According to the infrastructure team at the Apache Software Foundation, attackers compromised a server at hosting company SliceHost, and used it to open a new issue on the Apache issue tracking server at brutus.apache.org. They submitted an issue with an error that included a tinyURL.com-shortened link, which redirected back to the Apache installation of the Atlassian JIRA issue tracking software.
The attackers had crafted a cross-site scripting attack at that URL, designed to steal the session cookie of whichever user was logged into the issue tracker when they followed the link.
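The theft described above only works if injected script can read the session cookie. The check below is an added example (not Apache's or Atlassian's code) that audits `Set-Cookie` headers for the attributes limiting that exposure: `HttpOnly`, `Secure` and `SameSite`. The header values and the name heuristic for "session-like" cookies are constructed for the example.

```python
"""Audit Set-Cookie headers for attributes that limit cookie exposure.

Added example, not code from the page's subjects. The sample headers and
the SESSION_COOKIE_HINTS heuristic are constructed for illustration.
"""

# Substrings that suggest a cookie carries a session or auth token (assumption).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """Return findings for a session-like cookie missing hardening attributes."""
    name, _value, attrs = parse_set_cookie(header)
    if not any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
        return []  # not a session cookie by our heuristic; nothing to report
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly; readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure; may be sent over plaintext HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict; attached to cross-site requests")
    return findings


if __name__ == "__main__":
    # Constructed headers: a weak one and a hardened one.
    for hdr in (
        "JSESSIONID=abc123; Path=/",
        "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
        "theme=dark; Path=/",
    ):
        print(hdr, "->", audit_set_cookie(hdr) or "ok")
```

`HttpOnly` stops injected script from reading the cookie value, which is the exfiltration the post describes; it does not stop that script from issuing requests inside the victim's session, so the XSS fix itself remains the primary control.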
"When this issue was opened against the infrastructure team, several of our administrators clicked on the link", said the infrastructure team in a blog post. "This compromised their sessions, including their JIRA administrator rights."
This attack was complemented by a brute force password attack against the JIRA login page. Using these attacks, the attackers gained administrator privileges on a JIRA account, turned off notifications for a project, and changed the path used to upload attachments. They uploaded an attachment that was used to browse and copy the file system. "They also uploaded other [Java Server Pages] files that gave them backdoor access to the system using the account that JIRA runs under," the team explained.
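A password-guessing campaign against a login page leaves a distinctive trace: many failures from one source in a short window. The script below is an added example, not Apache's or Atlassian's code, that flags such bursts over constructed log lines; the log format, addresses and timestamps are made up for the example and are not JIRA's real log format.

```python
"""Flag bursts of failed logins from a single source address.

Added example; the log format and every line in SAMPLE_LOG are constructed
for illustration and do not reflect JIRA's real access or audit logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<iso-timestamp> <source-ip> LOGIN <OK|FAIL> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+)$"
)

SAMPLE_LOG = [
    "2024-01-01T19:00:01 203.0.113.7 LOGIN FAIL user=admin",
    "2024-01-01T19:00:05 203.0.113.7 LOGIN FAIL user=admin",
    "2024-01-01T19:00:09 203.0.113.7 LOGIN FAIL user=admin",
    "2024-01-01T19:00:14 198.51.100.9 LOGIN FAIL user=alice",
    "2024-01-01T19:00:20 203.0.113.7 LOGIN FAIL user=admin",
    "2024-01-01T19:00:31 198.51.100.9 LOGIN OK user=alice",
    "2024-01-01T19:00:44 203.0.113.7 LOGIN FAIL user=admin",
    "2024-01-01T19:00:50 203.0.113.7 LOGIN FAIL user=admin",
    "2024-01-01T22:10:00 192.0.2.44 LOGIN FAIL user=bob",
    "2024-01-01T22:15:00 192.0.2.44 LOGIN FAIL user=bob",
]


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: details} for sources with >= threshold failures inside window.

    A sliding window of failure timestamps is kept per source address; the
    set of targeted usernames is recorded so a reviewer can tell a single-
    account brute force (one user) from password spraying (many users).
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    targeted = defaultdict(set)   # ip -> usernames seen in failures
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # ignore malformed lines and successful logins
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        targeted[ip].add(m["user"])
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_seen": q[0],
                "triggered_at": ts,
                "failures_in_window": len(q),
                "users": set(targeted[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures_in_window']} failures by "
              f"{info['triggered_at'].isoformat()} against {sorted(info['users'])}")
```

The two slow failures from `192.0.2.44` hours apart stay below the threshold, which is the usual blind spot of a fixed window; pairing this with per-account lockout or rate limiting at the login page closes more of it than tuning the threshold alone.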
By sending password reset emails to members of the Apache infrastructure team, the attackers were able to harvest passwords for administrator accounts. One of those passwords was reused for a local user account on the issue tracking server that had full access to the sudo program, which allows users to run programs with root access. From there, they were able to compromise the main shell server, although they were unable to escalate privileges using the compromised accounts.
"We started moving services to a different machine, thor.apache.org", said the infrastructure team. "The attackers had root access on brutus.apache.org for several hours, and we could no longer trust the operating system on the original machine."
Although Atlassian responded quickly to reports of the cross-site scripting flaw and issued patches, the Apache team lamented what it says was a lack of responsiveness on the part of SliceHost. "Two days later, the very same virtual host (slice) attacked Atlassian directly", it said.