Just a quick heads-up: This morning we noticed some odd activity on cvs.zope.org that looked like someone had broken into the machine. We have shut the machine down completely and are in the process of installing new drives and doing a fresh install from the ground up. Then we will start restoring the data from the old drives. We're trying to get at least the basic services (ViewCVS site, CVS anonymous pserver access) up and running by tonight. Migrating the privileged user information to allow checkins will probably be done tomorrow. The collector.zope.org web site, which was served from the same machine, will probably end up being integrated into www.zope.org tomorrow and cease to exist as a separate Zope instance. jens
Jens Vagelpohl wrote:
This morning we noticed some odd activity on cvs.zope.org that looked like someone had broken into the machine. ... The collector.zope.org web site, which was served from the same machine, will probably end up being integrated into www.zope.org tomorrow and cease to exist as a separate Zope instance.
I'd like to make a request. If evidence reveals that {cvs,collector}.zope.org *was* compromised, then would ZC kindly consider making all 'security' bugs in the collector public? The reasoning being that there is little point behind hiding potential security problems from the zope community if the blackhat community has already obtained the details. That said, any status on getting the collector back up? -- Jamie Heilman http://audible.transient.net/~jamie/
On Tuesday 21 October 2003 18:08, Jens Vagelpohl wrote:
Just a quick heads-up:
Then we will start restoring the data from the old drives.
That makes me nervous. How will you know that the sources in cvs haven't been compromised? -- Toby Dickenson
Toby Dickenson wrote: That makes me nervous. How will you know that the sources in cvs haven't been compromised?
Surely people can compare checkouts of the various branches (2.6, 2.7) against downloaded tarballs? We can't do the same with TRUNK, but that should be still possible to check against, say, a 2.7 beta. Anthony -- Anthony Baxter <anthony@interlink.com.au> It's never too late to have a happy childhood.
Toby Dickenson wrote: That makes me nervous. How will you know that the sources in cvs haven't been compromised?
Surely people can compare checkouts of the various branches (2.6, 2.7) against downloaded tarballs? We can't do the same with TRUNK, but that should be still possible to check against, say, a 2.7 beta.
I have checkouts of just about every branch ever + the head in a couple of places - based on those, nothing untoward appears to have happened to the source tree. Everyone with a product or other code in that cvs should do a check to make sure, but given that we caught the intrusion almost immediately and that the attacker's methods were rather unsophisticated, I think the risk is pretty low. Brian Lloyd brian@zope.com V.P. Engineering 540.361.1716 Zope Corporation http://www.zope.com
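The check Anthony and Brian describe, comparing a CVS checkout against a released tarball, as an added example that is not part of the original thread: it hashes every file in both trees, skips the checkout's CVS/ metadata directories, and reports files that exist on only one side or whose contents differ. The directory names and file contents in demo() are constructed sample data, not real Zope sources.

```python
import hashlib
import os
import tempfile

# Directories that exist only in a working copy, never in a release tarball
# (assumption: a CVS checkout; other VCSs would add their own metadata dirs).
IGNORED_DIRS = {"CVS"}

def tree_digests(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORED_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def compare_trees(checkout, tarball_dir):
    """Return (only_in_checkout, only_in_tarball, differing) as sorted path lists."""
    a = tree_digests(checkout)
    b = tree_digests(tarball_dir)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    differing = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return only_a, only_b, differing

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)

def demo():
    """Constructed sample: a checkout with one changed file and one extra file."""
    base = tempfile.mkdtemp()
    co, tb = os.path.join(base, "checkout"), os.path.join(base, "Zope-2.7")
    for root in (co, tb):
        _write(root, "lib/python/Zope/__init__.py", "# package\n")
        _write(root, "lib/python/OFS/Folder.py", "class Folder: pass\n")
    _write(co, "CVS/Entries", "/Folder.py/1.2/...\n")  # VCS metadata, ignored
    _write(co, "lib/python/OFS/Folder.py", "class Folder: pass\nimport os\n")  # differs
    _write(co, "lib/python/extra.py", "x = 1\n")  # not in the release
    return compare_trees(co, tb)
```

Calling demo() returns the two paths that need a human look; for a real review, point compare_trees() at a branch checkout and the unpacked release tarball for that branch.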
participants (5): Anthony Baxter, Brian Lloyd, Jamie Heilman, Jens Vagelpohl, Toby Dickenson