[svlug] Fwd: Re: Debian servers "hacked"?
Karsten M. Self
kmself at ix.netcom.com
Mon Nov 24 01:34:18 PST 2003
on Sun, Nov 23, 2003 at 11:22:25PM -0500, George Georgalis (list-svlug-sender-19fa62 at lists.galis.org) wrote:
> I'm a bit disturbed about the lack of communication following the
> compromise of key debian hosts.
Front page Slashdot story notwithstanding:
Debian Project Servers Compromised
Debian Technology/IT Security Software
Posted by jamie on 05:33 AM November 21st, 2003
http://slashdot.org/article.pl?sid=03/11/21/1314238
Some Debian Project machines have been compromised. This is a very
unfortunate incident to report about. Some Debian servers were found
to have been compromised in the last 24 hours. The archive is not
affected by this compromise! In particular the following machines
have been affected: 'master' (Bug Tracking System), 'murphy'
(mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us,
web search, www-master). Some of these services are currently not
available as the machines undergo close inspection. Some services
have been moved to other machines (www.debian.org for example). The
security archive will be verified from trusted sources before it
will become available again.
...which includes a link to the initial announcement:
http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt
Basic story:
- Four hosts, providing a number of services, including mailing lists,
were compromised.
- The archives _don't_ appear to be compromised.
- The method hasn't been disclosed, but widely circulating rumors are
  that it was an account hijacked via password intercept. Developer
  passwords and ssh authorized keys have been revoked.
- The servers are coming back online slowly. The mailserver had to be
  rebuilt. From what I've read, the current timeline is Mondayish,
  barring surprises. This is unofficial. The usual Debian response
  to schedules holds: When It's Ready[tm].
Yes, getting a prominent message on the main Debian.org website would be
useful. I imagine people have their hands busy ATM.
Fact remains: the project was compromised, appears to have been
discovered within a matter of days, immediately secured (by taking
servers offline), word was distributed as soon as a clear assessment was
available (sooner might have been useful, but we're talking a matter of
hours at most -- I was on #debian IRC during much of this period). And
a full disclosure of methods, systems compromised, risks, and
mitigations, has been and is being presented. If only elections or
accounting operated as transparently.
Expect more details as they become available, including mainstream
coverage at The Register and other IT news sites.
Also:
...GIYF:
http://www.google.com/search?q=debian+hacked
...which turns up:
Debian Servers Hacked
By Jim Wagner
November 21, 2003
http://news.earthweb.com/dev-news/article.php/3112551
Some services provided by the servers have been mirrored at other
sites, but Schulze told internetnews.com he doesn't expect the
original machines to be running before Monday, with the possible
exception of the security.debian.org and master servers.
...and provided through the #debian IRC support channel (irc.debian.org
or irc.freenode.net):
http://www.wiggy.net/debian/
Several Debian project machines have been compromised recently. These
webpages serve as a central location where information regarding this
incident is kept.
The compromise was announced on November 21.
You can use the links in the navigation box on the top left to get
more information.
http://www.wiggy.net/debian/status/
http://www.wiggy.net/debian/developer-securing/
> The compromise(es) seem to have taken place about the same time or
> before a series (~50?) of urgent woody update announcements (no I
> didn't check if there were or the validity of pgp sigs, my bad, but
> the 'control of secrets' aspect could even make those checks
> questionable).
Debian 3.0r2 was planned for (and did) release this weekend. Again,
you'll find that the InterWeb has details at the usual sites.
> Below is a post I sent yesterday to the debian-security lists.
Downed. murphy and the main Debian mx, gluck, were both involved.
See above for details.
Peace.
--
Karsten M. Self <kmself at ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
TWikIWeThey: An experiment in collective intelligence. Stupidity. Whatever.
Technical docs, discussion, reviews, opinion.
http://twiki.iwethey.org/