Debian Server Compromised
Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."
Oh no, now they have access to all the Debian source!
Oh no! They're gonna leak the source code! Debian is screwed now...
...first we had the hack into the repository servers, and we didn't know whether or not we were running exploited code when we used apt-get to update our programs. Now it seems that internal development machines are being hacked. If the Debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from Debian.
Sig: I stole this sig.
...everyone has moved to GNU/Ubuntu.
http://www.openbsd.org/
it's unglücklich?
It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*
body massage!
Aw man, that's too bad. I think we should all wish the Debian team g'luck.
Hasn't this happened a few times already? Or am I thinking of a different distro?
Perhaps now they will spend less time griping about Ubuntu and more time working on their security.
I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?
...but with your high UID, I'm going to assume you don't know this already. The attitude that you possess is what used to plague the old open source world to the point that no utility or tool would be used in the enterprise. After a while, open source matured and everyone came to the realization that these things need to be taken care of, and that even though the open source software is free, you need to treat the users of that software as if they are paying customers. There is reward. Donations and other things can up your credibility to the point of a serious career. Soon enough, a history in the world of open source will guarantee one a job in the enterprise, because university diplomas don't seem to be working when it comes to judging one's capabilities. Change your perspective.
Sig: I stole this sig.
The "unstable" distribution is where active development of Debian occurs. Generally, this distribution is run by developers and those who like to live on the edge.
:)
That's what you get for running UNSTABLE
...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.
Sig: I stole this sig.
and move that source repository to a more secure Windows 2003 Server platform.
I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.
That's one reason why I like Ubuntu's Update Manager: it shows the changelog for each package it's offering to upgrade. And one reason why the recent lack of changelogs is troubling.
Of course an attacker could fake changelogs, though it's an extra step. It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades. Debian's apt (and its descendants, like Ubuntu) seem perfectly suited for automating such authentication without adding any user complexity.
--
make install -not war
Does anyone know what in particular was exploited? TFA doesn't give a flying fuck of information.
Why is it "cooler" to compromise a server than it is to find and report a vulnerability?
And, if one is so set on doing some damage - why go after a free service??
Please someone moderate up this funny +1. Bonus points if you use a computer with NT Technology.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Dear Hackers,
If you manage to hack into the main repository, please fix this bug. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.
If you hack, do it for the right reasons.
...Anybody who didn't understand the real meaning of "compromise" needs to re-read the article, substituting "compromised" with "rooted." The attackers didn't kill the server or knock out a service. They rooted the box, and the Debian devs are trying to cover themselves somewhat by ambiguating the exact nature of the attack.
~ C.
Namaste
Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS level attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So they didn't hack Linux. They hacked a service. Probably.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
Security support for Debian 3.0 to be terminated. Coincidence? *duck*
Hey, I'm sure that everyone working on Debian's dev servers has a lower UID than most of us, and I find the flak to really be undeserved. It's Linux, not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a BSD or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected, in addition to the service being taken offline immediately, is cause for thanks to the security team!
They said:
"...we've locked down most other debian.org machines, limiting access to DSA only, until they can be fixed for what we suspect is the exploit used to compromise gluck."
Are they saying they think the exploit is in the RSA functionality of SSH? If so, it might be prudent to turn it off for now, but this could be a knee-jerk reaction. (To turn it off, change RSAAuthentication to "no" in /etc/ssh/sshd_config and restart SSHD, though I don't know if it's worth it.)
DSA = Debian Systems Administration (team)
/* FUCK - The F-word is here so that you can grep for it */
it is called 'open source'... bass drum - cymbal drum - *duck*
That which does not kill you, makes you stronger
--Friedrich Nietzsche
whoopee it's a conspiracy, a coverup, an alien plot, a tampered tinfoil and ufia, ok everybody let's panic
Somebody just Vorbis-encoded all my backup tapes!
http://outcampaign.org/
Way to stick it to The Man!
Oh wait...
http://outcampaign.org/
Marco? Is that you?
--Zizou
Gluck is not a "core" machine, not even a special development system. It has been abandoned as CVS server by most subprojects since they moved to the Alioth service. The most important task was the homepage server.
Oh boy... Low UIDs hardly instill authority!
;-)
Take it from someone with a waaaaaaayyyyy lower UID as yours!
But to your original point - I'm not too sure you can rule out future break-ins at all. It would only be REALLY stupid, if both breakins happened through the same setup fault.
But I don't think debian has a full time security admin who constantly and ACTIVELY monitors every debian.org box, like other big name companies might be able to afford to.
Secondly, the sheer multitude of packages, and frequent updates/upgrades of packages will make it fairly impossible to keep a machine 100% break-in proof.
Of course, I don't like break-ins - especially on servers of a distribution I'm actively using; but I think it's wrong to panic about it either.
More importantly - while I see the need to reinstall quickly, has anyone there found out HOW the break-in occurred? Has the hole been located? (...and is it known how to fix this particular one, before the same guy just uses the same "back door" again?)
I have a physical airgap between my wireless router and laptop. Does that mean I'm safe?
I have many friends relying on Debian servers, now they're a little bit worried about security. I think Debian is more about stability, that doesn't always mean secure.
Pixel image editor - http://www.kanzelsberger.com
...did the server run Windows?
Nuffsaid
________
Don't know about his cat, but Schroedinger is definitely dead.
Maybe we need WikiDebian? "The free operating system that anyone can edit."
I'm not joking. If it works for Wikipedia, why not Debian??
My Windows 2003 server gets broken into every fortnight. You guys worry too much!!
hilarious
http://www.debian.org/News/2003/20031121
The vulnerability they were hit by was a previously unknown vulnerability in the kernel.
The discussion about Linux vs Windows security is quite old now...
See it this way:
Windows appears to be so much more insecure because so many people are using it, and so it becomes an interesting target for small, little hobby hackers. But now suddenly (as read on /.) Linux is getting better known among "normal" computer users; nearly as well known (or even more) than MacOS. So we, the Linux community, get into the situation that more people are trying to hack Linux PCs. Therefore more exploits are showing up. (More people are looking for them with the aim of using them.) I remember the euphoric comments on the "Linux beats MacOS" thread a while ago. (Find it yourself, I don't have the time at the moment.) What we are experiencing here is the other side of this phenomenon, and so, when we want Linux to be used more by "normal" users, we have to pay the price that hackers more frequently try to break into our systems.
So what...
How shall I know what I think before I read what I wrote?
Ah, but the Debian operating system includes the applications and services, not just the base system. :)
the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So they didn't hack Linux. They hacked a service. Probably.
Heh, you're funny.
If IE allows access to the wrong places by incorrect handling of and such geeks scream "Windows" got hacked *again*. Not IE.
If Outlook allows system entry, it's not "Outlook" that has been hacked, but "Windows".
If crashing a certain program allows execution of malicious code, not the program got crashed, but "windows" got hacked.
If IIS gets penetrated, you hacked "windows", not "IIS".
But when it's on a *nix system all of the sudden; "oh.. but..; bit it has nothing to do with the OS. It's just that part of the distro! We are INVINCIBLE! And absolutely so perfect and secure that it can't be us, it must be some other cause! Yes, it's something else!".
It's important to be self-critical at the right times.
Has anyone of you heard who does these kinds of break-ins? Establishing where they come from is a big step towards preventing them.
HTTP/1.1 400
They're signed too. So what's the point?
if you want to get more down and dirty than both Slack and Gentoo, use rocklinux.org's :)
build boot strap system, svn checkout the source and compile the bugger
...by modding the parent "redundant."
Linux boxes getting owned is very redundant.
Thought I would throw in my two cents as a user of Gentoo since 1.4 (I think this might be 4 or 5 years).
Firstly, if you use Gentoo for any period of time, you should be compiling your own kernel. The knowledge of how to do this quickly and easily is something most Linux users don't ever need to acquire (I didn't in the 2 or 3 years I ran Redhat, Mandrake, Caldera and Slackware).
In reply to what you were saying about unexpected conflicts due to USE flags, I have to say that things seem to have improved greatly. Or more likely it is that with 4 years' experience I now understand how they work properly. I know that when I encountered similar issues, at least some of them were caused by human error (mine).
But in comparison to how many times I used to trash my Redhat installation by knackering the rpm database with dependencies compiled from source (hence not in the rpm database), or when it simply died (database became unreadable and corrupt), there is no competition: Gentoo wins hands down.
But the real advantage of Gentoo is keeping your whole system right on the bleeding edge but still working. The packages that make it into the portage repository and get marked as stable are usually far more up to date than in any other distribution. And Gentoo makes it very easy to update an existing system to that bleeding edge, even via the command line (emerge -u world).
Now I am sure all of this is possible with other distributions, but it isn't as straightforward, or as well documented (Gentoo seems to have the best docs of any distribution I have ever seen).
The only criticism I have of Gentoo at the moment is the stupid graphical installer they have just started using for new systems. But I am sure this will improve in future; the current release is the first one to use it.
I don't read
So there's no chance that malicious code was inserted ;), plus, there's no chance to use the exploit anymore because they locked everything ;)
ghostbar page.
apt-get archives are now signed too. In Etch (testing) and Sid (unstable) apt will check the integrity of the packages for you, but the entire archive is signed. Just look at woody or sarge,
http://http.us.debian.org/debian/dists/woody/
http://http.us.debian.org/debian/dists/sarge/
Then locate the file Release.gpg. That is the signature for the release file.
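The chain the post above points at runs Release.gpg -> Release -> Packages -> .deb, and the same chain is what the earlier comment asking for "signed authentication of at least the changelog, if not the package itself" would rest on. The example below is added here and is not from the thread or from apt's own code: it implements the hash part of that chain on constructed sample files and shows that a swapped package or an altered index is rejected. It assumes a SHA256 section in Release (sarge-era Release files carried MD5Sum and SHA1 sections with the same layout); the signature check itself is the gpgv step named in the comments and is not performed here.

```python
"""Walk the Debian archive trust chain below Release.gpg (added example, not apt's code)."""
import hashlib
import re

# The step this example does NOT perform: checking the detached signature,
# which on a Debian box is
#     gpgv --keyring /etc/apt/trusted.gpg Release.gpg Release
# Everything below assumes Release has already passed that check; without it,
# the hashes here only prove the files match each other, not that they are Debian's.


def parse_release(release: bytes, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from the named checksum section of a Release file.

    Checksum sections look like
        SHA256:
         <hex> <size> main/binary-i386/Packages
    and run until the next line that is not indented.
    """
    entries = {}
    in_section = False
    for line in release.decode().splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip() == algo + ":"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release: bytes, path: str, index: bytes, algo: str = "SHA256") -> bool:
    """True if the index file at `path` has the size and digest Release records for it."""
    entries = parse_release(release, algo)
    if path not in entries:
        return False          # an index Release does not list is not trusted
    digest, size = entries[path]
    return len(index) == size and hashlib.new(algo.lower(), index).hexdigest() == digest


def parse_packages(packages: bytes) -> list:
    """Split a Packages file into stanzas; continuation lines (leading space) are skipped."""
    stanzas = []
    for block in re.split(rb"\n\s*\n", packages.strip()):
        fields = {}
        for line in block.decode().splitlines():
            if line.startswith(" "):
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def verify_deb(packages: bytes, filename: str, deb: bytes) -> bool:
    """True if `deb` matches the Size and SHA256 the (already verified) Packages file gives it."""
    for stanza in parse_packages(packages):
        if stanza.get("Filename") == filename:
            return (int(stanza["Size"]) == len(deb)
                    and hashlib.sha256(deb).hexdigest() == stanza["SHA256"])
    return False


# Constructed sample files: not real archive content, hashes computed in place.
def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


DEB = b"!<arch>\nconstructed stand-in for hello_2.1.1-4_i386.deb\n"
DEB_PATH = "pool/main/h/hello/hello_2.1.1-4_i386.deb"
PACKAGES = (
    b"Package: hello\nVersion: 2.1.1-4\nArchitecture: i386\n"
    + b"Filename: " + DEB_PATH.encode() + b"\n"
    + b"Size: " + str(len(DEB)).encode() + b"\n"
    + b"SHA256: " + _sha256(DEB).encode() + b"\n"
)
INDEX_PATH = "main/binary-i386/Packages"
RELEASE = (
    b"Origin: Debian\nSuite: stable\nCodename: sarge\nSHA256:\n"
    + b" " + _sha256(PACKAGES).encode() + b" " + str(len(PACKAGES)).encode()
    + b" " + INDEX_PATH.encode() + b"\n"
)


def check_chain(release: bytes, packages: bytes, deb: bytes) -> bool:
    """Release (signed) vouches for Packages, Packages vouches for the .deb."""
    return verify_index(release, INDEX_PATH, packages) and verify_deb(packages, DEB_PATH, deb)


def demo() -> dict:
    tampered_deb = DEB.replace(b"hello", b"hell0")                      # same size, wrong bytes
    tampered_index = PACKAGES.replace(b"Version: 2.1.1-4", b"Version: 9.9")
    return {
        "genuine": check_chain(RELEASE, PACKAGES, DEB),
        "tampered_deb": check_chain(RELEASE, PACKAGES, tampered_deb),
        "tampered_index": check_chain(RELEASE, tampered_index, DEB),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'}")
```

The point of the two tampered cases is that a compromised mirror can rewrite a .deb or a Packages file, but cannot make them match a Release file it cannot re-sign; an attacker who also controls the signing key is outside what this chain protects against.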
The difference is, most of the Windows programs you just mentioned have some kernel level components... or are considered part of the OS by the vendor.
And under penalty of perjury... they have claimed so in a court of law.
They CAN NOT BE REMOVED according to the vendor.
Not so with the linux code...
So... the "working definition" of Operating System being used is: If it can not be removed, it is the OS.
HTH
--Phillip
Can you say BIRTH TAX
http://bugs.debian.org/apt
haven't you ?
Thank goodness *I* use Ubuntu! *whew*
I saw it on Slashdot, it must be true!
...Having a good checkout from a couple of days ago :o)
mv cvs_repo old_cvs_repo
export CVSROOT=:ext:user@cvs.debian.org:/cvsroot/cvs_repo
cvs co cvs_repo # and take care to check out the same revisions... not too hard
diff -ru -x CVS cvs_repo old_cvs_repo # -x skips the CVS/ metadata directories instead of dropping every line that mentions CVS
I've tried Gentoo a bit myself, and I am a long time slackware user (the first distro I tried, and I keep
coming back to it). But, for getting down and dirty, I recommend Linux From Scratch and
Beyond Linux From Scratch.
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
Debian can't be taken seriously for security. That doesn't mean you should pretend its ok just because windows is worse. There are operating systems out there that give a flying fuck about security. Try openbsd or a reasonable linux distro like openwall.
Why aren't these techniques in use on a Linux distribution's Internet servers? Granted, they're not a magic bullet, but you can do a pretty damn good job of stopping attackers right in their tracks.
... is just delaying the inevitable
and may well make you wish you were dead!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Man, no Debian packages were compromised, so no Debian users were compromised, so the only guys affected were those maintaining and using gluck. Troll.
Mind Booster Noori
For anyone still following this story all these hours later, there's a new post on debian-news with a bit more detail about what happened here.
The short version is, it was a privilege-escalation exploit triggered from a compromised user account, the server in question is now restored, but several others are locked down pending inspection. Also, it says the regular and security archives were not in danger. The exploit was a known issue in the 2.6.16.18 kernel running on gluck at the time of the exploit.
Interestingly, the window between the compromise and the lockdown was less than two hours.
2*3*3*3*3*11*251
At any point in time, was the server gluck serving CVS, or web services to debian users where its sources could have been compromised?
From the point of view of Russian language, that was natural event, nothing unexpected.
Some sailors say - how you name a ship, she will float that way.
While in German language "gluck" means "happiness", in Russian it means "glitch".
I have had someone break into my Debian system once. I got cocky and left a few ports open on my router. I left the ftp and ssh ports open and my slackware partition mounting automatically. Later, I realized my user account in slackware was showing up as user "ftp" in Debian. That will never happen again. I noticed in the log files that someone was trying to break in and was keeping an eye on my gkrellm. Finally they figured it out, and instantly high internet traffic was going both ways. I had to turn the router off to give myself time to think. Those ports have been closed ever since. Accessing my computer from work is not that important. I haven't been hacked since. I keep an eye on all ports I use including Bittorrent.
Of course, my computer is not a server, so I'm not too worried. I try to keep sensitive information off of any computer. That is what the safe is for.
Oops, I should have used the preview button.