Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gentoo rsync Server Compromised [updated]

Posted by timothy on from the debian-parallel dept.

costela writes "LWN points out that the Gentoo project fired out an alert about one compromised rsync server." From the message itself: "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected." Update: 12/03 22:54 GMT by T : One more damage report: gibson writes "The Free Software Foundation recently discovered that its software host site was compromised a month ago. The compromise appears to be the same as the recent attacks on the Debian servers. The site is shut down until Friday while they install replacement hardware and verify the authenticity of the hosted source code."

21 of 600 comments (clear)

  1. well... by neo8750 · · Score: 5, Insightful

    who didn't see this coming? I use gentoo and i figured it was a matter of time before someone did this. I mean haveing a central tree is cool but it does make it more of a target for attacks. I am however glad to see that they took precautions.

    1. Re:well... by ballyn · · Score: 5, Insightful

      Luckily this "central tree" is actually a distributed mirror, so a simple emerge sync will get your portage tree back in shape if you're one of 20 or so people who happened to sync to this server after it was compromised...

    2. Re:well... by Anonymous Coward · · Score: 5, Interesting

      And what if syncing to the server installed a compromised "emerge" program?

  2. Time to Switch to Debian by Anonymous Coward · · Score: 5, Funny

    They haven't had a break in two weeks!

  3. Linux vs M$ breakins. by Anonymous Coward · · Score: 5, Insightful

    break in to Debian, it was notices within 24 hours. Break into Gentoo, noticed in 1 hour. Break in to Microsoft, not noticed for MONTHS.

    1. Re:Linux vs M$ breakins. by Anonymous+Chicken · · Score: 5, Funny

      Break in to SCO... priceless...

      --
      This signature is intentionally left blank.
  4. Firstly, get used to it by Nijika · · Score: 5, Interesting
    These things just happen. What I'm more impressed with is the detailed reports of the breakins. I mean you're going to have compramises, if you're on the Internet, try as you might to stop them dilligently. The important thing now is making sure you know when somebody's on the inside when they shouldn't be. And even more props if you make the knowledge public so that it gets harder and harder to break in.

    To those who aren't intentionally trying to troll.. and computer journalists;

    Yes, Linux servers can be compramised.

    No, the sky is not falling.

    No, it's not the end of Linux or open source.

    --
    Luck favors the prepared, darling.
  5. Exactly. by twoslice · · Score: 5, Funny
    I am however glad to see that they took precautions.

    Now consider what would happen if the Windows update service was compromized and hackers managed to get past Microsoft's tight security. These update servers could be used for WMD's (Windows Massive Disruptions)...

    --

    From excellent karma to terible karma with a single +5 funny post...
  6. Re:The only reason this is news... by kayen_telva · · Score: 5, Insightful

    no, its news because a very popular linux dist has been hacked which could effect a lot of people. that = news

    damn microsoft bashing wannabee

  7. Re:Pointy-Hat theory time.. by molafson · · Score: 5, Insightful

    Either hackers have decided they *hate* OSS (not likely) or someone is putting up a purse trying to damage the OSS communities security image.

    Or (C) None of the above. To want to crack something you don't need to hate it (or to be paid to hate it). The possibility of finding vulnerabilities is tantalizing enough on its own. To crack something that big would be a major black-hat ego trip, don't you think?

  8. Re:On the bright side... by zangdesign · · Score: 5, Insightful

    What baffles me is why crackers go after targets like this.

    Because some individuals are asshats, that's why. You could create the cure for cancer and some asshole would try to shoot it down just because it's there. After all, we are the same species that nailed some poor bastard to a cross just because he said we should all get along for a change.

    --
    To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
  9. Re:All this bad news. by penguin+king · · Score: 5, Funny

    Yeah... it was probably SCO: "ooops.... I think I hacked someone" "shit.. what now?" "new lawsuit.. they're runing our rootkit!"

  10. Re:Pointy-Hat theory time.. by CFBMoo1 · · Score: 5, Insightful

    I think part of this can be attributed to the fact that OSS and Linux is gaining popularity. While it isn't probebly the whole reason, there is a certain amount of truth to being in the spot light more and being a bigger target. I'm sure there will be more of these stories in the future. It's only natural to get more attention when you winning a popularity contest. :)

    --
    ~~ Behold the flying cow with a rail gun! ~~
  11. Re:All this bad news. by cgenman · · Score: 5, Funny

    Is it sad the first thing that crossed my mind was "lots of well-timed security breaches... Microsoft may be behind them all"?

    Come on. Do you really think Microsoft knows that much about security?

    --
    The ______ Agenda
  12. Not as big as previous posters make it sound. by jmanning · · Score: 5, Informative

    To correct a few misconceptions in the previous comments.

    It was not their server that was compromised, just a third party server in a round robin rotation. They don't own it, they don't maintain it - just someone else who donated server space.

    The primary or master server is not accessible to users, it was not compromised, and so none of the original source files had a chance to be changed.

