ioquake3 Security Notice 06/13/19: Test Builds Possibly Compromised

Summary:

As an initial notice, I want to warn ioquake3 players and server operators that precompiled test builds downloaded from our website may have been compromised. Please do not use or run an ioquake3 test build until we provide new builds for download. This post will be updated, and a new notice will be provided on this site. ioquake3 builds compiled from source or provided by distributions should be safe to use, so long as they did not redistribute our test build binaries. I have no evidence that the ioquake3 test builds were compromised, but I am alerting the community out of an abundance of caution.

Issue:

On 06/12/19 I became aware of high CPU usage on our Jenkins server. Jenkins is the software that builds our test builds and does some basic testing of each new merged commit to our GitHub repository. It appears that an outdated Jenkins install and its plugins were exploited, at a minimum, to install some form of cryptocurrency mining malware.
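The symptom above, a build account suddenly burning CPU on a process it has no business running, is the kind of thing a small host check can surface early. The script below is an added example and is not part of the original notice or the ioquake3 project: it parses `ps -eo pid,pcpu,user,comm` output, and flags any process owned by the build account whose command name is not on an allow-list of expected build tools, plus any high-CPU process outside that list. The sample `ps` lines, the `jenkins` user name, the 80% threshold and the allow-list are all constructed assumptions for illustration.

```python
"""Flag processes worth investigating on a CI host.

Added example, not code from the ioquake3 notice. The sample `ps` output
below is constructed for illustration; the `jenkins` user name, the CPU
threshold and the allow-list of expected build commands are assumptions.
"""
import subprocess

# Constructed sample output of: ps -eo pid,pcpu,user,comm
SAMPLE_PS = """\
  PID %CPU USER     COMMAND
    1  0.0 root     systemd
  842  3.1 jenkins  java
 1337 97.4 jenkins  unknown-bin
 1402  0.2 root     sshd
 2210 85.0 jenkins  gcc
"""

# Commands the build account is expected to run (assumption for this example).
# A compiler pegging a core during a build is normal; an unknown binary is not.
EXPECTED_FOR_BUILD_USER = {"java", "sh", "bash", "git", "make", "gcc", "cc", "ld"}


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,user,comm` output into dicts, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, user, comm = parts
        rows.append({"pid": int(pid), "pcpu": float(pcpu),
                     "user": user, "comm": comm})
    return rows


def flag_processes(rows, build_user="jenkins", cpu_threshold=80.0):
    """Return (pid, command, reason) triples for processes to look at.

    Two signals: the build account running a command outside its allow-list,
    and any process above the CPU threshold that is not an expected build tool.
    """
    flagged = []
    for r in rows:
        reasons = []
        if r["user"] == build_user and r["comm"] not in EXPECTED_FOR_BUILD_USER:
            reasons.append("unexpected command for build user")
        if r["pcpu"] >= cpu_threshold and r["comm"] not in EXPECTED_FOR_BUILD_USER:
            reasons.append("high CPU")
        if reasons:
            flagged.append((r["pid"], r["comm"], "; ".join(reasons)))
    return flagged


def live_ps():
    """Collect real `ps` output on a Linux host (not used by the offline demo)."""
    return subprocess.run(["ps", "-eo", "pid,pcpu,user,comm"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in live_ps() on a real host.
    for pid, comm, reason in flag_processes(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({comm}): {reason}")
```

On the constructed sample, `gcc` at 85% CPU is left alone because compilers are expected under the build account, while the unknown binary under `jenkins` is reported for both reasons. Running this from cron and alerting on any output is a cheap way to notice the situation described above before the bill for wasted CPU does.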

What is Jenkins?

The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.

What are Cryptocurrencies?

They are a garbage libertarian fantasy of money without responsibility or governance (except by the rich who control these pseudo currencies) and should be thrown into the sea because they waste more electricity than some countries use at a time when we need less consumption of scarce resources to prevent climate change.

What I will do:

The test build page has already been modified to provide no links to download the test builds. The Jenkins server has been shut down. The test builds will be thrown out and replaced once a new Jenkins server is operational. The server the Jenkins user is running on will be reformatted and reinstalled from scratch, which will cause some outages for these services:

  • The ioquake3 master server
  • The official ioquake3 game server
  • The Discord <-> IRC bridge bot
  • The wiki site, wiki.ioquake3.org
  • Jenkins, of course

As far as I know, nothing was done besides mining for cryptocurrencies, but I am going to reformat the server that was running these processes and I am warning users and server operators out of an abundance of caution.

Thank you

Thanks to Daniel Beck from the Jenkins team for helping to resolve this issue.

Join the discussion at discourse.ioquake.org