Tell HN: Sourceforge servers compromised - sucuri2

Multiple sourceforge servers were compromised, so treat anything in there as compromised (including files you download, etc).

Info:

http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/

http://blog.sucuri.net/2011/01/sourceforge-net-servers-compromised.html

http://developers.slashdot.org/story/11/01/27/2059200/SourceForge-Down-After-Attack-Updated
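The practical consequence of "treat files you download as compromised" is that a download from the affected mirror can only be trusted once it matches a checksum obtained through some other channel (release notes, a signed checksum file, a mirror the attacker did not control). The following is an added example, not code from this thread or from SourceForge: it parses a sha256sum-style manifest and reports, for a set of downloaded files, which ones match, which were altered, which are missing, and which are present locally without being listed at all. All file names, file contents and digests are constructed for the example.

```python
"""Verify downloaded files against a checksum manifest obtained out of band."""
import hashlib
import re
from typing import Dict

# Constructed sample manifest in sha256sum(1) format ("<hex digest>  <filename>").
# In practice this text comes from a channel other than the download mirror itself.
SAMPLE_MANIFEST = """\
# example-project 1.0 release checksums (constructed for this example)
{good}  example-project-1.0.tar.gz
{helper}  helper-tool-0.3.zip
"""

# Constructed stand-ins for release archives (hypothetical project names).
GOOD_TARBALL = b"pretend tarball bytes for example-project 1.0\n"
GOOD_HELPER = b"pretend zip bytes for helper-tool 0.3\n"
# The same archive with content appended, as an altered copy served by a bad mirror would be.
TAMPERED_TARBALL = GOOD_TARBALL + b"# extra bytes that were not in the release\n"

# sha256sum lines: 64 hex chars, whitespace, optional '*' (binary mode), then the name.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {filename: expected sha256 (lowercase hex)} from sha256sum-style lines.

    Blank lines and '#' comments are skipped; any other unparseable line is an error,
    because silently ignoring a malformed entry would leave a file unchecked.
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_downloads(manifest_text: str, downloaded: Dict[str, bytes]) -> Dict[str, str]:
    """Compare downloaded files to the manifest.

    Each manifest entry gets 'ok', 'mismatch' or 'missing'. Files present locally
    but absent from the manifest are reported as 'unlisted': a compromised mirror
    can add files as easily as alter them, so they deserve the same attention.
    """
    expected = parse_manifest(manifest_text)
    result: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in downloaded:
            result[name] = "missing"
        elif sha256_hex(downloaded[name]) == digest:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    for name in downloaded:
        if name not in expected:
            result[name] = "unlisted"
    return result


def manifest_for_sample() -> str:
    """Fill the constructed manifest with the digests of the constructed good files."""
    return SAMPLE_MANIFEST.format(good=sha256_hex(GOOD_TARBALL), helper=sha256_hex(GOOD_HELPER))


def demo() -> Dict[str, str]:
    """A download set with one altered archive, one missing, and one unexpected file."""
    downloaded = {
        "example-project-1.0.tar.gz": TAMPERED_TARBALL,
        "unexpected-extra.bin": b"not in the manifest",
    }
    return verify_downloads(manifest_for_sample(), downloaded)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

Anything other than "ok" across the board means the download should not be used until the discrepancy is explained; a checksum only helps if the manifest itself did not come from the compromised host.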
======
sucuri2
Clickable:

Info:
[http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27...](http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/)

[http://blog.sucuri.net/2011/01/sourceforge-net-servers-compr...](http://blog.sucuri.net/2011/01/sourceforge-net-servers-compromised.html)

[http://developers.slashdot.org/story/11/01/27/2059200/Source...](http://developers.slashdot.org/story/11/01/27/2059200/SourceForge-Down-After-Attack-Updated)

------
bobds
This was posted a few days ago, probably related:

"sourceforge entry point seems still active."

<http://seclists.org/fulldisclosure/2011/Jan/424>

[http://extraexploit.blogspot.com/2011/01/sourceforge-entry-p...](http://extraexploit.blogspot.com/2011/01/sourceforge-entry-point-seems-still.html)

~~~
andfarm
As far as I could tell, that post was just about one specific SF project that
had a vulnerable PHP CMS installed on their web space. It's possible that the
more general problem of projects being allowed to install/manage their own
software got leveraged into a larger exploit, though.

------
limmeau
Just yesterday, I checked out the latest version of Spim (9.0, now with Qt
GUI!) from Sourceforge svn. Now I can audit the source, or just hope that
attackers just wouldn't bother installing backdoors in such a minority
program. I think I'll do the latter.

~~~
krakensden
Spim! Nice to hear it's still being worked on.

~~~
limmeau
The Qt GUI is nice; however, what I need more is support for acceptance
testing of programs generated by the students' compilers. I guess I'll just
diff the output of command-line spim like last year.

------
stcredzero
Is there a place where I can see a list of sourceforge project names? I'd
really like to merge that with my list of applications now.