
GNU software compromised : Cert Advisory - Linux Setup, Configuration & Administration


  1. #1

    GNU software compromised : Cert Advisory

    > Source: CERT/CC
    >
    > A complete revision history is at the end of this file.
    >
    > Overview
    >
    > The CERT/CC has received a report that the system housing the
    > primary FTP servers for the GNU software project was compromised.
    >
    > I. Description
    >
    > The GNU Project, principally sponsored by the Free Software
    > Foundation (FSF), produces a variety of freely available
    > software. The CERT/CC has learned that the system housing the
    > primary FTP servers for the GNU software project,
    > gnuftp.gnu.org, was root compromised by an intruder. The more
    > common host names of ftp.gnu.org and alpha.gnu.org are aliases
    > for the same compromised system. The compromise is reported
    > to have occurred in March of 2003.
    >
    > The FSF has released an announcement describing the incident.
    >
    > Because this system serves as a centralized archive of
    > popular software, the insertion of malicious code into the
    > distributed software is a serious threat. As the above
    > announcement indicates, however, no source code distributions
    > are believed to have been maliciously modified at this time.
    >
    > II. Impact
    >
    > The potential exists for an intruder to have inserted back
    > doors, Trojan horses, or other malicious code into the
    > source code distributions of software housed on the compromised
    > system.
    >
    > III. Solution
    >
    > We encourage sites using the GNU software obtained from
    > the compromised system to verify the integrity of their
    > distribution.
    >
    > Sites that mirror the source code are encouraged to verify
    > the integrity of their sources. We also encourage users to inspect
    > any and all other software that may have been downloaded from the
    > compromised site. Note that it is not always sufficient to rely
    > on the timestamps or file sizes when trying to determine
    > whether or not a copy of the file has been modified.
    >
    > Verifying checksums
    >
    > The FSF has produced PGP-signed lists of known-good MD5 hashes of
    > the software packages housed on the compromised server. These
    > lists can be found at
    >
    > ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
    > ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
    >
    > Note that both of these files and the announcement above are
    > signed by Bradley Kuhn, Executive Director of the FSF, with the
    > following PGP key:
    >
    > pub 1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhnfsf.org>
    > Key fingerprint = 4F40 645E 46BE 0131 48F9 92F6 E775 E324 DB41 B387
    > uid Bradley M. Kuhn (bkuhn99) <bkuhnebb.org>
    > uid Bradley M. Kuhn <bkuhngnu.org>
    > sub 2048g/75CA9CB3 1999-12-09
    >
    > The CERT/CC believes this key to be valid.
    >
    > As a matter of good security practice, the CERT/CC encourages
    > users to verify, whenever possible, the integrity of downloaded
    > software. For more information, see IN-2001-06.
    >
    > Appendix A. - Vendor Information
    >
    > This appendix contains information provided by vendors for
    > this advisory. As vendors report new information to the
    > CERT/CC, we will update this section and note the changes in our
    > revision history. If a particular vendor is not listed below,
    > we have not received their comments.
    >
    > Free Software Foundation
    >
    >
    > The current files on alpha.gnu.org and ftp.gnu.org as of
    > 2003-08-02 have all been verified, and their md5sums and the
    > reasons we believe the md5sums can be trusted are in:
    >
    > ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
    > ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
    >
    > We are updating that file and the site as we confirm good md5sums
    > of additional files. It is theoretically possible that downloads
    > between March 2003 and July 2003 might have been
    > source-compromised, so we encourage everyone to re-download
    > sources and compare with the current copies for files on the site.
    >
    > Appendix B. References
    >
    > * FSF announcement regarding the incident -
    >   ftp://ftp.gnu.org/MISSING-FILES.README
    > * CERT Incident Note IN-2001-06 -
    >   http://www.cert.org/incident_notes/IN-2001-06.html
    > __________________________________________________ _______________
    >
    > The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free
    > Software Foundation for their timely assistance in this matter.
    > __________________________________________________ _______________
    >
    > Feedback can be directed to the author: Chad Dougherty.
    >
    > __________________________________________________ ____________________
    >
    > This document is available from:
    > http://www.cert.org/advisories/CA-2003-21.html
    >
    > __________________________________________________ ____________________
    >
    > CERT/CC Contact Information
    >
    > Email: certcert.org
    > Phone: +1 412-268-7090 (24-hour hotline)
    > Fax: +1 412-268-6989
    > Postal address:
    > CERT Coordination Center
    > Software Engineering Institute
    > Carnegie Mellon University
    > Pittsburgh PA 15213-3890
    > U.S.A.
    >
    > CERT/CC personnel answer the hotline 08:00-17:00
    > EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on
    > call for emergencies during other hours, on U.S. holidays, and on
    > weekends.
    >
    > Using encryption
    >
    > We strongly urge you to encrypt sensitive information sent by
    > email. Our public PGP key is available from
    > http://www.cert.org/CERT_PGP.key
    >
    > If you prefer to use DES, please call the CERT hotline for
    > more information.
    >
    > Getting security information
    >
    > CERT publications and other security information are available
    > from our web site
    > http://www.cert.org/
    >
    > To subscribe to the CERT mailing list for advisories and
    > bulletins, send email to majordomocert.org. Please include in
    > the body of your message
    >
    > subscribe cert-advisory
    >
    > * "CERT" and "CERT Coordination Center" are registered in the
    > U.S. Patent and Trademark Office.
    >
    > __________________________________________________ ____________________
    >
    > NO WARRANTY
    > Any material furnished by Carnegie Mellon University and the
    > Software Engineering Institute is furnished on an "as is"
    > basis. Carnegie Mellon University makes no warranties of any kind,
    > either expressed or implied as to any matter including, but not
    > limited to, warranty of fitness for a particular purpose or
    > merchantability, exclusivity or results obtained from use of the
    > material. Carnegie Mellon University does not make any warranty
    > of any kind with respect to freedom from patent, trademark, or
    > copyright infringement.
    > __________________________________________________ ____________________
    >
    > Conditions for use, disclaimers, and sponsorship information
    >
    > Copyright 2002 Carnegie Mellon University.
    >
    > Revision History
    > August 13, 2003: Initial release
    >
    From: "CERT Advisory" <cert-advisorycert.org>
    To: <cert-advisorycert.org>
    Subject: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
    Date: Wednesday, August 13, 2003 7:17 PM



    Ken Kauffman Guest

  2. #2

    Re: GNU software compromised : Cert Advisory

    On Wed, 13 Aug 2003 22:22:56 -0400, Ken Kauffman <kkauffmannospam.headfog.com> wrote:
    >
    >
    >> Source: CERT/CC
    >>
    >> A complete revision history is at the end of this file.
    >>
    >> Overview
    >>


    I noticed a M$ weenie posted this. Is it for real?


    Haven't heard a word about it anyplace else.


    Alan C



    Alan Connor Guest

  3. #3

    Re: GNU software compromised : Cert Advisory

    On Thu, 14 Aug 2003 04:06:27 +0000, Alan Connor wrote:
    >>> Source: CERT/CC
    > I noticed a M$ weenie posted this. Is it for real?
    > Haven't heard a word about it anyplace else.
    It's real. Heard about it on Slashdot earlier today.

    http://ftp.gnu.org/MISSING-FILES.README
    http://ftp.gnu.org/MISSING-FILES

    Ed Murphy Guest

  4. #4

    Re: GNU software compromised : Cert Advisory

    |I noticed a M$ weenie posted this. Is it for real?

    It is unfortunately. And apparently it was done by someone who had login
    access to the machine, using a local ptrace exploit in the week before a
    patch was posted.

    |Haven't heard a word about it anyplace else.

    Slashdot among lots of places.

    [Please, no further crossposts unless you have some info to add.]
    --

    gombvtw@moqphq.com.jb Guest

  5. #5

    Re: GNU software compromised : Cert Advisory

    Alan Connor wrote:
    > On Wed, 13 Aug 2003 22:22:56 -0400, Ken Kauffman
    > <kkauffmannospam.headfog.com> wrote:
    >>
    >>
    >>> Source: CERT/CC
    >>>
    >>> A complete revision history is at the end of this file.
    >>>
    >>> Overview
    >>>
    >
    >
    >
    > I noticed a M$ weenie posted this. Is it for real?
    >
    >
    > Haven't heard a word about it anyplace else.
    >
    >
    > Alan C
    I used OE with OE -QuoteFix. Don't be a prick about it. I don't care for
    the way filtering works in PAN when filtering threads by user. It seems to
    strip out part of the thread up to your own name.

    If you had taken two damn seconds to check CERT.org you would have seen it.

    http://www.cert.org/advisories/CA-2003-21.html

    ken k


    Ken Kauffman Guest

  6. #6

    Re: GNU software compromised : Cert Advisory

    On Thu, 14 Aug 2003 04:23:08 GMT, gombvtwmoqphq.com.jb wrote:
    > |I noticed a M$ weenie posted this. Is it for real?
    >
    > It is unfortunately. And apparently it was done by someone who had login
    > access to the machine, using a local ptrace exploit in the week before a
    > patch was posted.
    >
    > |Haven't heard a word about it anyplace else.
    http://www.cert.org/advisories/
    >
    > Slashdot among lots of places.
    >
    > [Please, no further crossposts unless you have some info to add.]
    Bit Twister Guest

  7. #7

    Re: GNU software compromised : Cert Advisory

    On Thu, 14 Aug 2003 04:41:02 GMT, Bit Twister <BitTwisterlocalhost.localdomain> wrote:
    >
    >
    > On Thu, 14 Aug 2003 04:23:08 GMT, gombvtwmoqphq.com.jb wrote:
    >> |I noticed a M$ weenie posted this. Is it for real?
    >>
    >> It is unfortunately. And apparently it was done by someone who had login
    >> access to the machine, using a local ptrace exploit in the week before a
    >> patch was posted.
    >>
    >> |Haven't heard a word about it anyplace else.
    >
    > http://www.cert.org/advisories/
    >
    >>
    >> Slashdot among lots of places.
    >>
    >> [Please, no further crossposts unless you have some info to add.]

    Am I understanding this correctly? All anyone has to do to evade this
    cracker's work is to check the md5 sums?

    If so, this isn't a security issue, it is a STUPIDITY issue.

    No one with a lick of common sense installs anything they've downloaded from
    the net without doing that basic test.

    Alan




    Alan Connor Guest

  8. #8

    Re: GNU software compromised : Cert Advisory

    Alan Connor wrote:
    > On Thu, 14 Aug 2003 04:41:02 GMT, Bit Twister <BitTwisterlocalhost.localdomain> wrote:
    >
    >>
    >>On Thu, 14 Aug 2003 04:23:08 GMT, gombvtwmoqphq.com.jb wrote:
    >>
    >>>|I noticed a M$ weenie posted this. Is it for real?
    >>>
    >>>It is unfortunately. And apparently it was done by someone who had login
    >>>access to the machine, using a local ptrace exploit in the week before a
    >>>patch was posted.
    >>>
    >>>|Haven't heard a word about it anyplace else.
    >>
    >>http://www.cert.org/advisories/
    >>
    >>
    >>>Slashdot among lots of places.
    >>>
    >>>[Please, no further crossposts unless you have some info to add.]
    >
    >
    >
    > Am I understanding this correctly? All anyone has to do to evade this
    > cracker's work is to check the md5 sums?
    >
    > If so, this isn't a security issue, it is a STUPIDITY issue.
    >
    > No one with a lick of common sense installs anything they've downloaded from
    > the net without doing that basic test.
    >
    > Alan
    You have to have valid MD5sums in the first place. Since those were
    *also* stored on the servers, they could be at risk.

    *NOW* the FSF is publishing PGP signed lists of MD5sums: I don't believe
    they used to do that. If you know anything about the philosophy of
    Richard M. Stallman, its founder, you realize that Richard does not
    believe that security is a good idea, since it encourages people to
    break in and do damage. So Richard, for many years, never put passwords
    on his logins anywhere he went.

    Note that Richard is a brilliant programmer, and philosophically and
    ethically quite consistent. He thinks that stealing and abuse is
    *wrong*, and believes that by making software wide, wide open to review
    and publication we can build vastly superior software. And he's
    basically been right about that: he just never seemed able to admit that
    some people are complete s and will misuse the freedom to cause
    damage.

    Nico Kadel-Garcia Guest

  9. #9

    Re: GNU software compromised : Cert Advisory

    > Am I understanding this correctly? All anyone has to do to evade this
    > cracker's work is to check the md5 sums?
    I think what's happening is: the FSF already has known good md5sums for
    most of the files on their FTP site. By comparing the current files' hashes
    against the known good lists, they can confirm that those files have not
    been tampered with.

    The FSF is also seeking md5sums for files that they _did_not_ have records
    of. They are unsure whether these files have been modified.

    So this business about md5 sums is the FSF verifying the integrity of their
    previously compromised FTP site, to make sure nothing was altered.
    Jem Berkes Guest
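
The mirror check discussed in posts #8 and #9, as an added example (not code from the CERT advisory, the FSF or any poster in this thread): it compares a local copy against a known-good MD5 list and separates files that match, files that differ, files the list has no record of, and listed files that are absent. It assumes the list text has already had its PGP signature checked against the key fingerprint quoted in the advisory and that entries use the usual `md5sum` line format mixed with explanatory prose; the function names are hypothetical.

```python
import hashlib
import re
import sys
from pathlib import Path

# One md5sum(1) line: 32 hex digits, whitespace, optional '*', then the path.
ENTRY = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def parse_manifest(verified_text):
    """Return {path: md5hex}. Input must be text whose PGP signature was
    already verified; explanatory prose lines in the list are skipped."""
    known = {}
    for line in verified_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            path = m.group(2)
            known[path[2:] if path.startswith("./") else path] = m.group(1).lower()
    return known


def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()  # MD5 only because the signed list carries MD5 hashes
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_mirror(verified_text, root):
    known, root, seen = parse_manifest(verified_text), Path(root), set()
    report = {"ok": [], "mismatch": [], "no_record": [], "absent": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in known:
            report["no_record"].append(rel)  # nothing trusted to compare with
        elif md5_of(p) == known[rel]:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)   # differs from the known-good copy
    report["absent"] = sorted(set(known) - seen)  # listed, but not on disk
    return report


if __name__ == "__main__":  # usage: audit.py VERIFIED_LIST MIRROR_DIR
    print(audit_mirror(Path(sys.argv[1]).read_text(), sys.argv[2]))
```

A file in `no_record` is not shown to be clean; it simply has no trusted hash to compare against, which is the case post #9 describes for files the FSF had no records of.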
