Re: more details on the recent compromise of debian.org machines
[moving discussion from -devel-announce to -devel, hoping to get
threading right, not Ccing elmo as "Mail-Copies-To: never"]
First let me thank James, Adam, Brian, Wichert, Dann, Matt, Michael,
Robert, Jaakko, Colin and Josip for the work they have done on the
compromised machines.
James Troup wrote:
>On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed
>password was used to access an (unprivileged) account on
>klecker.debian.org. Somehow they got root on klecker and installed
>suckit. The same account was then used to log into master and gain
>root (and install suckit) there too. They then tried to get to murphy
>with the same account. This failed because murphy is a restricted box
>that only a small subset of developers can log into. They then used
>their root access on master to access to an administrative account
>used for backup purposes and used that to gain access to Murphy. They
>got root on murphy and installed Suckit there too. The next day they
>used a password sniffed on master to login into gluck, got root there
>and installed suckit.
I would like to know whether the attacker was able to log in to auric,
even as unprivilieged user. Did she actively try to compromise auric?
What kind of verification of auric's integrity was done / is planned
to be done?
Was the archive, stored on auric, verified for integrity as a paranoid
security precaution? What reference data was used to complete that
verification?
>After a thorough cleanup and reinstall of modified files the non-US and
>security archives were verified by looking at mirror logs for changes and
>comparing MD5 checksums of the files on Klecker and those on three
>different trusted mirrors.
Thank you very much for that clarification.
>Although it's possible an attacker with local
>access to gluck got root through (1), it seems unlikely they'd sit on
>that for <n> months and then use it on several machines only to
>comeback and rootkit several debian.org machines and at least one
>(that we know of) other unrelated system at the same time (and which
>didn't have an extended ptrace vulnerability exposure.)
While I agree with you, there could be the possibility that the night
of the compromise being the night of 3.0r2's release was not a
coincidence. Maybe the attacker waited for a release to happen, to
compromise the archive in that night before "clean" binaries have been
pushed out. We originally planned to release sarge these days, but the
attackers might have decided to go for 3.0r2 instead after learning
that sarge won't be any time soon.
>Based on that and the forensics on the unrelated system mentioned
>above, I believe that there was an as of yet unknown local root
>exploit used to go from having local unprivileged access to having
>root.
Bad news :-(
Be afraid. Be very afraid. :-(
>P.S. As always, I speak only for myself.
You did a very very good job in doing so. I really appreciate that.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Karlsruhe, Germany | lose things." Winona Ryder | Fon: *49 721 966 32 15
Nordisch by Nature | How to make an American Quilt | Fax: *49 721 966 31 29
Reply to: