[Haskell-cafe] Status update on {code, trac, projects, planet, community}.haskell.org

Wed Feb 16 03:12:20 CET 2011

On Wed, 2011-02-02 at 01:33 +0000, Duncan Coutts wrote:
> All,
> 
> As you will be aware, some of the *.haskell.org websites have been down
> recently, specifically:
> 
> code.haskell.org
> trac.haskell.org
> projects.haskell.org
> planet.haskell.org
> community.haskell.org

[...]

> We have not yet re-enabled user login accounts, nor re-enabled access
> to code repositories. We will send a further update when these are
> re-enabled, or procedures for people to re-enable them are finalised.

Logging in
==========

We have restored ssh logins for around 250 user accounts (ie darcs push
will work).

If you are not one of those 250 and you cannot log in then you will need
to email support at community.haskell.org. Give your real name, your unix
user name and attach your current ssh public key.

Once you have logged in
=======================

Personal webspace
-----------------

public URL: http://code.haskell.org/~$username/
server-side: ~/public_html(-disabled)

You will notice that your ~/public_html directory has been renamed to
~/public_html-disabled. There is a slim possibility that the data was
altered when the server was compromised. We recommend that you check it
first and then to restore use: mv ~/public_html-disabled ~/public_html

Code repositories
-----------------

public URL: http://code.haskell.org/$projname/
server-side: /srv/code/$projname/
or: /srv/srv-from-nun/code/{checked-failed,checked-strayfiles}/$projname/

Similarly, many code repositories (44) have not been re-enabled. Ones
that we could check automatically have already been restored. 

If the /srv/code/$project directory for your project is empty or missing
then you will find it in one of the directories
in /srv/srv-from-nun/code/, either checked-failed/ if "darcs check"
failed on that repository, or in checked-strayfiles/ if the repository
contains extra unrecorded files that we could not check automatically.

You should check that you are satisfied that the repository contains
just what you expect and then email support at community.haskell.org to ask
for it to be moved back to the usual location.

Project websites
----------------

public URL: http://projects.haskell.org/$projname/
server-side: /srv/projects/${projname/
or: /srv/srv-from-nun/projects/$projname/

If the /srv/projects/$project directory for your project is empty or
missing then will find the project website
in /srv/srv-from-nun/projects/$project.

You should check that you are satisfied that the website directory
contains just what you expect and then email
support at community.haskell.org to ask for it to be moved back to the
usual location.

Explanation
===========

We believe that when the server was compromised, the attacker was mainly
interested in collecting usernames and passwords. Since we do not use
password based logins, we think the attacker was not successful in this.
However we are unable to trust any of the ~/.ssh/authorized_keys because
the attacker could have modified them to give access at a later date.

We were able to verify the ~/.ssh/authorized_keys for around 250 users
by comparing the current file against the key that was originally
submitted in the account creation request. People who have added keys or
changed keys since initial account creation have not had their login
access restored and they must resend their current key.

For html, css, javascript files etc, there was the slight concern that
the attacker may have defaced sites or made malicious files available
for download. While we have not found any instance of this so far, we
need the help of project owners to check this.

Duncan
(On behalf of the Haskell infrastructure team)