Hackers break into two FreeBSD Project servers using stolen SSH keys

Users who installed third-party software packages distributed by FreeBSD.org are advised to reinstall their machines

Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project's security team warned.

Intrusions on two machines within the FreeBSD.org cluster were detected on Nov. 11, the FreeBSD security team said Saturday. "The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution," said a message on the project's public announcements mailing list.

The two compromised servers acted as nodes for the project's legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.

The incident only affected the collection of third-party software packages distributed by the project and not the operating system's "base" components, such as the kernel, system libraries, compiler or core command-line tools.

The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.

Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.

"We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors," the team said. "Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources."

The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.

As a result of the incident, the FreeBSD Project plans to speed up the deprecation of its legacy distribution services, such as those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.
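The advisory quoted above asks anyone who installed third-party packages between 19 September and 11 November 2012 to reinstall from trusted sources. The first practical question on an affected host is therefore which packages were installed inside that window. The following script is an added illustration, not code from the FreeBSD Project or from the article: it parses the output shape of `pkg query '%t %n-%v'` (install timestamp as a Unix epoch, then name-version) and reports the packages whose install time falls in the exposure window. The sample output is constructed for the example; the use of pkg(8) is an assumption, since a 2012-era host would more likely need the same list built from the legacy package database instead.

```python
from datetime import datetime, timezone

# Exposure window stated in the advisory quoted in the article (UTC, inclusive).
WINDOW_START = int(datetime(2012, 9, 19, 0, 0, 0, tzinfo=timezone.utc).timestamp())
WINDOW_END = int(datetime(2012, 11, 11, 23, 59, 59, tzinfo=timezone.utc).timestamp())

# Constructed sample in the shape of `pkg query '%t %n-%v'` output:
# "<install epoch> <name>-<version>". Package names and dates are made up.
SAMPLE_PKG_QUERY_OUTPUT = """\
1344211200 bash-4.2.37
1348358400 sudo-1.8.6
1350000000 nginx-1.2.4
1352678000 openssl-1.0.1c
1352851200 perl-5.14.2
not-a-timestamp broken-line
"""


def parse_pkg_query(text):
    """Turn pkg query output into (install_epoch, package) tuples.

    Malformed lines are skipped rather than aborting the audit, so one odd
    entry in the package database does not hide the rest of the results.
    """
    records = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1].strip()))
    return records


def installed_in_window(records, start=WINDOW_START, end=WINDOW_END):
    """Return package names installed inside [start, end], in input order."""
    return [pkg for epoch, pkg in records if start <= epoch <= end]


def audit(text):
    """Convenience wrapper: packages from raw query output that need reinstalling."""
    return installed_in_window(parse_pkg_query(text))


if __name__ == "__main__":
    flagged = audit(SAMPLE_PKG_QUERY_OUTPUT)
    if flagged:
        print("Packages installed inside the exposure window (reinstall from trusted sources):")
        for pkg in flagged:
            print("  ", pkg)
    else:
        print("No packages installed inside the exposure window.")
```

On a real host the input would come from `pkg query '%t %n-%v'` piped into the script; the window bounds are the dates the advisory gives, and any package inside them is a candidate for the from-scratch reinstall the team recommends, regardless of whether its contents look unmodified.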

This is not the first time an open-source software project has had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers had used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.

"This is a hearty reminder that a chain is only as strong as its weakest link," said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. "In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access -- whether those are servers, laptops or even mobile devices."


Lucian Constantin

IDG News Service