Gentoo rsync Server Compromised [updated] 600
costela writes "LWN points out that the Gentoo project
fired out an alert about one compromised rsync server." From the message itself: "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected." Update: 12/03 22:54 GMT by T : One more damage report: gibson writes "The Free Software Foundation recently discovered that its software host site was compromised a month ago. The compromise appears to be the same as the recent attacks on the Debian servers. The site is shut down until Friday while they install replacement hardware and verify the authenticity of the hosted source code."
well... (Score:5, Insightful)
Exactly. (Score:5, Funny)
Now consider what would happen if the Windows update service was compromized and hackers managed to get past Microsoft's tight security. These update servers could be used for WMD's (Windows Massive Disruptions)...
Re:well... (Score:5, Insightful)
Re:well... (Score:5, Interesting)
Re:well... (Score:5, Insightful)
Somebody mod that tinfoil-hat-wearing parent post up.
Download gentoolkit and emerge from a current server and validate the checksum. Manually build them. Then emerge sync. Then emerge -u world. Anything less is just trusting that the attackers couldn't cover their tracks well.
Re:well... (Score:3, Informative)
emerge sync doesn't touch emerge. Basically, all emerge sync does is get a listing of the Portage tree and fetch the latest ebuilds, and delete whatever is old. The only thing emerge sync does in relation to emerge itself is tell you that a new version is available if there is one.
Re:well... (Score:4, Insightful)
I hate to respond to such a silly flame - but this is really unfounded.
The parent's attitude hardly reflects that of most people running gentoo. A simple browse of the gentoo forums would demonstrate this.
How exactly is gentoo harming linux anyway? Because some idiot compromises a server? A server whose admins apparently knew what they were doing and had it offline within an hour? Whose admins were thoughtful enough to have significant IDS capabilities installed so they can verify that the whole portage tree is still intact? Last time I checked, the FSF wasn't able to do that in a few hours, and I'd hardly argue that they're doing linux a disservice!
Re:well... (Score:5, Interesting)
However, the compromised system had both an IDS and a file integrity checker installed
The file integrity checker will have provided a list of the files that changed and if emerge was compromised then Gentoo would have let you know. After all, they haven't kept the compromise quiet so presumably they are informing users to let them know the Gentoo are on top of things.
Re:well... (Score:3, Insightful)
This being the same file integrtity checker that alerted the sys admins to the compromise in the first place? If you are good enough to compromise Tripwire or AIDE or whatever then you are good enough to hide the fact that you have done it, not remove some logs install a rootkit then get found out by th
Re:well... (Score:3, Interesting)
Now, you want to compromise every gentoo box on the planet? Edit any ebuild you want to add your compromise. Make it break out of the gentoo sandbox and erase that system straight from the ebuild. Or make it install a tainted binary. Whatever, just be sure to re-hash your ebuild in the Manifest, and wait for some poor suckers to download it. Given the frequency with which gentooer's rsync, t
Re:well... (Score:3, Interesting)
You make it sound so easy. Just "break out" of the sandbox and erase the system. No system is ever going to be 100% secure, but things like sandboxing make it safer. I'll take my chances with Gentoo. The RPC exploits alone have convinced me to never even look at a Windows box again. It's just too much hassle.
Re:well... (Score:3, Informative)
So, yes, changes in the source rsync tree would trickle down to all the mirrors. It wouldn't actually compromise those servers, in the root-on-the-box sense, but they would be serving compromised data.
All this bad news. (Score:5, Interesting)
A conspiracy theorist could have a field day..
Now where did I put my tin-foil hat?
Re:All this bad news. (Score:4, Interesting)
A conspiracy theorist could have a field day..
Is it sad the first thing that crossed my mind was "lots of well-timed security breaches... Microsoft may be behind them all"? ;)
Re:All this bad news. (Score:5, Funny)
Come on. Do you really think Microsoft knows that much about security?
Re:All this bad news. (Score:2, Interesting)
Also, what does SCO have to do with the Debian Server compromise? those are two TOTALLY different subjects. You can't group them all in the same "bad news" categories! One has
Re:All this bad news. (Score:4, Insightful)
Yes, I can. Both give Linux a negative image to people that aren't as clued in about this sort of thing, which is were Linux needs the most support.
