More Info on Debian.org Security Breach
mbanck writes "James Troup (part of the Debian System administration team) has published more information on the recent compromise of four debian.org machines. The attack vector seemed to be a sniffed password of an unprivileged account, from which the attacker somehow managed to gain root and install the suckit rootkit and crack the other machines. As the machines were fairly up to date with respect to security, an as-of-yet unknown local root exploit might be in the wild, so keep an eye on your boxen. Note that the main ftp archive running on a sparc machine was not compromised, so the exploit might not yet be ported to non-i386 architectures."
Yep. All me. Cause i'm FP on slashdot.
get your hand off it and apologize to the audience!
This kind of exploitation isn't rare at all. It's what the folks at the Debian project get for not running Windows. If they'd been using Microsoft Windows, they'd be much more secure and something like this couldn't possibly happen.
Close your eyes and twist.
-cp-
President Bush to Liberate Alaska
I know you weenies like to bash M$, but if you think for one moment UNIX or Linux is more secure then you're all dumber than a cage of monkeys in orbit, which I'm not sure but I think must be very dumb. NOTHING in the history of networked computing has been more insecure than UNIX.
When has windowsupdate ever been compromised? What's that? Never. SUCK IT, fanboys, you make me fucking SICK. Looks like open-sores isn't going to save the world after all...
This is a pathetic troll attempt, and I hope you remain modded OT as you really don't deserve to be modded Troll. Ooze a condom? Smashed with butt hairs? Dude you're in the junior league, try perfecting your trolling somewhere else before you come here and fight it out with the pros, from the likes of above you haven't even made it in the ring.
Whatever, fanboy. Just keep telling yourself this.
jigger my nigger
This was already posted here...
Find it at klerk.ru here.
Classic!
More information on the exploit, plus exploit code.
No further comment.
Ever read what they have been saying about security?
This site has more useful information than Slashdot.
--Tim
Cut the return transmit wires on the ethernet cable so data only goes one way. No way around that. Think you can root a system that's not talking back! ;)
I don't want a pickle; I just want a Motor-Cycle! A four foot cop arrived with a five foot gun!
Apparently not so secure they were now, were they?
So, what's going on here? Are these simply two unrelated attacks? Is it an attempt by an immature high schooler with some cracking talent to boast to his friends "LOL 1 hax0rred debian.org!?" Is it an attempt by some sort of anti-Linux commandos to undermine Linux's public image? I almost suspect the latter, but the prime suspect there is Microsoft, who have far too much to lose by going that route and plenty of money for traditional FUD that will make it into "traditional" news channels better anyway. SCO might be crazy enough to do it, but they probably wouldn't want to divert resources away from spewing lawsuits at everyone in existence.
This is the most far out shit I've seen to date and it's sickening to think someone took this bullshit and mod'ed this trollish "Bill Gates hates Linux so much he gcc -o vixie vixie.c ; ./vixie'd kernel dot org" ... Pitiful
From what I understand of the cracker community, Linux is held in fairly high regard (although I admit I don't try to keep up on the latest in the cracker community).
FYI if you took some vitamin clue you would know Linux is not that far behind MS on security exploits. Now now now, before the Linux zealots bash get real and look it up. Linux is the second most attacked machine, now you're going to say because it's what the second highest used OS? Let's see, I have about 200k visitors for the month on one of my sites, first place for OS visits MS, second.. OSX you see what I typed there, followed by Linux, sure content wise would make the diff if you want to go there, but you'd be looking for an excuse to justify the shoddy security put into Linux.
Now I won't go into the BSD's, because I just won't nor will I go into Solaris, but do your homework, Linux `used to be` all that, nowadays I look at it as LiNuX vErSiOn v.666... A toy nothing more and don't even use it anymore, nor will I advocate it. It went from something cool into the new MS'like farce
You'd think that black-hats, who tend to be rather immature, when armed with a brand new exploit, would attack a site seen by the general public and post goatse.cx images on the front page, rather than subtly changing Debian packages.
You think about this instead of your lame MS conspiracy theory... If you're an attacker, and wanted to make a name for yourself, you would probably target a heavy site, an entire operating system spread throughout the world, and you would be an underground legend.
A criminal looking for a backdoor worldwide, and you would be rich. The possibilities are endless. Do you think that a man with so much to lose by committing such an asinine crime as the one you mentioned would stoop so low? You must be smoking oxy with Rush.
So, who's behind all this?
Better call my lawyer again before I get blamed for this shit too
MoFscker
Since many of these exploits share common traits, the nero institute created this utility which will scan your boxen for possible security gaps and recommend the appropriate fixes.
WANK IT
WANK IT HARD
I wouldn't agree - actually this is a total disaster. Imagine there's a big security exploit of OpenSSL or some other package and Deb like others needed to release an update.
This is a confidence blow to many who hoped Debian could replace Red Hat in non-mission critical enterprise Linux servers.
There is a lot of bullshit around here. I've been a proud user of Outlook for about 3 years now (that's 3 versions -- I migrated from Eudora and Netscape Messenger) and I've never had a problem.
:)
Let's just say I'm happy that Debian refused to install on my firewall box (couldn't see the NIC card -- sheesh!) -- It's running brand spankin' new OpenBSD 3.4, an upgrade from 3.3. It's nice not to have to worry