Slashcode
Slash Open Source Project
http://www.slashcode.com/

Title    cvs.slashcode.com Compromised; No Code Altered; CVS is Back
Date    Tuesday January 27 2004, @02:30PM
Author    jamiemccarthy
Topic   
http://www.slashcode.com/article.pl?sid=04/01/27/176253

On or around November 10, 2003, the cvs.slashcode.com machine was compromised by an unauthorized attacker. This raises obvious questions about the integrity of the Slash codebase as provided by cvs from that machine; here are the answers.

As many of you have noticed, in early January, that machine was taken offline. Since that time, the Slash programmers have thoroughly audited the entire codebase. We conclude that no unauthorized changes were made -- neither to the publicly-available code as served from that machine, nor to the private code which is used internally on OSDN websites.

Nevertheless, we advise the maintainers of Slash sites which were using post-2.2.6 code from CVS to take several steps to ensure the integrity of their code. Also, to continue accessing new CVS code, it will be necessary to switch to the code's new CVS server at SourceForge.net; please click Read More for more information.

Although we have carefully inspected the entire CVS history of the Slash code as it existed at the moment the compromised machine was taken offline, and have concluded that it is untouched, there exists the possibility that unauthorized code was delivered by CVS to site administrators.

We want to emphasize that the possibility of this is remote. The intrusion involved a rootkit, and the attacker appears to have taken no special actions with the machine, perhaps not even realizing its significance.

Nevertheless, prudent Slash site administrators who were/are using CVS code, and accessed CVS between early November and the time cvs.slashcode.com was taken offline in December, should take this opportunity to compare their last CVS download against the known-good CVS code now on SourceForge.net.

Confirming CVS Checkout Integrity

Slashcode CVS has moved from cvs.slashcode.com to cvs.sourceforge.net. Follow these steps if you used cvs.slashcode.com since early November. To do this, you will not need to change your old checkout of Slash; in fact, you might want to make a copy of it now so you have a record.

First, you need to determine what time or tag was the latest change to your old Slash checkout, and compare that checkout to a fresh checkout from that same time or tag. This will let you make sure that your old code was not compromised in any way.

If you were going by CVS tags as we recommend, and you know the last tag you used (maybe check the end of the sql/mysql/updates file), this will be easy.

If you weren't going by CVS tags, you'll need to determine the date of the last checkout of your Slash code from cvs.slashcode.com. One way to do this might be to check the timestamp on your CVS/Entries file. Another might be:

find yourcvsdir -mtime -40 | xargs ls -ld

which would list all files changed in the last 40 days.

Next, visit https://sourceforge.net/cvs/?group_id=4421 and read the instructions for checking out the current known-good CVS version anonymously using pserver. Then perform a checkout into a new directory; the command for this will be:

cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode login
(just hit return when it asks for a password)
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode co slash

Then, turn the clock back on that checkout to your last CVS checkout from cvs.slashcode.com. If you were on tag R_2_3_0_113, you would do:

cvs update -r R_2_3_0_113

If instead you knew your old checkout's time precisely, you might do:

cvs update -D '2003-12-13 14:15'

Finally, compare that new, known-good code against the code from your last checkout from cvs.slashcode.com. You could use, for example, GNU diff:

diff -r -xCVS -N -U3 slash.cvs.old slash.cvs.new

With the time or tag synchronized, any changes that you see should be your own. If you see any differences between your old codebase and the new known-good code that you don't recognize and/or can't explain, then we should make every attempt to reconcile those anomalies.
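
A triage helper for the comparison step above, as an added example that is not part of the original article or the Slash project's own code. It skips CVS/ directories as diff -xCVS does, and reads the old checkout's CVS/Entries files to tell files the old server delivered apart from files you created locally; the function names, status labels and demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): summarise how an old
# cvs.slashcode.com checkout differs from a known-good checkout that has
# already been synced to the same tag or date.

# List regular files under $1, skipping CVS/ admin dirs (like diff -xCVS).
list_files() { ( cd "$1" && find . -name CVS -prune -o -type f -print | sort ); }

# Succeed if file $2 (relative path) is recorded in the CVS/Entries file of
# its directory under $1, i.e. CVS tracked it rather than it being a stray file.
is_tracked() {
    entries="$1/$(dirname "$2")/CVS/Entries"
    [ -f "$entries" ] &&
        awk -F/ -v n="$(basename "$2")" '$2 == n { hit = 1 } END { exit !hit }' "$entries"
}

# compare_checkouts OLD NEW: print one "STATUS path" line per discrepancy.
compare_checkouts() {
    old=$1; new=$2
    list_files "$old" | while IFS= read -r f; do
        if [ -f "$new/$f" ]; then
            cmp -s "$old/$f" "$new/$f" || echo "CHANGED $f"
        elif is_tracked "$old" "$f"; then
            echo "OLD-ONLY-TRACKED $f"   # under CVS in old tree, absent from known-good
        else
            echo "OLD-ONLY-LOCAL $f"     # never under CVS control: a local addition
        fi
    done
    list_files "$new" | while IFS= read -r f; do
        [ -f "$old/$f" ] || echo "NEW-ONLY $f"
    done
}

# Constructed sample trees (hypothetical file names) for a dry run.
make_demo_trees() {
    mkdir -p "$1/old/Slash/CVS" "$1/new/Slash/CVS"
    echo 'package Slash;' > "$1/old/Slash/DB.pm"; cp "$1/old/Slash/DB.pm" "$1/new/Slash/"
    echo 'sub a {1}' > "$1/new/Slash/Utility.pm"; echo 'sub a {2}' > "$1/old/Slash/Utility.pm"
    echo 'x' > "$1/old/Slash/Extra.pm"; echo 'mine' > "$1/old/Slash/Local.pm"
    printf '/DB.pm/1.1/d//\n/Utility.pm/1.2/d//\n/Extra.pm/1.1/d//\n' > "$1/old/Slash/CVS/Entries"
}

# Usage: sh this_script slash.cvs.old slash.cvs.new
if [ $# -eq 2 ]; then compare_checkouts "$1" "$2"; fi
```

CHANGED and OLD-ONLY-LOCAL lines should all correspond to your own edits and additions; an OLD-ONLY-TRACKED line, or a CHANGED line you cannot explain, is the kind of anomaly to inspect with the diff command above.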

We want to know about anomalies, and we will help try to explain them. Please email us at security@slashcode.com. We are also available in the #slash channel on irc.slashnet.org, and you are welcome to post a comment on this story with any questions you may have.

Converting an Existing CVS Checkout to SF.Net

If you have not made any changes to the code you have been using from CVS, you can simply check out a new version and move your old code out of the way (or remove it). Again, see https://sourceforge.net/cvs/?group_id=4421 for instructions on SourceForge.net CVS.

On the other hand, if you have made substantial changes to our code, you will want to rewrite your CVS files, to tell CVS to talk to the new server.

Fortunately, this is simple. In each CVS directory in your checkout, rewrite the Root file to contain:

:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode

One way to do this is using find, xargs, and perl. In the top directory of your old cvs checkout, try:

find . -type f -name Root | xargs perl -lpi -e '$_=q{:pserver:anonymous@cvs.sourceforge.net:/cvsroot/slashcode}'

Once you verify your CVS/Root files look OK, cvs update should work normally.

Final Notes

The cvs.sourceforge.net server is heavily loaded; if you get an error, keep trying.

As always, please report security issues with the Slash code to security@slashcode.com.

We apologize for the long delay in restoring CVS access and making this information known, but we wanted to be absolutely sure that no unauthorized changes were made. Thank you for your patience.
