Home > Security News > SSH key compromise shuts down Apache website
Security News:
EMAIL THIS

SSH key compromise shuts down Apache website

By SearchSecurity.com Staff
28 Aug 2009 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

The Apache website was taken offline for several hours after attackers used a SSH key to access one of its servers.

Apache shut down all its machines as a precaution and switched over to an unaffected European mirror server. On its blog, the Apache Infrastructure TeamApache said it did not believe any end-users or downloads of enormously popular Web server software were affected. The blog also said that the attackers failed to escalate privileges.

Apache stressed that the attack was the result of the compromised SSH key, not an exploit of Apache software. It said it was conducting an audit of all affected machines.

On Thursday, the key was used to access an account used for automated backups for the ApacheCon website. The attackers created several files, including CGI scripts which they used to launch rogue processes this morning on Apache's production Web services.

There was no information on how the attackers were able to get the SSH key. In 2001, an attacker was able to compromise SSH on SourceForge and tunnel to the Apache site when an Apache developer logged into his SourceForge account.



Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting)Open Source Security Tools and ApplicationsIndustryVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Application Attacks (Buffer Overflows, Cross-Site Scripting)
Quiz: How to build secure applications
Black box and white box testing: Which is best?
Adobe warns of critical update for Reader, Acrobat 9.1.3
9 Ways to Improve Application Security After an Incident
Developers Need Help with Security Errors
Buffer overflow tutorial: How to find vulnerabilities, prevent attacks
SQL injection protection: A guide on how to prevent and stop attacks
Experts rebuke programmers who use SQL injection as feature
SANS: Application threats, website flaws pose biggest security threats
Mozilla helps Adobe push out faster patches
Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

Open Source Security Tools and Applications
H.D. Moore on future of Metasploit attack platform
H.D. Moore speaks about Metasploit Project deal, Release 3.3
Screencast: How to launch an OpenVAS scan
Could Metasploit popularity erode?
Metasploit Project acquired by vulnerability management firm Rapid7
Screencast: Smoothwall offers firewall defense in lean times
Screencast: Samurai offers pen-testing nirvana
Rootkit Hunter demo: Detect and remove Linux rootkits
When to use open source security tools over commercial products
Screencasts: On-screen demonstrations of security tools

Industry
Breach forces payroll service provider PayChoice to shut down again
Twitter, Facebook hit by denial-of-service attacks
Is a partnership certification worth the money? Part III -- security
Experts weigh in on spyware's defining moment
Presentation: Employee monitoring -- Balancing best practices and privacy
Presentation: Security budgets -- Getting what you need
Presentation: Understanding business requirements -- A blueprint for digital security
Presentation: Staffing security positions -- How to choose the right personnel
Organized fraud: Internet hackers conduct coordinated hacking attempts
Sarbanes-Oxley issues rattle executives

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
buffer overflow  (SearchSecurity.com)
cache poisoning  (SearchSecurity.com)
cyberterrorism  (SearchSecurity.com)
dictionary attack  (SearchSecurity.com)
directory harvest attack  (SearchSecurity.com)
distributed denial-of-service attack  (SearchSecurity.com)
JavaScript hijacking  (SearchSecurity.com)
ping of death  (SearchSecurity.com)
stack smashing  (SearchSecurity.com)
SYN flooding  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



More Tips to Secure Your Network
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts