SourceForge Down After Attack [Updated]

Animats writes "SourceForge, a hosting site for many open source projects, is down today. Management claims they were attacked: 'We detected a direct targeted attack that resulted in an exploit of several SourceForge.net servers, and have proactively shut down a handful of developer centric services to safeguard data and protect the majority of our services.' Currently, CVS and SVN access to source code, even for reading, is unavailable, and there is no announced restoration time." (SourceForge and Slashdot are both part of Geeknet, Inc.) Update: 01/27 22:17 GMT by T : Mark Ramm of SourceForge contributes an update and some clarification: the site is up, and SVN is available, though CVS isn't. There's also a follow-up post on the site's blog.

Re:Why

[quanticle]

If you're using OSS software on Windows, SourceForge is the place to go. This fact lends support to my hypothesis that the attack was cover for injecting malware into open-source projects. Windows is malware's biggest target, and users are beginning to gravitate towards using open source tools over piracy (mainly due to fears of malware, ironically enough). With that in mind, I guess Sourceforge was a pretty big target for crackers.

Re:Qui bono?

[dave562]

That was my thought. Everyone talks about how OSS is so secure. If you had a bone to pick with that notion, why not go over one of the highest profile examples of OSS? I'm sure that they're running Apache, right? Probably MySQL too? Surely they aren't hosting their sight on IIS and powering it with Asp.Net, are they?

It would be great if situations like this brought the entire computer using community closer together. The reality is that no matter how epicly great your software might be, there are people out there looking to bring it down. It doesn't matter if you run Microsoft, Apple or OSS. There are bugs in your applications and there are incentives for finding and exploiting those bugs.

Re:possible explanation

[Securityemo]

So, basically, there was no compartmentalization at all (chroot, etc.) between project web pages/data, and as anyone hosted there could upload anything to their web page, it was just a matter of time? How did this not happen earlier, if not through someone just uploading a shell to their own webpage?

Re:Why

[Securityemo]

Have the SF admins been notified of this? And this claim is based on manual binary dissection, not just it tripping AV "behaviour analysis"? And lastly, what are you up to if you're not telling which one?

Re:Qui bono?

[dave562]

It isn't hyperbole when it is trotted out time and time again as one of the benefits of OSS. Stability and Security are two of the corner stones that OSS advocates build their arguments against "closed source" on top of. Some of the others are cost and portability of data.

To say that "nobody" has claimed that Apache is best ever is just as extreme of a statement as the original one I made about "everybody" talking about how secure OSS is.

Re:Attack by prononymous?

[jellomizer]

So if Microsoft and Oracle got attacked we would all be laughing at them and making fun of their poor security. But if SourceForge got attack it is nothing but sympathy. Umm I want to know as an OpenSource Software user... How they were able to break in where was the hole. Should we be worried about our software as well.