The FreeBSD Security team has announced that two machines in the FreeBSD.org cluster had been compromised and had been taken down for analysis.
The intrusion was announced today, November 17, but it was detected on November 11. Besides the two affected machines, a large portion of the remaining infrastructure was also taken offline as a precaution.
The FreeBSD developers haven’t found any signs of tampering that would put users at risk, but they’ve decided to let people know so they can get the proper precautions.
FreeBSD Security recommendations:
• If you use the already-deprecated cvsup/csup distribution mechanisms, you should stop now.
• If you were using cvsup/csup for ports, you should switch to portsnap(8) right away. Ports developers should be using Subversion already. Further information on preferred mechanisms for obtaining and updating the ports tree can be found at http://www.freebsd.org/doc/handbook/ports-using.html
• If you were using cvs/anoncvs/cvsup/csup for src, you should consider either freebsd-update(8) for signed binary distribution or Subversion for source. Please see the chapter on updating FreeBSD from source in the handbook. Further details on using Subversion and a list of official mirrors can be found at http://www.freebsd.org/doc/handbook/svn.html
• If you use portsnap(8), you should portsnap fetch && portsnap extract to the most recent snapshot. The most recent portsnap(8) snapshot has been verified to exactly match the audited Subversion repository. Please note that as a precaution, portsnap(8) updates have been suspended temporarily.
• Follow best practice security policies to determine how your organization may be affected.
• Conduct an audit of your system that uses FreeBSD.org provided binary packages. Anything that may have been installed during the affected period should be considered suspect. Although there is no evidence of any tampering of any packages, you may wish to consider rebuilding any affected machine from scratch, or if that is not possible, rebuild your ports/packages.
The security breach was probably made on September 19, and it was due to the leak of an SSH key from a developer who legitimately had access to the machines in question.
Check out the Security Incident on FreeBSD Infrastructure website for more information about the breach.