OCaml Forge

Forum: recent-reboot-explained--the-forge-has-been-compromised

Posted by: Sylvain Le Gall
Date: 2014-10-23 22:53
Summary: Recent reboots explained: the forge has been compromised
Project: Site Admin

Earlier today, I was connected while the Forge was under heavy load. This has often been the case before most of the recent reboots.

This time I was able to identify the process causing the problem and stop it early.

Unfortunately, an intruder was able to exploit shellshock through gitweb.cgi. This means that the attacker was able to run a process on the server as www-data for a few hours.

I have studied the script used and it is an IRC server in Perl. I think the main goal of the server was to attack other computers. I am not sure that any files were compromised. The script has been removed and my security tool (rkhunter) cannot find any other problems. I have upgraded the system to squeeze-lts to fix the shellshock CVE.

The following script can test the files that have been uploaded to the forge against what is currently on the server (see the link).

AFAIK, none of my tarballs have been changed.

Please check your files as well and contact me if you find any problems.

Sorry for the inconvenience
Sylvain Le Gall

Use this command to run the script:
$> ocaml download-test.ml */dist/*.tar.gz
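
The check described in the post, comparing each tarball you originally uploaded with the copy the server now hands out, can be sketched as follows. This is an added example, not the `download-test.ml` script from the post; `BASE_URL` and the flat file layout under it are placeholders, since the post does not give the download URL scheme.

```python
import hashlib
import sys
import urllib.request
from pathlib import Path

# Placeholder: replace with the real download location of your project's files.
BASE_URL = "https://forge.example.invalid/releases/"


def http_fetch(name):
    """Download the served copy of a release file (assumed flat layout)."""
    with urllib.request.urlopen(BASE_URL + name, timeout=30) as resp:
        return resp.read()


def compare(paths, fetch=http_fetch):
    """Compare local release files (the trusted copies) with the served ones.

    Returns {path: status}, status being 'match', 'MISMATCH' or 'unavailable'.
    """
    results = {}
    for path in map(Path, paths):
        local = hashlib.sha256(path.read_bytes()).hexdigest()
        try:
            remote_bytes = fetch(path.name)
        except OSError:  # urllib's URLError/HTTPError derive from OSError
            results[str(path)] = "unavailable"
            continue
        remote = hashlib.sha256(remote_bytes).hexdigest()
        results[str(path)] = "match" if local == remote else "MISMATCH"
    return results


if __name__ == "__main__":
    report = compare(sys.argv[1:])
    for path, status in sorted(report.items()):
        print(f"{status:12} {path}")
    # Non-zero exit if any file differs or could not be checked.
    sys.exit(0 if all(s == "match" for s in report.values()) else 1)
```

The local files must come from a source the server never touched (your own build tree or release archive); a file reported as `unavailable` has not been verified and should be treated like a mismatch until checked.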

