SourceForge shell server back up after security breach

A shell server for popular Open Source project hosting site SourceForge is back on line after a security breach a week ago, caused by a staff member logging in from a compromised Internet service provider.

SourceForge.net, which estimates it hosts about a third of all Open Source projects, fell victim to a cracker who gained root access to the site’s shell server May 22, says Patrick McGovern, site director. But the site’s staff noticed the breach that same day, and the only damage was the time and effort needed to fix the problem, which left the shell server off line for nearly a week, McGovern says.

SourceForge staff emailed about 2,200 users who accessed the shell server for several hours surrounding the time of the security hole and asked them to change their passwords. Slashdot posted a copy of the letter SourceForge sent to those users.

McGovern says he’s confident the problem has been corrected, but if users are concerned their accounts have been compromised, or have other security questions, they should email support@sourceforge.net.

“We’ve checked everything out, made sure things were OK, and cleaned up the system,” McGovern says. “On SourceForge, security is a very high priority for us. We wanted to make sure we were active and letting our users know what was going on.”

The site itself wasn’t off line during the repairs of the shell server, and users were still able to get to their project information through Web browsers. While there was potential for damage while the cracker had root access, the SourceForge team didn’t find damage beyond the initial security compromise, McGovern says.

“We just wanted to be extra careful and do the right thing to make sure there was no chance that any additional compromise would happen,” he adds. “We were able to shut [the cracker] down pretty quickly.”

The breach happened when one of the members of SourceForge’s staff used an Internet service provider that had been compromised and logged into the shell server from that machine, using the same password. “There was no inherent problem with the infrastructure of the site, other than a password issue that was hacked,” McGovern says.

SourceForge, which like NewsForge is part of the Open Source Development Network, has more than 180,000 registered users and hosts more than 21,000 Open Source projects.