    Only the 20 users that synchronized to this server even have a tiny chance of getting bad files. Having everyone sync now that this server is out of the rotation will immediately fix the problem.

    Full disclosure 24 hours later. I give them a lot of credit for such a quick response and disclosure. This is very, very minor.

    ~J

  13. Re:The only reason this is news... by mahdi13 · · Score: 5, Informative

    Only 20 people sync'd with this server within that hour it was compromised...not a big deal, expecially when the compromise did not touch the portage tree and was mearly a rootkit install and some logs edited...not to mention it is a donated server used for other purposes, the attacker might not of even known it was used for Gentoo rsync...
    But the server is down and will be scrubbed and re-sync'd, just to be safe

    --
    "Some things have to be believed to be seen." - Ralph Hodgson
  14. Re:The only reason this is news... by htmlboy · · Score: 5, Insightful
    Get your facts right:
    "Linux is successfully compromised more than any other operating system". Mostly due to people setting it up straight out of the red box without adequately Reading The Fine Manual.

    facts are tricky like that:
    "We don't know how many total servers the numbers were gathered from or what percentage of those servers is Linux vs. Windows, etc. It is safe to say that these results are true for the servers they monitor, but the percentages may not be true for all servers across the globe."

    while there certainly exist a large number of linux machines that have been compromised, i can't imagine the number of infected linux machines is anywhere near that of the win32 systems infected by blaster/welchia/code red/nimda/sql slammer/klez/dumaru/sobig/etc. in the same time frame. i suppose the counting in this case depends quite a bit on the counter's definition of "compromised."
  15. Conspiracy, FUD, and Open Source by Jumper99 · · Score: 5, Interesting

    So I've been lurking around here long enough to spot certain trends. (Warning: generalizations ahead)
    OSS advocates love to hate Windows
    OSS advocates gloat when a new hole turns up in Windows
    OSS advocates point to the number of worms, virus, etc in Windows and say, "Never us"

    Then several OSS distros have a security breach in a short space of time.

    OSS advocates respond with "Must be a conspiracy against us by some evil entity", "Hey, look how quick we caught it", "It would have been much worse with Windows".

    Time to face facts gents. Windows is attacked FAR more than OSS. Why? Well, yes, it is full of holes. But downtown Philly is riddled with abandoned houses with no locks on the doors but they never get broken into. Why? No value in doing so. Not enough damage, headlines, misplaced glory, etc. But the main reason is that it is the dominant OS out there. I fear that we will see more and more attacks against OSS with it's growing popularity. If we all get our wish and 'nix takes over Windows dominant market position and is running on 90% of desktops, you will most likely find it a target for constant attacks like Windows has now.

    We all know in order for 'nix to make it to the desktop, it has to become WAY more user friendly. Can't have Grandma trying to recompile the kernel now can we? User friendly unfortunately translates into users being able to do things that comprise security. Like opening attachments, downloading Trojans, etc. Then the great security built into the OS goes right out the window. no pun intended).

    So before you all start crying about conspiracies, et al, just remember that we all may be victims of our own push to make the 'nix stuff more popular. By bragging about how secure it is, we just may be attracting the type of attack that is more sophisticated then the script kiddies attacking Windows. I imagine it's cool to brag to your friends that you broke into a Windows box. I imagine it's much cooler to brag that your rooted a Linux distro. Badge of honor and all that.

    --
    The opinions expressed here are not mine, but those of these dang voices in my head.
  16. Gentoo! by PatrickThomson · · Score: 5, Funny

    rooted 1% faster than a binary install!

    With apologies to Torne, from whom I stole this quote.

    --
    I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
  17. The real question is... by beattie · · Score: 5, Funny

    ... did whoever did this steal any of our source code?

  18. Re:The only reason this is news... by Blkdeath · · Score: 5, Insightful
    As well, this isn't "just another exploit for Explorer/Windows/Linux/whatever," this is someone gaining access to THE source code server. I don't seem to recall too many stories where MS had their main code repository compromised, do you?

    Since Gentoo doesn't have a "THE" source code repository, I'm afraid you've got some facts to get straight, Herr Coward.

    The mirror had read-only rsync access to Gentoo's primary (US) mirror. Even if the tree were compromised, the changes could not propagate into the main tree. For that, one would require CVS access to the CVS repository, against which the primary rsync server is synchronized.

    This was only posted as a matter of keeping our user community, and the OSS community as a whole informed.

    Also, I believe the announcement gave mention of it, but the Portage tree on the primary mirror was re-created from the CVS repository immediately upon being notified that a mirror was compromised. Within 30 minutes, every Gentoo rsync mirror had a fresh copy of the tree automatically (as stated by Gentoo rsync mirror policy, mirrors are updated every 30 minutes in order to remain on the official rotation).

    Sorry for the confusion, all, but there's really nothing to see here. But it was good clamouring practise for when/if a real Gentoo server is compromised. ;)

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.