[Maintainers-news] Development Server Compromised
maintainers-news at drupal.org
maintainers-news at drupal.org
Wed Nov 4 02:39:59 UTC 2009
On Tuesday, November 3rd, it was discovered that scratchvm.drupal.org, used
for testing Drupal infrastructure upgrades, was compromised by a brute force
attack on a weak account password. The attacker was NOT able to achieve root
access to the server. However, to ensure the continued security of user
accounts, the Infrastructure Team has revoked passwords for Drupal CVS
accounts and for Infrastructure Team members. If you do not have CVS access,
and are not a member of the Drupal Infrastructure Team, YOU MAY IGNORE THIS
EMAIL. Likewise, if you have a CVS account which is no longer in use, you can
ignore this email and your account will remain securely locked out.
-------- CVS ACCOUNT PASSWORDS
-----------------------------------------------
A mirror of the Drupal CVS repository was stored on the compromised server.
This included secure hashes of CVS passwords. While it is extremely unlikely
that CVS accounts could be compromised, passwords have been revoked as a
precaution. To reset your CVS account password:
1) Log in to your user account at http://drupal.org/
2) Click on "My account" in the navigation block.
3) Click the "Edit" tab for your account.
4) Click the "CVS" sub-tab under "Edit".
5) Enter a new password, and click "Save".
6) Wait AT LEAST 30 MINUTES before attempting to use your CVS account. This
time is needed for the CVS server to synchronize your password.
If you cannot access your CVS account after following these steps, please
file a support request in the Drupal infrastructure issue queue:
http://drupal.org/project/issues/infrastructure
-------- DRUPAL INFRASTRUCTURE TEAM PASSWORDS
--------------------------------
Stored Subversion credentials are stored in clear-text, and were potentially
exposed to the attacker. By default, your username and password would be
stored for any protected subversion server accessed from scratchvm, such as
svn.drupal.org. While it is unlikely that the attacker accessed Subversion
passwords, in order to protect your account, infrastructure.drupal.org
passwords have been revoked. To reset your Infrastructure Team password:
1) Browse to https://infrastructure.drupal.org/user/password
2) Enter your user name or email address.
3) Follow the instructions sent to your email to use the one-time login
link.
4) Reset your password with a different password then what you previously
used.
5) If you have Subversion access, WAIT AT LEAST 30 MINUTES before accessing
your Subversion account. This time is needed for the Subversion server to
synchronize your password.
If you cannot access your Subversion account after following these steps,
please file a support request in the Drupal infrastructure issue queue:
http://drupal.org/project/issues/infrastructure
-------- USERS OF SCRATCHVM.DRUPAL.ORG
---------------------------------------
If you accessed a protected SVN server other than svn.drupal.org, or used
other programs which saved passwords in clear-text, it is recommended that
you change your password for those services.
More information about the Maintainers-news
mailing list