Slashdot Mirror


Gentoo rsync Server Compromised [updated]

costela writes "LWN points out that the Gentoo project fired out an alert about one compromised rsync server." From the message itself: "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected." Update: 12/03 22:54 GMT by T : One more damage report: gibson writes "The Free Software Foundation recently discovered that its software host site was compromised a month ago. The compromise appears to be the same as the recent attacks on the Debian servers. The site is shut down until Friday while they install replacement hardware and verify the authenticity of the hosted source code."

47 of 600 comments

  1. The only reason this is news... by An0maly · · Score: 0, Insightful

    The infrequency of linux/unix box break-ins is what makes this newsworthy. we all know that for every 1 linux/unix box that is compromised, there are a whole slew of windows machines.

    --
    "...if you don't like your job, you don't strike. You just go in every day and do it really half-assed..." -Homer
    1. Re:The only reason this is news... by Anonymous Coward · · Score: 1, Insightful

      Wow. A post even a Linux zealot would blush at. Of course one could argue that there is a whole slew more Windows machines to be broken into. Either way your post is really scary.

    2. Re:The only reason this is news... by kayen_telva · · Score: 5, Insightful

      no, it's news because a very popular linux dist has been hacked which could affect a lot of people. that = news

      damn microsoft bashing wannabe

    3. Re:The only reason this is news... by NialScorva · · Score: 2, Insightful

      also because there's something there to compromise. If I crack gramma's win98 machine, there's not a lot I can do with it except use it as a relay to attack Spamhaus.

      Do worms count as a compromise? I can't see any possible way that you couldn't count them, and I can't see any possible way that linux would have more compromises in a year than any of the latest worms would generate in a month.

    4. Re:The only reason this is news... by htmlboy · · Score: 5, Insightful
      Get your facts right:
      "Linux is successfully compromised more than any other operating system". Mostly due to people setting it up straight out of the red box without adequately Reading The Fine Manual.

      facts are tricky like that:
      "We don't know how many total servers the numbers were gathered from or what percentage of those servers is Linux vs. Windows, etc. It is safe to say that these results are true for the servers they monitor, but the percentages may not be true for all servers across the globe."

      while there certainly exist a large number of linux machines that have been compromised, i can't imagine the number of infected linux machines is anywhere near that of the win32 systems infected by blaster/welchia/code red/nimda/sql slammer/klez/dumaru/sobig/etc. in the same time frame. i suppose the counting in this case depends quite a bit on the counter's definition of "compromised."
    5. Re:The only reason this is news... by Blkdeath · · Score: 5, Insightful
      As well, this isn't "just another exploit for Explorer/Windows/Linux/whatever," this is someone gaining access to THE source code server. I don't seem to recall too many stories where MS had their main code repository compromised, do you?

      Since Gentoo doesn't have a "THE" source code repository, I'm afraid you've got some facts to get straight, Herr Coward.

      The mirror had read-only rsync access to Gentoo's primary (US) mirror. Even if the tree were compromised, the changes could not propagate into the main tree. For that, one would require CVS access to the CVS repository, against which the primary rsync server is synchronized.

      This was only posted as a matter of keeping our user community, and the OSS community as a whole informed.

      Also, I believe the announcement gave mention of it, but the Portage tree on the primary mirror was re-created from the CVS repository immediately upon being notified that a mirror was compromised. Within 30 minutes, every Gentoo rsync mirror had a fresh copy of the tree automatically (as stated by Gentoo rsync mirror policy, mirrors are updated every 30 minutes in order to remain on the official rotation).

      Sorry for the confusion, all, but there's really nothing to see here. But it was good clamouring practice for when/if a real Gentoo server is compromised. ;)

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    6. Re:The only reason this is news... by AVee · · Score: 3, Insightful

      Really? How does a windows machine being compromised affect me?

      Ever looked at the amount of incoming traffic when you're online? Ever considered where the amount of you are getting is mainly coming from?
      Unless they get windows.update, I am not concerned at all.

      Well, start worrying right now. How big do you consider the chance that your vendor tells you about that? They don't even tell you about problems in your OS they know about for months before some exploit is published in the wild.

      I do share your concern about trusting the source of your software, but even with these compromises i'd trust Debian and Gentoo more than a big company that has a huge interest in hiding problems like that.
      There is no solution to this problem, other than writing all your software yourself. The thing that comes the closest to that, while still being practical, is an open development model where a lot of people are reviewing the source for mistakes and/or malware.

  2. well... by neo8750 · · Score: 5, Insightful

    who didn't see this coming? I use gentoo and i figured it was a matter of time before someone did this. I mean having a central tree is cool but it does make it more of a target for attacks. I am however glad to see that they took precautions.

    1. Re:well... by ballyn · · Score: 5, Insightful

      Luckily this "central tree" is actually a distributed mirror, so a simple emerge sync will get your portage tree back in shape if you're one of 20 or so people who happened to sync to this server after it was compromised...

    2. Re:well... by KentoNET · · Score: 2, Insightful

      The rsync servers are, indeed, mirrors. The mirrors are load balanced through the use of a DNS round robin. The cvs.gentoo.org machine propagates the portage tree throughout the rotational rsync mirrors, so any portage tree attack would need to be taken either on most of the rsync mirrors or on the cvs machine. This single attack (had anything actually happened) only affected 20 users.

      --
      "You tried your best and failed miserably. The lesson is...never try. Heh!" -Homer
    3. Re:well... by Theatetus · · Score: 4, Insightful

      Somebody mod that tinfoil-hat-wearing parent post up.

      Download gentoolkit and emerge from a current server and validate the checksum. Manually build them. Then emerge sync. Then emerge -u world. Anything less is just trusting that the attackers couldn't cover their tracks well.

      --
      All's true that is mistrusted
    4. Re:well... by Anonymous Coward · · Score: 1, Insightful

      If you still have your ebuilds and distfiles handy, then you don't need to do a full-blown emerge -u world. That's a pure waste of time if the md5 checksums from both the .ebuild and .tar.(g|b)z2* files match those of authoritative files. Given the correct ebuilds and tarballs you can assume that your system probably built the correct binaries. If you find a faulty ebuild or tarball, it would make sense to investigate that first before doing an emerge -u world, anyway. If your gcc were compromised, using it to do an emerge -u world would be an exercise in futility if the goal were to clean a system.
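      A verifier for the check this post describes, added here as an example (it is not Gentoo's or Portage's own code). It assumes the old Portage digest line format `MD5 <hex> <filename> <size>` and builds its own constructed "distfiles" so it runs offline: one intact archive, one altered to the same length, one truncated and one missing.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed digest line format (old Portage files/digest-* files): "MD5 <hex> <filename> <size>"
HEXDIGITS = set("0123456789abcdef")


def parse_digest(text):
    """Parse digest lines into {filename: (md5_hex, size)}; reject malformed or unsafe entries."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != "MD5":
            raise ValueError(f"digest line {lineno}: unrecognised format: {raw!r}")
        _, hexdigest, name, size = parts
        hexdigest = hexdigest.lower()
        if len(hexdigest) != 32 or not set(hexdigest) <= HEXDIGITS:
            raise ValueError(f"digest line {lineno}: bad MD5 value")
        # A digest must never be able to point outside DISTDIR.
        if "/" in name or name in (".", "..") or not size.isdigit():
            raise ValueError(f"digest line {lineno}: bad filename or size")
        entries[name] = (hexdigest, int(size))
    return entries


def md5_file(path):
    """Stream a file through MD5 so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfiles(digest_text, distdir):
    """Check every digest entry against distdir.

    Returns {filename: status} with status one of 'ok', 'missing',
    'size-mismatch' or 'md5-mismatch'. Size is checked first because it is
    cheap and a wrong size already proves the file is not the authoritative one.
    """
    results = {}
    for name, (want_md5, want_size) in parse_digest(digest_text).items():
        path = Path(distdir) / name
        if not path.is_file():
            results[name] = "missing"
        elif path.stat().st_size != want_size:
            results[name] = "size-mismatch"
        elif md5_file(path) != want_md5:
            results[name] = "md5-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: one intact, one silently altered, one truncated and one absent distfile."""
    originals = {
        "foo-1.0.tar.gz": b"constructed contents of foo-1.0\n",
        "bar-2.1.tar.bz2": b"constructed contents of bar-2.1\n",
        "baz-0.3.tar.gz": b"constructed contents of baz-0.3\n",
        "qux-4.2.tar.gz": b"constructed contents of qux-4.2\n",
    }
    # The "authoritative" digest is built from the original bytes, as the tree would ship it.
    digest_text = "\n".join(
        f"MD5 {hashlib.md5(data).hexdigest()} {name} {len(data)}" for name, data in originals.items()
    )
    distdir = Path(tempfile.mkdtemp())
    (distdir / "foo-1.0.tar.gz").write_bytes(originals["foo-1.0.tar.gz"])
    # Same length, different bytes: only the hash catches this one.
    (distdir / "bar-2.1.tar.bz2").write_bytes(b"constructed contents of BAR-2.1\n")
    # Truncated download (or an archive of a different size): the size check catches it.
    (distdir / "qux-4.2.tar.gz").write_bytes(originals["qux-4.2.tar.gz"][:10])
    # baz-0.3.tar.gz is deliberately never written.
    return verify_distfiles(digest_text, distdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14s} {name}")
```

      The digest file itself has to come from a copy you trust (a fresh sync from a mirror that was never on the compromised rotation, or the CVS tree), otherwise the check only proves the files match whatever the intruder left behind.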

    5. Re:well... by unixbob · · Score: 2, Insightful

      So they compromised the server, cleared down some of the logs, but weren't able to completely hide the intrusion, but still managed to compromise the file integrity checker and the source code for emerge?

      This being the same file integrity checker that alerted the sys admins to the compromise in the first place? If you are good enough to compromise Tripwire or AIDE or whatever then you are good enough to hide the fact that you have done it, not remove some logs install a rootkit then get found out by the IDS.

      Perhaps you should FT

      --
      The Romans didn't find algebra very challenging, because X was always 10
    6. Re:well... by Rich0 · · Score: 3, Insightful

      Uh - have you read the recent linux weekly news which praises the gentoo community for their unusually high level of support?

      I hate to respond to such a silly flame - but this is really unfounded.

      The parent's attitude hardly reflects that of most people running gentoo. A simple browse of the gentoo forums would demonstrate this.

      How exactly is gentoo harming linux anyway? Because some idiot compromises a server? A server whose admins apparently knew what they were doing and had it offline within an hour? Whose admins were thoughtful enough to have significant IDS capabilities installed so they can verify that the whole portage tree is still intact? Last time I checked, the FSF wasn't able to do that in a few hours, and I'd hardly argue that they're doing linux a disservice!

  3. How do they know? by iantri · · Score: 2, Insightful
    "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected."

    IANAH (hacker), but isn't the first thing you do when you break into a system to 'fix' the logs?

    How can they guarantee the tree hasn't been affected? Compare it with another copy?

    1. Re:How do they know? by mahdi13 · · Score: 2, Insightful

      You can 'fix' logs, but you can't fix all the md5sums that are scattered around the internet

      --
      "Some things have to be believed to be seen." - Ralph Hodgson
    2. Re:How do they know? by agurkan · · Score: 3, Insightful

      An intrusion detection system, e.g. snort, can send the logs offsite, so compromising a machine does not always allow you to wipe the logs. The people who administer these machines probably know what they are talking about, and they have little incentive wrt prop. software guys to lie about their system safety. Debian guys came forward with all details, I believe Gentoo people would not tell lies about security breaches either.

      --
      ato
    3. Re:How do they know? by DA-MAN · · Score: 2, Insightful

      I don't know about this specific setup, but it is standard operating procedure to set up a bastion (read hardened) host that just runs syslog and nothing else for the purpose of logging what goes on in a central location.

      In addition, they can just rsync the portage stored on that box to another to see if any changes were made.

      --
      Can I get an eye poke?
      Dog House Forum
    4. Re:How do they know? by Our+Man+In+Redmond · · Score: 4, Insightful

      I'd just set up a remote box specifically for logging and connect it to a cheapo dot-matrix line printer and have the logs printed to paper. Yeah, you might use a bunch of paper, but it also might come in real handy if you ever need to figure out what really happened to your box.

      --
      Someone you trust is one of us.
  4. Pointy-Hat theory time.. by msimm · · Score: 4, Insightful

    Either hackers have decided they *hate* OSS (not likely) or someone is putting up a purse trying to damage the OSS community's security image.

    --
    Quack, quack.
    1. Re:Pointy-Hat theory time.. by molafson · · Score: 5, Insightful

      Either hackers have decided they *hate* OSS (not likely) or someone is putting up a purse trying to damage the OSS community's security image.

      Or (C) None of the above. To want to crack something you don't need to hate it (or to be paid to hate it). The possibility of finding vulnerabilities is tantalizing enough on its own. To crack something that big would be a major black-hat ego trip, don't you think?

    2. Re:Pointy-Hat theory time.. by CFBMoo1 · · Score: 5, Insightful

      I think part of this can be attributed to the fact that OSS and Linux is gaining popularity. While it isn't probably the whole reason, there is a certain amount of truth to being in the spotlight more and being a bigger target. I'm sure there will be more of these stories in the future. It's only natural to get more attention when you're winning a popularity contest. :)

      --
      ~~ Behold the flying cow with a rail gun! ~~
  5. Debian, Gentoo.... who's next? by Goyuix · · Score: 4, Insightful

    Any bets on which major distro will be next? Better yet, instead of point spreads on professional sporting events - Vegas should be taking bets on which distro (or well established free software org) gets rooted next...

    First Debian, now Gentoo... Slackware perhaps? Maybe install a spam-bot on a knoppix image?

  6. Re:All this bad news. by iantri · · Score: 3, Insightful
    Also, what does SCO have to do with the Debian Server compromise? those are two TOTALLY different subjects. You can't group them all in the same "bad news" categories! One has to do with security, the other with the corporate-world.

    Yes, I can. Both give Linux a negative image to people that aren't as clued in about this sort of thing, which is where Linux needs the most support.

  7. Linux vs M$ breakins. by Anonymous Coward · · Score: 5, Insightful

    break in to Debian, it was noticed within 24 hours. Break into Gentoo, noticed in 1 hour. Break in to Microsoft, not noticed for MONTHS.

    1. Re:Linux vs M$ breakins. by espo812 · · Score: 2, Insightful
      break in to Debian, it was noticed within 24 hours. Break into Gentoo, noticed in 1 hour.
      These are breakins to project servers - a handful at best.
      Break in to Microsoft, not noticed for MONTHS.
      This was a breakin to a campus and national network of thousands of nodes. It's quite a bit more complicated and thus difficult to monitor everything going on on the Microsoft network than what happens on a few servers.

      --
      espo
  8. Re:windowsupdate.microsoft.com Breakins? by JeffMagnus · · Score: 3, Insightful

    I'd like to see at least one credible report of a breakin at Windows Update. If someone can provide one you will forever earn my eternal respect.

  9. just inevitable by gearheadsmp · · Score: 2, Insightful

    It's just inevitable that a high-profile Gentoo server got broken into. I use Gentoo for my desktop, but if I were in a business environment, I'd stick with Redhat or SuSE. Gentoo has always been an enthusiast's distribution. I personally hold Gentoo and Debian in as high regard as one another, and Gentoo is just my personal preference. Both have excellent package managers. Behaving as a zealot, whether for Debian, Gentoo, Slackware, or for a religion just makes you look like a blind fool.

  10. leads... by happyfrogcow · · Score: 2, Insightful

    Leads? I'll just check with the boys back at the crime lab. They got 3 more detectives working on the case. They got us working in shifts!
    -The Big Lebowski


    Seriously though, I would hope that organizations like Debian or Gentoo would have the brain power and tech resources to find a few leads that results in arrests. But why do I doubt that anyone will ever be arrested for any of these types of attacks?

  11. Faking a forensic trail would make little sense... by Kjella · · Score: 2, Insightful

    IANAH (hacker), but isn't the first thing you do when you break into a system to 'fix' the logs?

    Yes, but I think SOP would be to do a little Jedi handwaving "There was no breach". So if they have a good forensic trail, it's either a) real or b) fake. But why create a fake one, if they could have erased it properly? The only reason would be to hope that the box would be apparently fixed, but in reality still rooted. However, as the article said, after the investigation is done it'll be wiped and rebuilt, which is how it should be.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  12. Re:On the bright side... by zangdesign · · Score: 5, Insightful

    What baffles me is why crackers go after targets like this.

    Because some individuals are asshats, that's why. You could create the cure for cancer and some asshole would try to shoot it down just because it's there. After all, we are the same species that nailed some poor bastard to a cross just because he said we should all get along for a change.

    --
    To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
  13. 'Cause of the 'severity' by Nijika · · Score: 4, Insightful
    In OUR community this is a major thing. For everyone else on the planet this crime rates just under Grandma Smith's lawn gnome being stolen and then used in a bizarre series of cross country photos. Even I tend to forget this often, but then I remember.. *sigh*.

    PS, full props for the Lebowski quote!

    --
    Luck favors the prepared, darling.
  14. Re:windowsupdate.microsoft.com Breakins? by Tuba · · Score: 2, Insightful

    You're not likely to hear of it if one happens; as a general policy large companies don't disclose such information to the public. Even the small-ish place where I work wouldn't.

    --
    We're sysadmins, to us, data is protocol overhead.
  15. gpg sign the bloody emerge files? by tomstdenis · · Score: 4, Insightful

    Why not?

    You take the keys of the developers [or even a cvs key] and then sign all the emerge files. There are only like 2000 new ones a day so at about 50ms a signature [for a really slow box] that's only 100 seconds of time [two minutes not much].

    That way if the end user downloads compromised emerge files they could detect them.

    Damn... I'm like a genius.

    --
    Someday, I'll have a real sig.
  16. Re:How about a logging trail by japhering · · Score: 2, Insightful

    Because it is d*mn hard to prove who was actually sitting at the keyboard when the attack was successful. One hacker has already escaped jail time by simply claiming his machine was hacked by a third party without his knowledge

  17. Re:All this bad news. by mr_z_beeblebrox · · Score: 4, Insightful

    A conspiracy theorist could have a field day..

    Uh....Ok. I'll bite. Top three theories about why all the Linux bad news.
    Number 3: Some companies that got in early on are outgrowing their business models and thus adapting.
    Number 2: Some companies with REALLY flaky software and business models are trying to figure out how to use other people's superior software to increase their own revenue.
    The number 1 reason....: How much fun can it possibly be to say "I did a google search on Windows Exploits and owned 1000 boxen in just under an hour" as opposed to " I heard about an SSH2 compromise and searched for 2 weeks and found an affected system, gained access. Found another program with an exploit kit, eventually gained root. All in all it took a week."

  18. Re:I KNOW WHAT HAPPENED by Dylan_t_p · · Score: 2, Insightful
    "I KNOW WHAT HAPPENED (Score:-1, Troll) by Anonymous Coward on Wednesday December 03, @03:01PM (#7621231) I know one of the gentoo developers and he has logs of the attack, and the attacker was using a compromised machine in Saudi Arabia for the hack. He actually left a trail in some of the files to say things like "jihad vs. gentoo and america" etc." looks like another islamist plot to overthrow linux

    MAN! if the terrorists are in on this, and since this is obviously a microsoft plot microsoft must be terrorists....... AH second hand information, "i know this guy who knows this guy who works at this company and this is what he said" :) by the way i know this is a troll but it's one of the funnier things I've seen today

  19. When, not if by Midnight+Warrior · · Score: 4, Insightful

    IDS is placed on a system to follow an attack. Audit trails on sensitive machines reveal all commands executed, to the detail you desire.

    Here is the point. Bruce Schneier says that the important part of security is not that you were compromised, but rather that you can react within a time frame to keep the damage to acceptable levels. If you can tolerate having your system compromised for weeks, don't invest in a lot of security. The short response time (2 hours at 11pm EST) here indicates that the Gentoo administrators care about responsiveness enough to check on it frequently.

    When the CVS gateway to Bitkeeper on the Linux Kernel was compromised, the developers of Bitkeeper were able to show that they care enough about security that they invested in many checks and balances that caught the error immediately. Since then, Bitkeeper developers, interested in protecting their good reputation (which is VERY difficult to replace), are considering even more drastic measures.

    As a bonus, some cracker spent a good few days or weeks writing this exploit. We get to keep it and deploy the solution with little hassle. And the compromised system, because good security practices are in place, was mitigated to minimize damage.

    Read Schneier's book Secrets and Lies to find out how security is really a process. Yes, I know it's a plug, but I just thought the book hit home to the real point - "When, not if" you get compromised.

    Several other posts here hint that the world will think less of Linux for this. False. True CIOs should see that Linux has the tools to completely identify and contain attacks. Every CIO knows attacks cannot be stopped, but rather they must be contained to acceptable levels.

  20. Debian vs. Gentoo... by EvilTwinSkippy · · Score: 2, Insightful
    I know I'm going to be modded into the basement, but does anyone else note the extreme difference between when the Debian server was rooted and the Gentoo? Gentoo knew in an hour. They had all of the monitoring tools installed. They even had a list of everyone who had pulled from the machine, and a rough idea of what was done and not done on the server.

    Good luck catching your burglar. I want to know how to patch my box.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  21. Look at this in a positive way by perf_monkey · · Score: 4, Insightful

    Let's face it, no OS is 100% secure. Operating Systems that are more secure than others still need to be on their toes. One security exploitation on a Linux box can still be as dangerous as a thousand (an underestimated ratio I'm sure) exploitations on a Windows box. However, I will take the body of security knowledge surrounding an OS to be as valuable as the initial security design principles in the OS in the first place; with that in mind, many Open Source OS's come out looking pretty good. I trust the Linux community to grind down and fix security problems and not sit around and emphasize the numerous security in a Microsoft product. If you're concerned, then help out developers by testing the software and reporting bugs. You could even code a few patches yourself, that being the whole point of community-based development.

    Whether or not there is a deep and dark plot to root big Linux boxes is irrelevant. This is another opportunity to demonstrate the Open Source community's response to security issues to the rest of the computing community. If the heat is really on and this is not just another artifact of news gatekeepers getting over-zealous on a trend, then so be it. It is an opportunity to review and evolve Linux's security as well as the security processes that surround it.

    One of the things I admire most about Linus Torvalds is his steadfast commitment to the quality of his product. It is a commitment that is focused on constant improvement, not PR damage control. I'm sure the real security gurus are sitting with a bit more comfort knowing their servers are running Linux.

    Disclaimer: This post contains no constructive content whatsoever, swallow two tablespoons of salt and call me in the morning.

  22. Re:On the bright side... by Anonymous Coward · · Score: 2, Insightful

    That's a lame excuse. If these so called "asshats" can crack a distro, so can other malicious folk, and so on. If a distro can be cracked, it very likely will be. You have to assume a malicious adversary when dealing with electronic security.

  23. Hypocrisy alert by Overly+Critical+Guy · · Score: 3, Insightful

    I love it.

    I've pointed out before that Windows is way more widespread than Linux, and so is more attacked and vulnerable, but then zealots come on and say Apache is the most-used on the net and yet not the most breached. But to this, it's already the most-breached operating system.

    Hoot and holler about the reasons all you want, but them's the facts.

    We REALLY, REALLY need to stop with the "Linux is invincible, Windows sucks" attitude. It's flat-out not true, and it's severely holding the community image back in the minds of the rest of the rational computing world who just uses what they use to get the job done and don't treat operating systems like religious belief systems.

    --
    "Sufferin' succotash."
  24. Re:How to fix it? by glwtta · · Score: 3, Insightful
    I don't get it. Why would Gentoo's security need to be improved? I can only remember two Gentoo compromises (though I'm sure there have been more), this one and a long time ago there was an exploit introduced into the build script for a package, this was caught (also within the hour) by the MD5 hash check that emerge does.

    Two compromises, both caught within an hour and with no (absolutely none) adverse effects on the users - there is just not much room for improvement here, this is what good security is.

    --
    sic transit gloria mundi
  25. Here's what real security looks like by Beryllium+Sphere(tm) · · Score: 4, Insightful

    Cars are built out of steel, not glass. Glass is a very strong material. But hit it with a hammer and it shatters. Steel just gets dented.

    Gentoo had "ductile" security. They were able to limit the damage because they had some kind of Tripwire/mtree-like program running on the inside. Given the speed of the response, my guess is that they had a response plan ready to go.

    The lesson is that measures to limit the damage from a break are as vital as measures to prevent breaks in the first place. Fire prevention doesn't substitute for sprinkler systems, and intrusion prevention doesn't substitute for backups. You've got to have both.

  26. Re:Conspiracy, FUD, and Open Source by Darth · · Score: 4, Insightful

    Linux/Unix is fundamentally secure, windows is fundamentally open designed as a disconnected workstation and slowly being secured. This is NOT Microsoft's fault for marketing reasons they have to move the code base slowly or there are too many problems.

    I'm going to disagree with the absolute statement that this isn't Microsoft's fault. I agree that the design of Windows not taking into account network security issues at its inception is not their fault. it wasn't on the radar as an issue facing personal computers when windows was originally written.
    However, building products you are going to market as a server that don't take into account network security is absolutely their fault.
    Building applications that are designed to be used across a network (like IE and Outlook) and not seriously considering the security threat to the system that they create is their fault. Actively adding features to those applications that hamstring any attempt to secure the machine is their fault.
    Claiming your stuff is secure while trying to crush anyone who exposes that it isn't; that's their fault too.

    So there's plenty of security related issues with Microsoft that absolutely are their fault.

    Grandma and grandpa will not compile the kernel. They will use the standard upgrade path of binary packages. They will trust the source computer has not been compromised as Microsoft users trust the Microsoft site is not compromised.

    This is a great reason why security issues with computers used in the upgrade path should be disclosed quickly and the clean up process should be transparent.

    The honesty of OSS groups to disclose information about vulnerabilities is one of its strengths.

    --
    Darth --
    Nil Mortifi, Sine Lucre
  27. Tripwire / AIDE by Asdex · · Score: 3, Insightful

    From the Gentoo Alert:
    • "However, the compromised system had both an IDS and a file integrity checker installed"

    Gentoo realized that they got hacked after one day.
    GNU Savannah realized that they got hacked after one month.

    It's time to propagate the use of file integrity checkers! They can detect the effects of any new exploit and can't be circumvented (when properly used!).


    AIDE
    Tripwire
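    A minimal file integrity checker of the kind this post and "Here's what real security looks like" talk about, and that answers the "How do they know?" thread (DA-MAN's suggestion of comparing the tree on the box against another copy). It is an added example, not the code of Tripwire, AIDE or Gentoo. It snapshots hash, size and permission bits for every regular file under a directory, and then reports added, removed and changed paths between two snapshots; the scenario in `demo()` is constructed (a temporary tree with a setuid bit added, a uid-0 account appended, an unexpected file dropped and a file deleted).

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example of a Tripwire/AIDE-style check, not the code of either tool.


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, size and permission bits of every regular file under root, keyed by relative path.

    Symlinks and special files are skipped to keep the example short; a real
    checker records them too (link targets, owners, inode numbers, ...).
    Mode is recorded separately because a permission-only change, such as a
    newly set setuid bit, leaves the file's hash untouched.
    """
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return entries


def diff(baseline, current):
    """Compare two snapshots; 'changed' maps each altered path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        fields = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, simulate an intruder's edits, report them."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")  # stand-in for a binary
    (root / "bin" / "ls").chmod(0o755)
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "motd").write_text("welcome\n")
    baseline = snapshot(root)  # in practice kept off the box or on read-only media

    # Simulated changes after the baseline was taken:
    (root / "bin" / "ls").chmod(0o4755)  # setuid bit added, contents untouched
    (root / "etc" / "passwd").write_text(  # extra uid-0 account appended
        "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
    (root / ".hidden").mkdir()
    (root / ".hidden" / "unexpected.so").write_bytes(b"constructed placeholder\n")
    (root / "etc" / "motd").unlink()

    return diff(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed"):
        for rel in report[kind]:
            print(f"{kind:8s} {rel}")
    for rel, fields in report["changed"].items():
        print(f"changed  {rel} ({', '.join(fields)})")
```

    The same two functions do the mirror check from the "How do they know?" thread: `diff(snapshot(primary_tree), snapshot(mirror_tree))` lists every file that differs between the copy pulled from the primary and the one found on the compromised mirror. The "when properly used" qualifier in the post above is the baseline itself: it has to be written somewhere an intruder on the box cannot rewrite it, for the same reason the IDS logs are shipped off the machine.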
  28. More good news than bad by neopara · · Score: 2, Insightful

    Security is so much more than stopping the user at the door. There are always going to be 0-day exploits, which have no patches. The trick with security is mitigating your exposure. Getting root is not a successful hack, keeping it is. So what if someone rooted my box, if I can see it; I can deal with it. These latest big-profile compromises are actually good news because the attacks were not successful. It shows how well Linux can mitigate exposure, and how it layers its security. This is where Microsoft goes wrong with its latest methodology towards security. They think putting a firewall in place is all that you need, which is absolutely wrong.

    --
    Nothing more, For me to say; About my life, A life of dreams....