[svlug] Fwd: Re: Debian servers "hacked"?
Karsten M. Self
kmself at ix.netcom.com
Mon Nov 24 01:34:18 PST 2003
on Sun, Nov 23, 2003 at 11:22:25PM -0500, George Georgalis (list-svlug-sender-19fa62 at lists.galis.org) wrote:
> I'm a bit disturbed about the lack of communication following the
> compromise of key debian hosts.
Front page Slasdot story notwithstanding:
Debian Project Servers Compromised
Debian Technology/IT Security Software
Posted by jamie on 05:33 AM November 21st, 2003
Some Debian Project machines have been compromised. This is a very
unfortunate incident to report about. Some Debian servers were found
to have been compromised in the last 24 hours. The archive is not
affected by this compromise! In particular the following machines
have been affected: 'master' (Bug Tracking System), 'murphy'
(mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us,
web search, www-master). Some of these services are currently not
available as the machines undergo close inspection. Some services
have been moved to other machines (www.debian.org for example). The
security archive will be verified from trusted sources before it
will become available again.
...which includes a link to the initial announcement:
- Four hosts, providing a number of services, including mailing lists,
- The archives _don't_ appear to be compromised.
- The method hasn't been disclosed, but widely circulating rumors are
that it was an account hijacked via password intercept. Developer
passwords and ssh authorized keys have been revoked.
- The servers are coming back online slowly. Mailserver had to be
rebuilt. From what I've read, current timeline is Mondayish,
barring surprises. This is unnofficial. The usual Debian response
to schedules holds; When It's Ready[tm].
Yes, getting a prominant message on the main Debian.org website would be
useful. I imagine people have their hands busy ATM.
Fact remains: the project was compromised, appears to have been
discovered within a matter of days, immediately secured (by taking
servers offline), word was distributed as soon as a clear assessment was
available (sooner might have been useful, but we're talking a matter of
hours at most -- I was on #debian IRC during much of this period). And
a full disclosure of methods, systems compromised, risks, and
mitigations, has been and is being presented. If only elections or
accounting operated as transparently.
Expect more details as they come available, including mainstream
coverage at The Register and other IT news sites.
...which turns up:
Debian Servers Hacked
By Jim Wagner
November 21, 2003
Some services provided by the servers have been mirrored at other
sites, but Schulze told internetnews.com he doesn't expect the
original machines to be running before Monday, with the possible
exception of the security.debian.org and master servers.
...and provided through the #debian IRC support channel (irc.debian.org
Several Debian project machines been compromised recently. These
webpages serve central location where information regarding this
incident is kept.
The compromise was announced on November 21.
You can use the links in the navigation box on the top left to get
> The compromise(es) seem to have taken place about the same time or
> before a series (~50?) of urgent woody update announcements (no I
> didn't check if there where or the validity of pgp sigs, by bad, but
> the 'control of secrets' aspect could even make those checks
Debian 3.0r2 was planned for (and did) release this weekend. Again,
you'll find that the InterWeb has details at the usual sites.
> Below is a post I sent yesterday to the debian-security lists.
Downed. murphey and the main Debian mx, gluck, were both involved.
See above for details.
Karsten M. Self <kmself at ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
TWikIWeThey: An experiment in collective intelligence. Stupidity. Whatever.
Technical docs, discussion, reviews, opinion.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://lists.svlug.org/archives/svlug/attachments/20031124/9dfb7ce2/attachment.bin
More information about the svlug