Re:All this bad news. (Score:5, Funny)
Re:All this bad news. (Score:5, Insightful)
Uh....Ok. I'll bite. Top three theories about why all the Linux bad news.
Number 3: Some companies that got in early on are outgrowing their business models and thus adapting.
Number 2: Some companies with REALLY flaky software and business models are trying to figure out how to use other peoples superior software to increase their own revenue.
The number 1 reason....: How much fun can it possibly be to say "I did a google search on Windows Exploits and owned 1000 boxen in just under an hour" as opposed to " I heard about an SSH2 compromise and searched for 2 weeks and found an affected system, gained access. Found another program with an exploit kit, eventually gained root. All in all it took a week."
Re:All this bad news. (Score:3, Informative)
There's your 1000 rooted boxes, and I didn't even need to do it myself.
YAW.
How do they know? (Score:2, Insightful)
IANAH (hacker), but isn't the first thing you do when you break into a system to 'fix' the logs?
How can they guarantee the tree hasn't been affected? Compare it with another copy?
Re:How do they know? (Score:5, Informative)
Re:How do they know? (Score:4, Informative)
Do you mean that people don't use line printers any more???!!? Back in the good old days, (not really) we'd have the computer print the diffs of any files that ever changed on the system in real time!
Re:How do they know? (Score:3, Insightful)
Re:How do they know? (Score:3, Insightful)
Re:How do they know? (Score:3, Insightful)
In addition, they can just rsync the portage stored on that box to another to see if any changes were made.
Re:How do they know? (Score:3, Informative)
One makes hashes of each file and stores them on a non-networked system and/or read-only media. Then periodically runs a check (hopefully from a statically linked binary that is also on RO media) on the files and compares the hashes.
If they match (and any number of other conditions are met, like the machine and the media the hashes were stored on are physically secure, etc.) you can say with reasonable certainty that the files are unmole
Faking a forensic trail would make little sense... (Score:3, Insightful)
Yes, but I think SOP would be to do a little Jedi handwaving "There was no breach". So if they have a good forensic trail, it's either a) real or b) fake. But why create a fake one, if they could have erased it properly? The only reason would be to hope that the box would be apparently fixed, but in reality still rooted. However, as the article said, after the investigation is done it'll be wiped and rebuilt, w
Re:How do they know? (Score:5, Insightful)
Seperate Log Server (Score:5, Informative)
If you really have a serious system where you want detailed logs you keep the logs for that system off that machine. Sure the machine that is logging could have been comprimized as well but that is twice as much work. Now you have to hack the machine but also the logger to erase the intrusion event.
In fact one of the things I've seen done is that events are logged on the machine and the logger. The idea was to provide not only redundant logging but also provide a front for hackers. A hacker would see the local logs and be too busy doctoring up those logs to check to see if there is an external logger.
In any event, the logging Gentoo did looks complete enough. They claim only 20 users did a sync against the server during the hour it was online and comprized.
Pointy-Hat theory time.. (Score:4, Insightful)
Re:Pointy-Hat theory time.. (Score:5, Insightful)
Or (C) None of the above. To want to crack something you don't need to hate it (or to be paid to hate it). The possibility of finding vulnerabilities is tantalizing enough on its own. To crack something that big would be a major black-hat ego trip, don't you think?
Re:Pointy-Hat theory time.. (Score:2)
Well, everytime there's a major windows exploit you always hear "blah blah, Linux, blah blah BSD, blah blah OSX." Maybe the hackers are just looking for a new way to prove their "l33t h4x0r1ng sk1llz."
-sam
Re:Pointy-Hat theory time.. (Score:5, Insightful)
Hypocrisy alert (Score:4, Insightful)
I've pointed out before that Windows is way more widespread than Linux, and so is more attacked and vulnerable, but then zealots come on and say Apache is the most-used on the net and yet not the most breached. But to this [about.com], it's already the most-breached operating system.
Hoot and holler about the reasons all you want, but them's the facts.
We REALLY, REALLY need to stop with the "Linux is invincible, Windows sucks" attitude. It's flat-out not true, and it's severely holding the community image back in the minds of the rest of the rational computing world who just uses what they use to get the job done and don't treat operating systems like religious belief systems.
