By May 21, a working exploit was circulated, and the CVSHome web site was offline. When the site returned to service, it included a warning. “The cvshome site is currently being thoroughly cleaned as a direct result of an exploitative code set that attacks a cvs security violation,” the message read. “The publication of this code makes all sites running cvs with any remote protocol vulnerable.” The intruders apparently used the new vulnerability to crack the server.
CVS is the dominant open source version control software, used to manage development efforts by tracking revisions. As such, it’s a potentially lucrative target for hackers seeking to spread exploits through source downloads and synchronized updates and patches.
In the past year, several open source projects have been targeted by hackers. Last Dec. 2, Gentoo Linux said that a distribution server was compromised by attackers, but the intrusion was detected within an hour. On Nov. 21, the Debian project said four of its servers had been compromised. In each case, project managers expressed confidence that no code had been altered.
Last August, an FTP server used by the Free Software Foundation to distribute open source code was found to have been compromised for at least four months.