Slash Open Source Project

Title Compromised; No Code Altered; CVS is Back
Date    Tuesday January 27 2004, @02:30PM
Author    jamiemccarthy

On or around November 10, 2003, the machine was compromised by an unauthorized attacker. This raises obvious questions about the integrity of the Slash codebase as provided by cvs from that machine; here are the answers.

As many of you have noticed, in early January, that machine was taken offline. Since that time, the Slash programmers have thoroughly audited the entire codebase. We conclude that no unauthorized changes were made -- neither to the publicly-available code as served from that machine, nor to the private code which is used internally on OSDN websites.

Nevertheless, we advise the maintainers of Slash sites which were using post-2.2.6 code from CVS to take several steps to ensure the integrity of their code. Also, to continue accessing new CVS code, it will be necessary to switch to the code's new CVS server at; please click Read More for more information.

Although we have carefully inspected the entire CVS history of the Slash code as it existed at the moment the compromised machine was taken offline, and have concluded that it is untouched, there exists the possibility that unauthorized code was delivered by CVS to site administrators.

We want to emphasize that the possibility of this is remote. The intrusion was with a rootkit and the attacker appears to have taken no special actions with the machine, perhaps not even realizing its significance.

Nevertheless, prudent Slash site administrators who were/are using CVS code, and accessed CVS between early November and the time was taken offline in December, should take this opportunity to compare their last CVS download against the known-good CVS code now on

Confirming CVS Checkout Integrity

Slashcode CVS has moved from to Follow these steps if you used since early November. To do this, you will not need to change your old checkout of Slash; in fact, you might want to make a copy of it now so you have a record.

First, you need to determine what time or tag was the latest change to your old Slash checkout, and compare that checkout to a fresh checkout from that same time or tag. This will let you make sure that your old code was not compromised in any way.

If you were going by CVS tags as we recommend, and you know the last tag you used (maybe check the end of the sql/mysql/updates file), this will be easy.

If you weren't going by CVS tags, you'll need to determine the date of the last checkout of your Slash code from One way to do this might be to check the timestamp on your CVS/Entries file. Another might be:

find yourcvsdir -mtime -40 | xargs ls -ld

which would list all files changed in the last 40 days.

Next, visit and read the instructions for checking out the current known-good CVS version anonymously using pserver. Then perform a checkout into a new directory; the command for this will be:

cvs slashcode login
(just hit return when it asks for a password)
cvs -z3 slashcode co slash

Then, turn the clock back on that checkout to your last CVS checkout from If you were on tag R_2_3_0_113, you would do:

cvs update -r R_2_3_0_113

If instead you knew your old checkout's time precisely, you might do:

cvs update -D '2003-12-13 14:15'

Finally, compare that new, known-good code against the code from your last checkout from You could use, for example, GNU diff:

diff -r -xCVS -N -U3 slash.cvs.old

With the time or tag synchronized, any changes that you see should be your own. If you see any differences between your old codebase and the new known-good code that you don't recognize and/or can't explain, then we should make every attempt to reconcile those anomalies.

We want to know about anomalies, and we will help try to explain them. Please email us at We are also available in the #slash channel on, and you are welcome to post a comment on this story with any questions you may have.

Converting an Existing CVS Checkout to SF.Net

If you have not made any changes to the code you have been using from CVS, you can simply check out a new version and move your old code out of the way (or remove it). Again, see for instructions on CVS.

On the other hand, if you have made substantial changes to our code, you will want to rewrite your CVS files, to tell CVS to talk to the new server.

Fortunately, this is simple. In each CVS directory in your checkout, rewrite the Root file to contain: ashcode

One way to do this is using find, xargs, and perl. In the top directory of your old cvs checkout, try:

find . -type f -name Root | xargs perl -lpi -e '$_=q{ oot/slashcode}'

Once you verify your CVS/Root files look OK, cvs update should work normally.

Final Notes

The server is heavily loaded; if you get an error, keep trying.

As always, please report security issues with the Slash code to

We apologize for the long delay in restoring CVS access and making this information known, but we wanted to be absolutely sure that no unauthorized changes were made. Thank you for your patience.


  1. "" -
  2. "" -

© Copyright 2012 - Me, All Rights Reserved

printed from Slashcode, Compromised; No Code Altered; CVS is Back on 2012-02-07 00:24:46