Re:Hypocrisy alert (Score:3, Interesting)
I really don't want to be a smartass here but could this be a case of the pot calling the kettle black? You don't seem at all Overly Critical when something bad happens to Windows. Indeed, your posting history is largely criticisms of Linux. I could exchange every instance of Windows and Linux in a typical posting of yours and you would come off exactly like one of the "Linux religious fanatics" you claim to be above.
You also seem to t
Deliberate attacks? (Score:5, Interesting)
Once is happenstance, twice is coincidence, three times is some one playing silly buggers.
(Kernel.org, debian.org, gentoo.org - all in the same two months?)
Re:Deliberate attacks? (Score:2)
Re:Deliberate attacks? (Score:4, Interesting)
Whoever is behind this is showing off for sure.
Re:Deliberate attacks? (Score:3, Funny)
How about spammers? (Score:5, Interesting)
OSS machines, however, are a much more reliable computing environment, meaning that any trojans are actually like to work, and work well. And I'd also wager that many OSS machines are used AS firewalls or bastion machines, and if compromised are easily accessable for spamming or use as stepping stones to other machines. And many of these machines are always on -- you don't have to worry about lack of reliability from disabled machines.
This makes more sense to me than any other conspiracy.
Time to Switch to Debian (Score:5, Funny)
Debian, Gentoo.... who's next? (Score:5, Insightful)
First Debian, now Gentoo... Slackware perhaps? Maybe install a spam-bot on a knoppix image?
Re:Debian, Gentoo.... who's next? - OpenBSD ??? (Score:5, Interesting)
In fact, just last year ftp.openbsd.org did get compromised [internetnews.com]!
GAAAAH!!!! (Score:2, Funny)
Today, I decided that I wasn't entirely happy with Debian, and so I have Gentoo stage3 LiveCDs sitting on my desk, ready for an install when I get home...
Maybe someone should start working on Desktop OpenBSD. :-P
On the bright side... (Score:5, Interesting)
... they DO have records of what was done and were able to isolate it pretty quickly. IMHO, that's probably saved them a lot of trouble.
Whether it's because the cracker was sloppy or inexperienced, or because the Gentoo team have good server security, I can't say - but it seems they were pretty lucky compared to Debian.
What baffles me is why crackers go after targets like this. I can understand anticapitalist stuff, but my intuition says someone trying to crack a *nix server and damage a distro must have detailed knowledge of *nix systems - and is therefore likely a user of an OpenSource operating system.
Is that guess a little too far off base? If so, what's your take?
Re:On the bright side... (Score:5, Insightful)
Because some individuals are asshats, that's why. You could create the cure for cancer and some asshole would try to shoot it down just because it's there. After all, we are the same species that nailed some poor bastard to a cross just because he said we should all get along for a change.
Re:On the bright side... (Score:5, Informative)
Why do they do this? Because they can. Personally, I blame that darn rap music.
Linux vs M$ breakins. (Score:5, Insightful)
Re:Linux vs M$ breakins. (Score:3, Insightful)
Re:Linux vs M$ breakins. (Score:5, Funny)
Firstly, get used to it (Score:5, Interesting)
To those who aren't intentionally trying to troll.. and computer journalists;
Yes, Linux servers can be compramised.
No, the sky is not falling.
No, it's not the end of Linux or open source.
How about a logging trail (Score:5, Interesting)
Anything in these logs on the source of the hacks? Probably another hacked machine, but perhaps it can be traced to a source.
Also, in any package that were compromised or attempted at, what is being inserted? Perhaps we can use it as a honeypot to catch a hacker?
Perhaps 2.4.23 should have a kernel allowance for a log that tells when somebody was trying to use the =2.4.22 exploit (or does it)?
Re:How about a logging trail (Score:5, Informative)
It doesn't have, but would be trivial to implement. Here is my suggestion how a patch [daimi.au.dk] for that should look (untested):
This reminded me that.... (Score:2, Funny)
leads... (Score:3, Insightful)
-The Big Lebowski
Seriously though, I would hope that organizations like Debian or Gentoo would have the brain power and tech resources to find a few leads that results in arrests. But why do I doubt that anyone will ever be arrested for any of these types of attacks?
'Cause of the 'severity' (Score:5, Insightful)
PS, full props for the Lebowski quote!
Why is this not on front page of Gentoo's site? (Score:2)
Silver Lining... (Score:2)
so what was the remote exploit that was used? (Score:2, Redundant)
Information wants to be free. (Score:4, Interesting)
Diff it against what's out there now and we're only a quick trip to http://arin.net/whois from knowing who it was . .
-Peter
Re:Information wants to be free. (Score:3, Informative)
DARL! Turn that computer off and go to bed! (Score:3, Funny)
You just wait until your father gets home!"
gpg sign the bloody emerge files? (Score:4, Insightful)
You take the keys of the developers [or even a cvs key] and then sign all the emerge files. There are only like 2000 new ones a day so at about 50ms a signature [for a really slow box] that's only 100 seconds of time [two minutes not much].
That way if the end user downloads compromised emerge files they could detect them.
Damn... I'm like a genius.
Re:gpg sign the bloody emerge files? (Score:4, Informative)
What OS was the compromised box running? (Score:5, Interesting)
While it may run Gentoo, it is not stated as such, and could be very well be something else.
Re:What OS was the compromised box running? (Score:3, Interesting)
A Netcraft search for rsync.gentoo.org [netcraft.com] shows more than one server. Two of them run Gentoo, two run Red Hat, one runs Debian, three run unknown Linux, and one runs FreeBSD (some of the servers are listed twice). There are more servers (14, if one is to believe 'host rsync.gentoo.org|wc -l'), but Netcraft is only interested i
Not as big as previous posters make it sound. (Score:5, Informative)
It was not their server that was compromised, just a third party server in a round robin rotation. They don't own it, they don't maintain it - just someone else who donated server space.
The primary or master server is not accessible to users, it was not compromised, and so none of the original source files had a chance to be changed.
Only the 20 users that synchronized to this server even have a tiny chance of getting bad files. Having everyone sync now that this server is out of the rotation will immediately fix the problem.
Full disclosure 24 hours later. I give them a lot of credit for such a quick response and disclosure. This is very, very minor.
~J
Here's what real security looks like (Score:5, Insightful)
Gentoo had "ductile" security. They were able to limit the damage because they had some kind of Tripwire/mtree-like program running on the inside. Given the speed of the response, my guess is that they had a response plan ready to go.
The lesson is that measures to limit the damage from a break are as vital as measures to prevent breaks in the first place. Fire prevention doesn't substitute for sprinkler systems, and intrusion prevention doesn't substitute for backups. You've got to have both.
Conspiracy, FUD, and Open Source (Score:5, Interesting)
OSS advocates love to hate Windows
OSS advocates gloat when a new hole turns up in Windows
OSS advocates point to the number of worms, virus, etc in Windows and say, "Never us"
Then several OSS distros have a security breach in a short space of time.
OSS advocates respond with "Must be a conspiracy against us by some evil entity", "Hey, look how quick we caught it", "It would have been much worse with Windows".
Time to face facts gents. Windows is attacked FAR more than OSS. Why? Well, yes, it is full of holes. But downtown Philly is riddled with abandoned houses with no locks on the doors but they never get broken into. Why? No value in doing so. Not enough damage, headlines, misplaced glory, etc. But the main reason is that it is the dominant OS out there. I fear that we will see more and more attacks against OSS with it's growing popularity. If we all get our wish and 'nix takes over Windows dominant market position and is running on 90% of desktops, you will most likely find it a target for constant attacks like Windows has now.
We all know in order for 'nix to make it to the desktop, it has to become WAY more user friendly. Can't have Grandma trying to recompile the kernel now can we? User friendly unfortunately translates into users being able to do things that comprise security. Like opening attachments, downloading Trojans, etc. Then the great security built into the OS goes right out the window. no pun intended).
So before you all start crying about conspiracies, et al, just remember that we all may be victims of our own push to make the 'nix stuff more popular. By bragging about how secure it is, we just may be attracting the type of attack that is more sophisticated then the script kiddies attacking Windows. I imagine it's cool to brag to your friends that you broke into a Windows box. I imagine it's much cooler to brag that your rooted a Linux distro. Badge of honor and all that.
Re:Conspiracy, FUD, and Open Source (Score:5, Insightful)
I'm going to disagree with the absolute statement that this isnt Microsoft's fault. I agree that the design of Windows not taking into account network security issues at it's inception is not their fault. it wasn't on the radar as an issue facing personal computers when windows was originally written.
