The FreeBSD team has announced over the weekend that two machines within the FreeBSD.org cluster have been compromised and have been consequently pulled offline for analysis.
Security team said on Saturday. "The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution,". However it added that the intruder had sufficient access to modify third party packages, many of which are compiled and installed through FreeBSD's ports system.
Audits have been performed to verify the infrastructure and source trees are clean and the suspect machines "are either being re installed retired, or thoroughly audited before being brought back online," the cluster administration team said.
The FreeBSD Project was gearing up for the FreeBSD 9.1 release, however as it is unable to verify the integrity of the package set, that has been removed and will be rebuilt prior to the release.
The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.