[svlug] Fwd: Re: Debian servers "hacked"?

George Georgalis list-svlug-sender-19fa62 at lists.galis.org
Sun Nov 23 20:22:25 PST 2003


I'm a bit disturbed about the lack of communication following the
compromise of key Debian hosts. The compromise(s) seem to have taken
place about the same time as, or before, a series (~50?) of urgent woody
update announcements (no, I didn't check whether there were any, or the
validity of PGP sigs, my bad, but the 'control of secrets' aspect could
even make those checks questionable).

Below is a post I sent yesterday to the debian-security list. One of
my hosts was able to download several updates from security.debian.org
before it went offline, after the compromise announcement. I have
received a message from some Debian server that says my message is in a
queue but not yet delivered. So, we have an announcement that key Debian
servers are compromised, which came right after a ton of update
announcements, updates from security.debian.org before it went offline,
and an admin (maybe a few) wondering about the integrity of recent update
packages; meanwhile the Debian discussion lists seem to have been shut
down.

Now, security.debian.org seems to have come back, and my initial doubt
regarding the integrity of packages is replaced by a sense of urgency to
gamble that these updates are valid and truly urgent. What I would really
appreciate is some open discussion about what is going on!

// George



----- Forwarded message from George Georgalis <george at galis.org> -----

Date: Sat, 22 Nov 2003 02:32:45 -0500
From: George Georgalis <list-svlug-sender-19fa62 at lists.galis.org>
Subject: Re: Debian servers "hacked"?
To: debian-security at lists.debian.org

On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
>On Friday 21 November 2003 13:18, Thomas Sjögren wrote:
>> On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
>> > http://luonnotar.infodrom.org/~joey/debian-announce.txt
>>
>> Read that a minute ago, but what happended?
>
>That's ATM unknown. It seems that nobody (except the bad boys) has access to 
>the boxes. But there are ppl on the way to catch local access. That's all I 
>heard.

I thought it was odd there were ~50 urgent security updates all in one
evening.

One of my computers managed to pull several deb updates before
security.debian.org was taken offline:

# ls -1 /var/cache/apt/archives/
bsdutils_1%3a2.11n-7_i386.deb
console-data_1999.08.29-24.2_all.deb
debianutils_1.16.2woody1_i386.deb
lock
mount_2.11n-7_i386.deb
nano_1.0.6-3_i386.deb
partial
procmail_3.22-5_i386.deb
procps_1%3a2.0.7-8.woody1_i386.deb
util-linux_2.11n-7_i386.deb
zlib1g_1%3a1.1.4-1.0woody0_i386.deb

So, are these compromised updates or urgent patches? I'm guessing the
former...

// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 


----- End forwarded message -----

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
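The question the forwarded post leaves open, whether the .debs sitting in /var/cache/apt/archives are what Debian actually published, can be checked mechanically rather than guessed at. The script below is an added example, not code from the original post or from the Debian project. It maps each apt cache filename (<package>_<version>_<arch>.deb, with the version URL-encoded, which is why the epoch colon shows up as %3a in the listing above) back to its Package/Version/Architecture stanza in a Packages-format index and compares the recorded Size and SHA256 (or MD5sum, the only hash woody-era indexes carried) against the file on disk. The cache directory, the payloads and the index are all constructed in a temporary directory so the example runs offline; the package names reuse those from the listing, but the bytes and hashes are invented for the demo. The caveat a practitioner needs: this only moves trust from the mirror to the index, so the Packages file itself must come from a Release file whose detached signature (Release.gpg) has been verified against a key obtained out of band.

```python
"""Check apt-cached .deb files against a Packages index.

Added example, not from the original post. Verdicts are returned per file so
the result can be acted on; the constructed scenario in demo() shows a clean
package, a clean package with an epoch in its version, a tampered package and
a package the index does not list at all.
"""
import hashlib
import os
import tempfile
from urllib.parse import unquote


def parse_packages(text):
    """Split RFC822-style control stanzas into dicts; continuation lines are folded."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            cur[last] += "\n" + line.strip()  # multi-line field (Description)
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def cache_name_to_key(name):
    """'procps_1%3a2.0.7-8.woody1_i386.deb' -> ('procps', '1:2.0.7-8.woody1', 'i386')."""
    if not name.endswith(".deb"):
        raise ValueError(name)
    pkg, version, arch = unquote(name[:-4]).split("_")  # no '_' is legal in pkg or version
    return pkg, version, arch


def verify_cache(cache_dir, packages_text):
    """Return {filename: verdict} for every .deb in cache_dir."""
    index = {(s["Package"], s["Version"], s["Architecture"]): s
             for s in parse_packages(packages_text)}
    verdicts = {}
    for name in sorted(os.listdir(cache_dir)):
        if not name.endswith(".deb"):
            continue  # apt's 'lock' file and 'partial/' directory
        try:
            entry = index.get(cache_name_to_key(name))
        except ValueError:
            verdicts[name] = "unparseable name"
            continue
        if entry is None:
            verdicts[name] = "not in index"
            continue
        with open(os.path.join(cache_dir, name), "rb") as f:
            data = f.read()
        if len(data) != int(entry["Size"]):
            verdicts[name] = "size mismatch"
            continue
        # Prefer SHA256 when the index has it; old indexes only carry MD5sum.
        algo, field = ("sha256", "SHA256") if "SHA256" in entry else ("md5", "MD5sum")
        digest = hashlib.new(algo, data).hexdigest()
        verdicts[name] = "ok" if digest == entry[field] else f"{field} mismatch"
    return verdicts


def _stanza(pkg, version, data):
    """Constructed Packages stanza for a payload we generated ourselves."""
    pool_version = version.split(":")[-1]  # pool filenames omit the epoch
    return (f"Package: {pkg}\nVersion: {version}\nArchitecture: i386\n"
            f"Filename: pool/main/{pkg[0]}/{pkg}/{pkg}_{pool_version}_i386.deb\n"
            f"Size: {len(data)}\nMD5sum: {hashlib.md5(data).hexdigest()}\n"
            f"SHA256: {hashlib.sha256(data).hexdigest()}\n"
            f"Description: constructed test package\n placeholder body\n\n")


def demo():
    """Constructed scenario; payloads and hashes are invented, not Debian's."""
    cache = tempfile.mkdtemp(prefix="apt-archives-")
    nano = b"!<arch>\nconstructed nano payload\n"
    procps = b"!<arch>\nconstructed procps payload\n"
    procmail = b"!<arch>\nconstructed procmail payload\n"
    index = (_stanza("nano", "1.0.6-3", nano) +
             _stanza("procps", "1:2.0.7-8.woody1", procps) +
             _stanza("procmail", "3.22-5", procmail))
    files = {
        "nano_1.0.6-3_i386.deb": nano,
        "procps_1%3a2.0.7-8.woody1_i386.deb": procps,
        # same length as the indexed bytes, so only the hash exposes it
        "procmail_3.22-5_i386.deb": procmail.replace(b"payload", b"PAYLOAD"),
        "zlib1g_1%3a1.1.4-1.0woody0_i386.deb": b"unlisted",
        "lock": b"",
    }
    for name, blob in files.items():
        with open(os.path.join(cache, name), "wb") as f:
            f.write(blob)
    return verify_cache(cache, index)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

Against a real cache, point verify_cache() at /var/cache/apt/archives and at a Packages file you have already tied to a signature-checked Release (gpg --verify Release.gpg Release, then compare the Packages hash listed in Release). A "not in index" verdict is not itself proof of tampering, since the file may simply come from a different suite or mirror than the index you fed in, but a size or hash mismatch on a file the index does list is exactly the signal the post was looking for.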