However, building products you are going to market as a server that don't take into account network security is absolutely their fault.
Building applications that are designed to be used across a network (like IE and Outlook) and not seriously considering the security threat to the system that they create is their fault. Actively adding features to those applications that hamstring any attempt to secure the machine is their fault.
Claiming your stuff is secure while trying to crush anyone who exposes that it isnt; that's their fault too.
So there's plenty of security related issues with Microsoft that absolutely are their fault.
Gandma and gradpa will not compile the kernel. They will use the standard upgrade path of binary packages. They will trust the source computer has not been compromised as Microsoft users trust the Microsoft site is not compromised.
This is a great reason why security issues with computers used in the upgrade path should be disclosed quickly and the clean up process should be transparent.
The honesty of OSS groups to disclose information about vulnerabilities is one of it's strengths.
Gentoo! (Score:5, Funny)
With apologies to Torne, from whom I stole this quote.
When, not if (Score:5, Insightful)
IDS is placed on a system to follow an attack. Audit trails [busan.edu] on sensitive machines reveal all commands executed, to the detail you desire.
Here is the point. Bruce Schneier says that the important part of security is not that you were compromised, but rather that you can react within a time frame to keep the damage to acceptable levels. If you can tolerate having your system compromised for weeks, don't invest in a lot of security. The short response time (2 hours at 11pmEST) here indicates that the Gentoo administrators care about responsiveness enough to check on it frequently.
When the CVS gateway to Bitkeeper on the Linux Kernel was compromised, the developers of Bitkeeper were able to show that they care enough about security that they invested in many checks and balances that caught the error immediately. Since then, Bitkeeper developers, interested in protecting their good reputation (which is VERY difficult to replace), are considering even more drastic measures.
As a bonus, some cracker spent a good few days or weeks writing this exploit. We get to keep it and deploy the solution with little hassle. And the compromised system, because good security practices are in place, was mitigated to minimize damage.
Read Schneier's book Secret and Lies [schneier.com] to find out how security is really a process. Yes, I know it's a plug, but I just thought the book hit-home to the real point - "When, not if" you get compromised.
Several other posts here hint that the world will think less of Linux for this. False. True CIOs should see that Linux has the tools to completely identify and contain attacks. Every CIO knows attacks cannot be stopped, but rather they must be contained to acceptable levels.
Debian vs. Gentoo... (Score:3, Insightful)
Good luck catching your buglar. I want to know how to patch my box.
Look at this in a positive way (Score:4, Insightful)
Let's face it, no OS is 100% secure. Operating Systems that are more secure than others still need to be on their toes. One security exploitation on a Linux box can still be as dangerous as a thousand (an underestimated ratio I'm sure) exploitations on a Windows box. However, I will take the body of security knowledge surrounding an OS to be as valuable as the initial security design principles in the OS in the first place; with that in mind, many Open Source OS's come out looking pretty good. I trust the Linux community to grind down and fix security problems and not sit around and emphasize the numerous security in a Microsoft product. If you're concerned, then help out developers by testing the software and reporting bugs. You could even code a few patches yourself, that being the whole point of community-based development.
Whether or not there is a deep and dark plot to root big Linux boxes is irrelevant. This is another opportunity to demonstrate the Open Source community's response to security issues to the rest of the computing community. If the heat is really on and this is not just another artifact of news gatekeepers getting over-zealous on a trend, then so be it. It is an opportunity to review and evolve Linux's security as well as the security processes that surround it.
One of the things I admire most about Linus Torvalds is his steadfast commitment to the quality of his product. It is a commitment that is focused on constant improvement, not PR damage control. I'm sure the real security guru's are sitting with a bit more comfort knowing their servers are running Linux.
Disclaimer: This post contains no constructive content whatsoever, swallow two tablespoons of salt and call me in the morning.
I'm reminded of a cliche... (Score:3, Interesting)
For all of you that are curious, this isn't a BSD troll (although it could be...).
My point here is that whenever a larger *NIX server is broken in to, there are ALWAYS people that comlain about "the insecurity of *NIX". Well, when ONE large *nix server is broken in to, it makes it to the front page of slashdot, whereas blaster/sobig/etc usually get a story or two.
This is where the quote above comes into play.
