Slashdot Mirror


Gentoo rsync Server Compromised [updated]

costela writes "LWN points out that the Gentoo project fired out an alert about one compromised rsync server." From the message itself: "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected."

Update: 12/03 22:54 GMT by T: One more damage report: gibson writes "The Free Software Foundation recently discovered that its software host site was compromised a month ago. The compromise appears to be the same as the recent attacks on the Debian servers. The site is shut down until Friday while they install replacement hardware and verify the authenticity of the hosted source code."


  1. well... by neo8750 · Score: 5, Insightful

    Who didn't see this coming? I use Gentoo and I figured it was a matter of time before someone did this. I mean, having a central tree is cool, but it does make it more of a target for attacks. I am, however, glad to see that they took precautions.

    1. Re:well... by ballyn · Score: 5, Insightful

      Luckily this "central tree" is actually a distributed mirror, so a simple emerge sync will get your portage tree back in shape if you're one of 20 or so people who happened to sync to this server after it was compromised...

  2. Linux vs M$ breakins. by Anonymous Coward · Score: 5, Insightful

    Break in to Debian, it was noticed within 24 hours. Break into Gentoo, noticed in 1 hour. Break in to Microsoft, not noticed for MONTHS.

  3. Re:The only reason this is news... by kayen_telva · Score: 5, Insightful

    no, it's news because a very popular linux dist has been hacked which could affect a lot of people. that = news

    damn microsoft bashing wannabe

  4. Re:Pointy-Hat theory time.. by molafson · Score: 5, Insightful

    Either hackers have decided they *hate* OSS (not likely) or someone is putting up a purse trying to damage the OSS community's security image.

    Or (C) None of the above. To want to crack something you don't need to hate it (or to be paid to hate it). The possibility of finding vulnerabilities is tantalizing enough on its own. To crack something that big would be a major black-hat ego trip, don't you think?

  5. Re:On the bright side... by zangdesign · Score: 5, Insightful

    What baffles me is why crackers go after targets like this.

    Because some individuals are asshats, that's why. You could create the cure for cancer and some asshole would try to shoot it down just because it's there. After all, we are the same species that nailed some poor bastard to a cross just because he said we should all get along for a change.

    --
    To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.

  6. Re:Pointy-Hat theory time.. by CFBMoo1 · Score: 5, Insightful

    I think part of this can be attributed to the fact that OSS and Linux are gaining popularity. While it probably isn't the whole reason, there is a certain amount of truth to being in the spotlight more and being a bigger target. I'm sure there will be more of these stories in the future. It's only natural to get more attention when you're winning a popularity contest. :)

    --
    ~~ Behold the flying cow with a rail gun! ~~

  7. Re:The only reason this is news... by htmlboy · Score: 5, Insightful

    Get your facts right:
    "Linux is successfully compromised more than any other operating system". Mostly due to people setting it up straight out of the red box without adequately Reading The Fine Manual.

    facts are tricky like that:
    "We don't know how many total servers the numbers were gathered from or what percentage of those servers is Linux vs. Windows, etc. It is safe to say that these results are true for the servers they monitor, but the percentages may not be true for all servers across the globe."

    while there certainly exist a large number of linux machines that have been compromised, i can't imagine the number of infected linux machines is anywhere near that of the win32 systems infected by blaster/welchia/code red/nimda/sql slammer/klez/dumaru/sobig/etc. in the same time frame. i suppose the counting in this case depends quite a bit on the counter's definition of "compromised."

  8. Re:The only reason this is news... by Blkdeath · Score: 5, Insightful

    As well, this isn't "just another exploit for Explorer/Windows/Linux/whatever," this is someone gaining access to THE source code server. I don't seem to recall too many stories where MS had their main code repository compromised, do you?

    Since Gentoo doesn't have a "THE" source code repository, I'm afraid you've got some facts to get straight, Herr Coward.

    The mirror had read-only rsync access to Gentoo's primary (US) mirror. Even if the tree were compromised, the changes could not propagate into the main tree. For that, one would require CVS access to the CVS repository, against which the primary rsync server is synchronized.

    This was only posted as a matter of keeping our user community, and the OSS community as a whole informed.

    Also, I believe the announcement gave mention of it, but the Portage tree on the primary mirror was re-created from the CVS repository immediately upon being notified that a mirror was compromised. Within 30 minutes, every Gentoo rsync mirror had a fresh copy of the tree automatically (as stated by Gentoo rsync mirror policy, mirrors are updated every 30 minutes in order to remain on the official rotation).

    Sorry for the confusion, all, but there's really nothing to see here. But it was good clamouring practise for when/if a real Gentoo server is compromised. ;)

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.