Gnome.org Compromised?
Garden GNOME writes "The GNOME sysadmin team has just announced that the main GNOME web server has probably been intruded into, leading to the shutdown of the GNOME website (including bugzilla.gnome.org, art.gnome.org and developer.gnome.org). The GNOME mailing lists and CVS servers seem to be up, though the FTP server was immediately taken down as a precautionary measure (released sources are believed to be intact). This is bad, because GNOME 2.6 was supposed to be released tomorrow. Let's hope it is a false alarm."
We've discovered evidence of an intrusion on the server
hosting www.gnome.org and other gnome.org websites.
At the present time, we think that the released gnome
sources and the gnome source code repository are unaffected.
We are investigating further and will provide updates
as we know more. We hope to have the essential services
hosted on the affected machine up and running again as soon
as possible.
The GNOME sysadmin team
23 March 2003
must.. resist.. temptation to moderate...
I wonder if they are running a Debian based or Debian itself, and Debian has another hole in it.
Funny. Too bad that was just a regular kernel hole, not one special to Debian's kernel. Any other distros can simply count themselves lucky the attackers didn't choose them.
Don't bring up the backup until you figure out how they got in.
Gnome's servers were all running RedHat, between versions 7 and 9 last time I checked... they should switch those to a better maintained distro already as RH7-9 is deprecated...
Not to pick nits, but that error didn't come from ASP.Net, it is from classic ASP and is actually an ADO (data access) error.
Heaven forbid that someone make a disparaging comment about Linux and make a joke about its stability/reliability/security with regards to Windows where Linux loses.
Help Brendan pay off his student loans
The Gnome team didn't mix all the web sites (where user custom shell scripts are always a risk) with the cvs box.
It would be nice if a couple of distributions put out basic *up-to-date* HOWTOs of best practices on how to set up minimal, secure servers using their distribution.
:)
If you ask me, anyone running a service important enough for security to be more than a casual concern should be using a distro which is secure out of the box. Minimalist distros (Gentoo comes to mind) seem a good solution here.
When it comes to deploying a service, it should be you who makes the box insecure by adding the service, and then you open up a whole big can of worms with this argument. If the distro is secure and adding a service makes it insecure, unless the addition is distro-specific, it falls on the service maintainer to write good guides.
That doesn't mean it shouldn't happen, I like all the guides I can get -- but I think looking primarily to the distros is perhaps a bit mis-aimed. A little idle interest in security and 20-30 minutes of research when putting up a new service is all it really takes to cover most of your ass(ets), at least that's my perception.
Disclaimer: I am obviously not a security expert, I only have a standing interest in keeping the two services (apache & ssh) running on my home network secure.
Cheers
~Dalcius
Rome wasn't burnt in a day.
More info will appear as the forensics are done.
But to emphasize: cvs.gnome.org is a separate system
you have to take the space out of the link. slashcode adds it for some reason. without the space, it works fine.
> Don't bring up the backup until you figure out how they got in.
And when.
The script used to upload files to the master FTP site also mailed MD5 sums to a mailing list hosted on another machine. That script doesn't appear to have been altered (to insert a backdoor, the script would need to repack the tarballs with an exploit on the fly), so the MD5 sums from that mailing list should be reliable.
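The out-of-band check this comment describes, as an added example (not the GNOME upload script or any code from this thread): a trusted upload step emits an md5sum-style listing that is mailed elsewhere, and a verifier later compares the tarballs found on the web/FTP host against that listing. File names and tarball bytes are constructed.

```python
import hashlib
import re

# One md5sum(1)-style line: "<32 hex digits>  <filename>" (optional "*" for binary mode).
_LINE = re.compile(r"^([0-9a-f]{32})\s+\*?(.+)$")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def make_listing(files: dict) -> str:
    """What the upload script would mail to the list: one line per tarball."""
    return "\n".join(f"{md5_hex(data)}  {name}" for name, data in sorted(files.items()))

def parse_listing(text: str) -> dict:
    """Parse the mailed listing into {filename: expected_md5}; reject garbage lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed MD5SUMS line: {line!r}")
        expected[m.group(2)] = m.group(1)
    return expected

def verify(listing: str, local: dict) -> dict:
    """Compare tarballs on the (possibly compromised) host against the listing.
    Returns {name: 'ok' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}; a file present
    on the host but absent from the mailed listing is never silently trusted."""
    expected = parse_listing(listing)
    result = {}
    for name, digest in expected.items():
        if name not in local:
            result[name] = "MISSING"
        else:
            result[name] = "ok" if md5_hex(local[name]) == digest else "MISMATCH"
    for name in local:
        if name not in expected:
            result[name] = "UNLISTED"
    return result

# Constructed sample data, not real GNOME releases.
TRUSTED = {"gnome-foo-2.6.0.tar.gz": b"original tarball bytes",
           "gnome-bar-2.6.0.tar.gz": b"another original tarball"}
MAILED_LISTING = make_listing(TRUSTED)            # what the list archive holds
ON_HOST = dict(TRUSTED)
ON_HOST["gnome-foo-2.6.0.tar.gz"] = b"original tarball bytes, repacked"  # tampered copy
ON_HOST["gnome-baz-2.6.0.tar.gz"] = b"never announced on the list"         # unlisted extra

if __name__ == "__main__":
    for name, status in sorted(verify(MAILED_LISTING, ON_HOST).items()):
        print(f"{status:9} {name}")
```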
As far as I know, that only applies to security breaches that lead to a leak of personal information. Even then, if disclosure would impede any form of investigation, people did not have to say anything at all.
So technically, even if it DID happen, people can dance around it all they want.
... they didn't know. The last time Microsoft's network was *KNOWN* to be compromised, the crackers had been running around for 3 or 4 months before anyone at Microsoft noticed.
OpenSSL were DoS issues, so it's doubtful.
http://www.openssl.org/news/secadv_20040317.txt
-- "of course that's just my opinion, I could be wrong." --Dennis Miller
2. The OpenSSL holes recently were a null pointer dereference and a DoS - neither would lead to a compromise.
Remember the openssl worm? Anything less than 0.9.6e is vulnerable. And they're using 0.9.5a????
Their versions of php and apache are both incredibly old (1.3.27 or 1.3.28 is current for apache, and PHP just released 5 RC1 with 4.3.x being current) - I hope they set up apache to lie about its versions.
My server
It's also on a separate switched port 8)
I was just reading Unix Unleashed and they claimed that when a vulnerability in some sort of TCP/IP stack code that everyone used was discovered a while ago, the Linux community took less than 3 hrs. to release a working patch.
I realize this is potentially annoying and I intend no offense.
From Netcraft:
http://uptime.netcraft.com/up/graph?site=www.gnome.org
Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.1.2 mod_perl/1.26 on Linux
Also the net block is not owned by Red Hat. Unlike redhat.com which sits on a different cluster owned by Red Hat itself.
I do know. I think I may even have been the first person to post a good explanation of how to sniff switched networks to bugtraq in fact 8)
There was arp monitoring stuff running too
You can read about some of the times it got hacked here. Hacked by Chinese anyone? The link lists over a dozen more.
As seen on gnome-announce