Linux-Noob Forums
Hackers Hit Apache.org, Compromise Passwords - Printable Version




Hackers Hit Apache.org, Compromise Passwords - anyweb - 2010-04-14


The Apache Software Foundation reports that it was hit earlier in April by a sophisticated attack that compromised user passwords.

 

Hackers launched a multistage, targeted attack against the Apache Software Foundation's infrastructure April 5 that compromised user passwords.

 

According to the foundation, the hackers took advantage of an XSS (cross-site scripting) vulnerability using a shortened URL to target the server hosting issue-tracking software for the open-source group's projects. The foundation uses a donated instance of Atlassian JIRA to track issues and requests, and hosted the instance on brutus.apache.org, running Ubuntu Linux 8.04 LTS.

 

"If you are a user of the Apache-hosted JIRA, Bugzilla or Confluence, a hashed copy of your password has been compromised," the foundation said in an April 13 statement on the Apache Infrastructure Team blog. "JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords."

 

The statement continued, "Bugzilla uses [an] SHA-256, including a random salt. The risk for most users is low to moderate, since prebuilt password dictionaries are not effective, but we recommend [that] users should still remove these passwords from use."

 

more > http://www.eweek.com/c/a/Security/Hackers-Hit-Apacheorg-Compromise-Passwords-896918/
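Added example, not part of the original post or the Apache statement: a password-store audit sketch showing why the unsalted SHA-512 hashes quoted above fall to a prebuilt dictionary while the salted SHA-256 hashes do not, although a weak password stays guessable one account at a time. The `hash(salt || password)` layout, the 16-byte salt, the hex encoding, and the wordlist and accounts are assumptions constructed for illustration, not the actual JIRA, Confluence or Bugzilla formats.

```python
import hashlib
import os

# Constructed sample data (not from the incident): a tiny wordlist and accounts.
WORDLIST = ["password", "letmein", "apache", "dragon"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "x9!Lq#27vTz"}


def digest(algo: str, password: str, salt: bytes = b"") -> str:
    # Assumed layout: hash(salt || password), hex-encoded.
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def prebuilt_table(algo: str, words) -> dict:
    """Hash every word once; the result is reusable against any unsalted store."""
    return {digest(algo, w): w for w in words}


def unsalted_store(accounts) -> dict:
    return {user: digest("sha512", pw) for user, pw in accounts.items()}


def salted_store(accounts) -> dict:
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # per-account random salt (assumed length)
        store[user] = (salt, digest("sha256", pw, salt))
    return store


def table_hits(hashes: dict, table: dict) -> dict:
    """Accounts whose stored hash is recoverable by a single table lookup."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def shared_hashes(hashes: dict) -> int:
    """Number of accounts whose hash equals another account's hash."""
    values = list(hashes.values())
    return sum(1 for v in values if values.count(v) > 1)


def per_account_guesses(store: dict, words) -> tuple:
    """With salts, every (account, word) pair needs its own hash computation."""
    found, work = {}, 0
    for user, (salt, stored) in store.items():
        for w in words:
            work += 1
            if digest("sha256", w, salt) == stored:
                found[user] = w
                break
    return found, work
```

In the unsalted store, one table exposes every dictionary password and reveals which accounts share a password; in the salted store the table is useless and the guessing cost scales with the number of accounts, which is why the statement rates that risk lower but still recommends retiring the passwords.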




Hackers Hit Apache.org, Compromise Passwords - Dungeon-Dave - 2010-04-22


Peculiarly, it seems IE8 helped with compromising!

 

http://www.theregister.co.uk/2010/04/20/microsoft_ie_xss_fix/