Heap-um-big problems
Hackers have broken into a server used by the Apache
Software Foundation to keep track of software bugs.
While the attack did not compromise the open-source Web
server's source code repository, they did get their paws on
low-privilege
accounts on another server used to maintain the people.apache.org Web
site. Philip Gollucci, vice president of Apache infrastructure
said that None of the source code was affected in any way.
Apparently the attack used a cross-site scripting bug to
gain access. They then used a password-guessing attack to break into
the Atlassian JIRA software used by Apache. After that it was a simple matter of installing a
password stealing program and gaining full control of the machine. For a while they had access to two other programs hosted
by Apache on the same server, the Confluence wiki program and Bugzilla.
The hackers had control of the server for three days
between April 6 and April 9 The unidentified attackers broke into Apache's JIRA
server on April 6 and had begun stealing user passwords by the time Apache
administrators noticed the issue on April 9. It is the second time that the Apache Software Foundation
has been hit by hackers. Last August intruders were able to break into the
Minotaur server and run their owns scripts on Apache's Web site.