Apache site defaced in "embarrassing" hacker attack

Intruders defaced the main Web site of the Apache Web server project this week with a fake ad for a rival software package from Microsoft.

A group of intruders broke into the server by exploiting a series of weaknesses, said Rasmus Lerdorf, a member of the Apache Software Foundation board of directors and a programmer at Linuxcare. The intruders limited themselves to inserting the Microsoft advertisement at the bottom of the page, though they could have done much worse damage because they had gained complete control over the computer, he said.

Because of the comparatively mild damage and the fact that the intruders told Apache how their attack worked, Apache termed them "white hats"--helpful hackers, not the more malicious "black hat" category.

"They seemed friendly," Lerdorf said. "It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention."

The burgeoning number of computers on the Internet is vastly increasing the opportunity for attackers looking for sites to break into. At the same time, those computers also are storing more important information, such as credit card numbers or corporate records.

Apache is software used on a server to deliver Web pages to Internet browsers. It's the most commonly used Web server software, running on 60 percent of Web servers, according to a study by Netcraft. Microsoft's Internet Information Server is in second place with 21 percent.

Apache, along with Linux, is among the best-known "open-source" programming projects, in which anyone may see, modify and redistribute the software's original programming instructions. Open-source projects typically are developed by a core group of volunteers, but corporations are increasingly involved as well. IBM and Sun Microsystems in particular have boosted Apache.

The basic problem at Apache was that too many people could install whatever software they wanted on the server, leading to vulnerabilities that stemmed from the different pieces of software interacting, Lerdorf said. "We just had too many people installing too many services on the box without coordinating with each other," Lerdorf said.

Apache now has shut down two vulnerabilities that led to the attack and has reduced the number of people who have control privileges, he said. In the longer term, Apache will be splitting jobs across several servers, a configuration that allows better security, Lerdorf said.

In a note posted to the Bugtraq security mailing list today, the intruders described how they broke into the server.

Lerdorf said the first stage was that members of the public could store software on the server after sending it with FTP software. The attackers used this feature to save a small program on the machine that later could be used to tell them what files were stored elsewhere on the system.

The intruders then discovered the server had the Bugzilla bug-tracking software produced by Mozilla, the organization building America Online's Netscape Web browser. A weakness in Bugzilla allowed the attackers to gain complete control over the system, Lerdorf said.

Apache shut down Bugzilla completely and will either fix it or replace it with other software, he said.

Lerdorf put a good face on the defacement. "We can only blame ourselves," Lerdorf said. "It's quite embarrassing, but it's a good little heads-up."