Linux might look insecure, but that's because we usually hear about breakins on a 1 server basis. When we here about Windows, it's usually in the HUNDREDS OF THOUSANDS (if not more). If there was a slashdot story for every one of THOSE servers, then it would appear the way it actually is.
The real question is... (Score:5, Funny)
Savannah.gnu.org was hit as well (Score:5, Interesting)
On December 1st, 2003, we discovered that the "Savannah" system, which is maintained by the Free Software Foundation and provides CVS and development services to the GNU project and other Free Software projects, was compromised at circa November 2nd, 2003.
Tripwire / AIDE (Score:3, Insightful)
From the Gentoo Altert:
Gentoo realized that they got hacked after one day.
GNU Savannah realized that they got hacked after one month.
It's time to propagate the use of file integrity checkers! They can detect the effects of any new exploit and can't be circumvented (when properly used!).
AIDE [sourceforge.net]
Tripwire [sourceforge.net]
I'm going to get trolled for this... (Score:3, Interesting)
Kernel.org, debian.org, gentoo.org Gnu.org All of them had security holes and now those holes are plugged.
I used to run a few servers. Mostly web-servers, but I had a few for mail and other things. Almost every single one was hacked all in the same 2 month period. I had kept up with updates and I figured I was secure. If I wasn't hacked I would have never known that I wasn't secure and I could have been seriously screwed down the line. It was a much needed eye opener.
rsync security update (Score:3, Informative)
I was going to post it here, but the moronic lameness filter won't let me. So you'll need to look at rsync.samba.org [samba.org].
Re:Wanna bet... (Score:5, Interesting)
Re:Wanna bet... (Score:5, Informative)
Re:windowsupdate.microsoft.com Breakins? (Score:5, Funny)
Because we wouldn't have time for all of the other news.
Re:windowsupdate.microsoft.com Breakins? (Score:3, Insightful)
Honest answer (Score:3, Informative)
During an oddly-underpublicized security Webcast Monday, Microsoft revealed that hackers subject the company to 2500 to 3000 electronic attacks every day, or over 100,000 a month. Yet despite this massive number of attacks, the last successful intrusion occurred over three years ago, during the infamous October 2000 security breach. But the software giant says the biggest security risk to the company isn'
Re:The only reason this is news... (Score:2, Interesting)
Get your facts right:
"Linux [about.com] is successfully compromised more than any other operating system". Mostly due to people setting it up straight out of the red box without adequately Reading The Fine Manual.
Re:The only reason this is news... (Score:3, Insightful)
Do worms count as a comprimise? I can't see any possible way that you couldn't count them, and I can't see any possible way that linux would have more comprimises in a year than any of the latest worms would generate in a month.
Re:The only reason this is news... (Score:5, Informative)
So anyways, they did not count (most) worm incidents, as they would happen on non-server windows machines.
That does not mean that Linux boxen should not have better default security settings, of course.
Re:The only reason this is news... (Score:5, Insightful)
facts are tricky like that:
"We don't know how many total servers the numbers were gathered from or what percentage of those servers is Linux vs. Windows, etc. It is safe to say that these results are true for the servers they monitor, but the percentages may not be true for all servers across the globe."
while there certainly exist a large number of linux machines that have been compromised, i can't imagine the number of infected linux machines is anywhere near that of the win32 systems infected by blaster/welchia/code red/nimda/sql slammer/klez/dumaru/sobig/etc. in the same time frame. i suppose the counting in this case depends quite a bit on the counter's definition of "compromised."
Re:The only reason this is news... (Score:5, Insightful)
damn microsoft bashing wannabee
Re:The only reason this is news... (Score:5, Informative)
But the server is down and will be scrubbed and re-sync'd, just to be safe
Re:The only reason this is news... (Score:5, Insightful)
Since Gentoo doesn't have a "THE" source code repository, I'm afraid you've got some facts to get straight, Herr Coward.
The mirror had read-only rsync access to Gentoo's primary (US) mirror. Even if the tree were compromised, the changes could not propagate into the main tree. For that, one would require CVS access to the CVS repository, against which the primary rsync server is synchronized.
This was only posted as a matter of keeping our user community, and the OSS community as a whole informed.
