We conclude that no unauthorized changes were made -- neither to the publicly-available code as served from that machine, nor to the private code which is used internally on OSDN websites.

Nevertheless, we advise the maintainers of Slash sites which were using post-2.2.6 code from CVS to take several steps to ensure the integrity of their code. Also, to continue accessing new CVS code, it will be necessary to switch to the code's new CVS server at SourceForge.net; the details are below.

Although we have carefully inspected the entire CVS history of the Slash code as it existed at the moment the compromised machine was taken offline, and have concluded that it is untouched, there exists the possibility that unauthorized code was delivered by CVS to site administrators.

We want to emphasize that the possibility of this is remote. The intrusion was with a rootkit and the attacker appears to have taken no special actions with the machine, perhaps not even realizing its significance.

Nevertheless, prudent Slash site administrators who were/are using CVS code, and accessed CVS between early November and the time cvs.slashcode.com was taken offline in December, should take this opportunity to compare their last CVS download against the known-good CVS code now on SourceForge.net.

Confirming CVS Checkout Integrity

Slashcode CVS has moved from cvs.slashcode.com to cvs.sourceforge.net. Follow these steps if you used cvs.slashcode.com since early November. To do this, you will not need to change your old checkout of Slash; in fact, you might want to make a copy of it now so you have a record.

First, you need to determine what time or tag was the latest change to your old Slash checkout, and compare that checkout to a fresh checkout from that same time or tag. This will let you make sure that your old code was not compromised in any way.

If you were going by CVS tags as we recommend, and you know the last tag you used (maybe check the end of the sql/mysql/updates file), this will be easy.

If you weren't going by CVS tags, you'll need to determine the date of the last checkout of your Slash code from cvs.slashcode.com. One way to do this might be to check the timestamp on your CVS/Entries file. Another might be:

find yourcvsdir -mtime -40 | xargs ls -ld

which would list all files changed in the last 40 days.

Next, visit https://sourceforge.net/cvs/?group_id=4421 and read the instructions for checking out the current known-good CVS version anonymously using pserver. Then perform a checkout into a new directory; the command for this will be:

cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode login
(just hit return when it asks for a password)
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode co slash

Then, turn the clock back on that checkout to your last CVS checkout from cvs.slashcode.com. If you were on tag R_2_3_0_113, you would do:

cvs update -r R_2_3_0_113

If instead you knew your old checkout's time precisely, you might do:

cvs update -D '2003-12-13 14:15'

Finally, compare that new, known-good code against the code from your last checkout from cvs.slashcode.com. You could use, for example, GNU diff:

diff -r -xCVS -N -U3 slash.cvs.old slash.cvs.new

With the time or tag synchronized, any changes that you see should be your own. If you see any differences between your old codebase and the new known-good code that you don't recognize and/or can't explain, then we should make every attempt to reconcile those anomalies.
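The steps above collected into one script, added here as an example rather than taken from the original story. It assumes a cvs client and GNU diff on the PATH, that the old checkout's CVS/Tag file still records the sticky tag or date you last updated to (otherwise pass the pin as a third argument), and the function names pin_from_tag_file and check_old_checkout are mine.

```shell
#!/bin/sh
# Added example, not part of the original story: automate the integrity check
# described above. Assumes a cvs client and GNU diff are installed, that OLD is
# your old cvs.slashcode.com checkout, and that OLD/CVS/Tag still records the
# sticky tag or date you last updated to (if not, pass the pin as a third argument).

# Turn the sticky tag recorded in CVS/Tag into a "cvs update" argument:
#   "NR_2_3_0_113" or "TR_2_3_0_113"  ->  -r R_2_3_0_113
#   "D2003.12.13.14.15.00"            ->  -D '2003-12-13 14:15 GMT'
# CVS stores sticky dates in UTC, hence the explicit zone on the second form.
pin_from_tag_file() {
    [ -f "$1/CVS/Tag" ] || return 1
    tag=$(head -n 1 "$1/CVS/Tag")
    case "$tag" in
        T?*|N?*) printf '%s\n' "-r ${tag#?}" ;;
        D?*)     printf '%s\n' "${tag#D}" | sed -n \
            "s/^\([0-9]\{4\}\)\.\([0-9][0-9]\)\.\([0-9][0-9]\)\.\([0-9][0-9]\)\.\([0-9][0-9]\).*/-D '\1-\2-\3 \4:\5 GMT'/p" ;;
        *)       return 1 ;;
    esac
}

# Fresh known-good checkout from SourceForge, pinned to the same tag or date as
# the old one, then a recursive diff. Every hunk printed should be a change you
# made yourself; anything you cannot explain goes to security@slashcode.com.
check_old_checkout() {
    old=$(cd "$1" && pwd) || return 2
    fresh=$2
    pin=${3:-$(pin_from_tag_file "$old")}
    [ -n "$pin" ] || { echo "no sticky tag in $old/CVS/Tag; pass the pin explicitly" >&2; return 2; }
    mkdir -p "$fresh" || return 2
    (cd "$fresh" &&
     cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode co slash &&
     cd slash && eval "cvs update $pin") || return 2
    diff -r -xCVS -N -U3 "$old" "$fresh/slash"
}
```

Usage: `check_old_checkout slash.cvs.old slash.cvs.new` (or with a third argument such as `"-D '2003-12-13 14:15'"` when no sticky tag is recorded).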

We want to know about anomalies, and we will help try to explain them. Please email us at security@slashcode.com. We are also available in the #slash channel on irc.slashnet.org, and you are welcome to post a comment on this story with any questions you may have.

Converting an Existing CVS Checkout to SF.Net

If you have not made any changes to the code you have been using from CVS, you can simply check out a new version and move your old code out of the way (or remove it). Again, see https://sourceforge.net/cvs/?group_id=4421 for instructions on SourceForge.net CVS.

On the other hand, if you have made substantial changes to our code, you will want to rewrite your CVS files, to tell CVS to talk to the new server.

Fortunately, this is simple. In each CVS directory in your checkout, rewrite the Root file to contain:

:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode

One way to do this is using find, xargs, and perl. In the top directory of your old cvs checkout, try:

find . -type f -name Root | xargs perl -lpi -e '$_=q{:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode}'

Once you verify your CVS/Root files look OK, cvs update should work normally.
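An added example, not a command from the story itself, that does the same rewrite but only touches Root files whose content is the old anonymous pserver string for cvs.slashcode.com, so Root files for plugins or themes checked out from other servers are left alone. The OLD_ROOT value is an assumption (adjust it if your old checkout used a different Root), and the function name rewrite_roots is mine.

```shell
#!/bin/sh
# Added example (not from the original story): point an old checkout at the
# SourceForge server, rewriting only CVS/Root files that still hold the old
# cvs.slashcode.com anonymous pserver string. Other Root files are untouched.
OLD_ROOT=':pserver:anonymous@cvs.slashcode.com:/cvsroot/slashcode'   # assumed old value
NEW_ROOT=':pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode'

# Walks the checkout under $1 and prints the path of every Root file it rewrote,
# so you can review the list before running "cvs update".
rewrite_roots() {
    find "$1" -type f -path '*/CVS/Root' | while IFS= read -r f; do
        if [ "$(head -n 1 "$f")" = "$OLD_ROOT" ]; then
            printf '%s\n' "$NEW_ROOT" > "$f"
            printf '%s\n' "$f"
        fi
    done
}
```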

Final Notes

The cvs.sourceforge.net server is heavily loaded; if you get an error, keep trying.

As always, please report security issues with the Slash code to security@slashcode.com.

We apologize for the long delay in restoring CVS access and making this information known, but we wanted to be absolutely sure that no unauthorized changes were made. Thank you for your patience.

This discussion has been archived. No new comments can be posted.
  • I was wondering what had happened. Couldn't find any info anywhere about what was going on. Glad it's back though, Slashcode r0x0rz meh b0x0rz
  • I've been really champing at the bit to grab a new CVS snapshot. Now that I know the full story, I'm glad to know you guys took your time to make things right, thanks for that.

    One related thing I'd like to know more about - merging the latest CVS template changes with template customizations I've made. I'm only on my second incarnation of my slash site, and I've never upgraded (I've just done two fresh installs). Since templates are stored in the slash database, I take it there are some extra steps req
    • The easiest way to do what you want is to check out the CVS code, then make your template customizations directly to the checked-out files, not using the template editing tools on the website.

      If you then do a "cvs update", our fixes and improvements will be added to your checked-out files, but your changes will remain intact.

      (If one of our changes and your changes should happen to affect the same lines of code, CVS will warn you with a "C" in the left margin. You can grep the codebase on "<<<

  • and then there is BitKeeper, and a few other SCM's out there. Why stick with CVS?
    --
    "How about you interface with my ass? By biting it!" --Bender
    • because cvs kicks ass!! :)

      Well, honestly, it'd probably be a pain in the ass for them to switch. They'd have to set up their own srccode_server again, and with them switching to use SF's, that's one server they don't have to maintain (or, minimally, let outside public access hit it).
      --
      lottadot [lottadot.com]
      • True, and very, very good points.

        However, just about anything is better than CVS. BK in particular, though it has the disadvantage of not being free.

        --
        "How about you interface with my ass? By biting it!" --Bender
  • I'm currently in the process of deploying a new slashsite running 2.2.6. I was wondering if I should upgrade to CVS or not. What are the benefits of doing so? Is 2.2.6 secure or are there known security problems with it? Also I understand that the slashcode people don't have time to support upgrading to CVS from 2.2.6, but are there any major differences that require things like database schema modifications, etc.? New variables perhaps?
    • I was wondering if I should upgrade to CVS or not.

      Sure. I did. Lots of us did.

      Is 2.2.6 secure or are there known security problems with it

      Look at the sourceforge Slash project page. Read the bugs list. None that I'm aware of, if that helps you.

      Also I understand that the slashcode people don't have time to support upgrading to CVS from 2.2.6

      Not true. Where did you read this? There are directions on how to do this in the documentation that comes with Slash.

      are there any major differences that req
      --
      lottadot [lottadot.com]
      • >> Also I understand that the slashcode people don't have time to support upgrading to CVS from 2.2.6

        > Not true. Where did you read this? There are directions on how to do this in the documentation that comes with Slash.

        I skimmed through the INSTALL file and must have missed the two lines about upgrading 2.2 -> CVS. I just assumed at that point that the developers weren't providing any support at all and I'd have to wait for 2.3.0.

        Thanks for the info though, I'm in the process of upgra

        • Well, I'm stuck trying to upgrade the database. I keep getting errors as I run through the upgrades file. I even started doing it line by line and came across problems throughout it when trying to upgrade from 2.2.6. Something tells me hacking this upgrades file to actually make it work isn't going to be easy.

          Can someone tell me if they just paste everything in and ignore all the errors if it will just work (or is it designed to?). My first error for example is about the "people" table which doesn't exi
    • The INSTALL file says:

      To upgrade from 2.2.x to the CVS tree, you will need to follow the instructions in the sql/mysql/upgrades file. At the moment, these are just SQL commands you will need to issue, but read carefully because you may have to use judgement and issue command-line commands and so on. (We are working on a tool to automate this process.) Once you are upgraded to, or have installed, a given CVS tag, upgrading to later CVS tags is simply a matter of following along

  • Bad luck people. It is so stressful when you discover a machine has been rooted. The paranoia you have to have is not pleasant.

    Thanks for the hard work sorting this out.
    --
    http://news.DiverseBooks.com/ SF and Computing Book News
  • for those of you who have the slash src code checked out, and have other things (plugins, themes, etc) checked out from *other* cvs servers, you'll need to update your 'Root' files as well. However, if you do the above, you'll mess up existing accurate Root files.

    Here's one method to change them (worked on an OSX box, and a linux box, ymmv):

    grep ":pserver:anonymous@cvs.slashcode.com:/cvsroot/slashcode" -l * -r | xargs perl -lpi -e '$_=q{:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode}'

    on ir
    --
    lottadot [lottadot.com]