[Bf-committers] WordPress compromise affecting Blender.org sites

Danny McGrath dan at blender.org
Mon Mar 15 09:19:30 CET 2021


It would appear that our WordPress blogs at www.blender.org, as well as the
open movies etc, were compromised. The known list of affected sites, which
shared a common vhost, are:

  - www.blender.org
  - apricot.blender.org
  - code.blender.org
  - cycles-renderer.org
  - durian.blender.org
  - gooseberry.blender.org
  - mango.blender.org
  - orange.blender.org
  - peach.blender.org

It would appear that the access was rather limited; root access to the host
was not observed, nor did the permissions of the web server logs allow

Many WordPress accounts have been disabled, where appropriate, and had
their passwords randomized, as some of you may have already seen. For some
of you that forgot about these accounts, it may be a shock that they still
even existed!

The source and release checksums were checked against their local copies,
but we have no indications that anything beyond the www host was accessed
at this time, and have doubts that any of the code was tampered with, but a
more thorough audit would have to make such a determination.

More details will of course follow as they present themselves, but in the
meantime we put up a static HTML version of www and put the rest of the
WordPress stuff into indefinite maintenance mode until we decide where to
go from here.


Danny McGrath - dan at blender.org - www.blender.org
System Administrator at Blender
GPG key: 0x696871CA

More information about the Bf-committers mailing list