The Gentoo Project was forced to pull the plug on major section of it’s website as soon as they found out that the systems were vulnerable to a command injection attack. This vulnerability might let an attacker remotely execute commands on the compromised servers.
Many users trying to access Gentoo Archives and other 7 areas of gentoo.org are welcomed with a message of unavailability. The Gentoo administrators were urged to take the servers offline in order to prevent further exploits and to allow forensic analysis.
The words "further exploitation" and "forensic analysis" suggest the server was pwned, but Gentoo assures us the damage was minimal.
"There was no possibility of any leak of personal or meddling with the Gentoo Portage tree," Mike Doty, a member of Gentoo's Infrastructure team, said in an emailed statement. "The attack was limited to one service on one server."
Members intend to rebuild the server and will also perform a security audit on source code for packages.gentoo.org, which is the service containing the injection vulnerability. According to this advisory, the vulnerability allows the remote execution of code by attaching a semicolon to the end of the URL, immediately followed by the command an attacker wants to run. The bottom of the page will then display the output of that command.
Gentoo's advisory comes a week after Ubuntu unplugged five of its eight production servers following the discovery they had been so badly compromised that they were being used to attack other sites. Turns out the systems, which were sponsored by Canonical and hosted by the community, were running an old version of Ubuntu.
Other Gentoo sites and services being shuttered included packagestest.gentoo.org, scripts.gentoo.org, archivestest.gentoo.org, kiss.gentoo.org, stats.gentoo.org and survey.gentoo.org. Gentoo wouldn't estimate when it will have them back online.