Also, I believe the announcement gave mention of it, but the Portage tree on the primary mirror was re-created from the CVS repository immediately upon being notified that a mirror was compromised. Within 30 minutes, every Gentoo rsync mirror had a fresh copy of the tree automatically (as stated by Gentoo rsync mirror policy, mirrors are updated every 30 minutes in order to remain on the official rotation).
Sorry for the confusion, all, but there's really nothing to see here. But it was good clamouring practise for when/if a real Gentoo server is compromised. ;)
Re:The only reason this is news... (Score:4, Insightful)
Ever looked at the amount of incomming traffic when you're online? Ever considered where the amount of you are getting is mainly comming from?
Unless they get windows.update, I am not concerned at all.
Well, start worring right now. How big do you consider the chance that your vendor tells you about that? They don't even tell you about problem in your OS they know about for months before some exploit is published in the wild.
I do share your concern about trusting the source of your software, but even with these compromises i'd trust Debian and Gentoo more that a big company that has a huge interest in hiding problems like that.
There is no solution to this problem, other then writing all your software yourself. The thing that comes the closed to that, while being still practical, is and open development model where a lot of people are reviewing the source for mistakes and/or malware.
Re:"Reasonably Confident"? (Score:2)
Re: (Score:3, Insightful)
Re:So... (Score:5, Funny)
"Ah, but Gentoo's root exploit was compiled from source, so Gentoo got rooted 0.000000124% faster than Debian!"
Ah well, I like Gentoo myself. It is quite fun.
Re:Question from non-hacker (Score:3, Informative)
The old adage goes something like: the only safe computer is unplugged, encased in concrete, and buried at a radioactive waste site.
It sounds like the admins at this place were doing a good job, hence catching the break-in in 1 hour and having a log trail of what happened. The interesting thing will be when they find out the exploit used to get in. The Debian rooting caused a new kernel version, because the flaw was found to be in the Linux kernel. Hopefully
Re:Question from non-hacker (Score:5, Informative)
1. Buffer overflows, or out of bounds issues, with services running on a server, eg ftpd, httpd, sendmail, bind (dns). This is where it is discovered to be possible to send malformed data to a service which the service is not expecting and wont deal with naturally. This sometimes results in the ability to send it some executable code which is read straight into memory and executed. Very easy to code around, very easy to detect, fairly easy to detect and very easy to exploit. This is the sort of attack that normally occurs against MS Windows et al, although sendmail, bind and various ftpds (wu-ftpd) have a reputation for being full of them.
2. Password sniffing. This is where someone sits between a user and their box and sniffs network traffic, etiher getting a password unencrypted (normal ftp login, pop3 etc etc) or a weak hashed. Fairly easy to do, and you have a login to the system when you do. Not normally seen these days as ssh is used, and you should always have a seperate restricted user login for other services which do not encrypt passwords (imap, pop3, ftp etc).
3. Issues with web scripts, that sometimes allow you to insert data into a database which the owner doesnt want you to do (or get a copy of his database) via SQL Injection attacks. Also it has been fairly common in the past to be able to get a copy of
The biggest problem these days is that a lot of services run as root, because they need to to bind to ports lower than 1024. This was done so it allows you to "trust" services on those ports as being proper ones, rather than ones run by a normal user. A way around this is to run all services as a standard user, on port ranges above 1024 and bound only to IP 127.0.0.1. This means that your services are no longer on the standard ports, but you can get around this by using ipfilter, pf or another port fordwarding tool to forward all traffic on external priviledged ports to the services on 127.0.0.1, allowing you to run services as non priviledged users while retaining compatability with the outside world.
It is VERY difficult to secure a server to near 100% levels, although you can get pretty close if you want to constantly be working at it. The goalposts change rapidly from day to day, and it can be hard to keep up. If you only run the services you really need, in chroot environments, and ensure that those services are well known services (apache for httpd, exim postfix or qmail for smtpd, pure-ftpd or pro-ftpd for ftpd, DJBDNS or bind 9 for dns) then you can be assured that there are trusted people looking at the source for exploits to fix as well as the untrusted people doing the same to exploit.
Good logging firewall rulesets, an IDS (intrusion detection system), and a remote logging facility are all plusses in the fight.
Re:How to fix it? (Score:4, Insightful)
Two compromises, both cought within an hour and with no (absolutely none) adverse effects on the users - there is just not much room for improvement here, this is what good security is.