
Fwd: ftp.gnu.org cracked



from debian-private:

On Mon, Aug 18, 2003 at 02:51:55AM +0000, Robert Millan wrote:
> 
> Hi there,
> 
> As you might have already heard, a root compromise, which presumably has been
> there for two months, was recently detected in {ftp,alpha}.gnu.org
> (read http://ftp.gnu.org/MISSING-FILES.README for details)
> 
> The following paragraph should draw attention for Debian:
> 
>   "The modus operandi of the cracker shows that (s)he was interested primarily
>   in using gnuftp to collect passwords and as a launching point to attack other
>   machines."
> 
> 1) Some Debian developers do also have GNU accounts, in case any of them
> had the (bad, bad) idea of accessing a Debian machine from ftp.gnu.org
> this could compromise the Debian machine park.
> 
> 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> the March-July period, and most of GNU packages have their corresponding
> packages in the Debian archive. It is clear there's a risk that the Debian
> archive could have been compromised.
> 
> What do you suggest to do? First, can this discussion be disclosed? (e.g:
> into debian-security). Then how can we deal with these two problems? Would
> an alert message to -devel-announce suffice?

-- 
Robert Millan

"[..] but the delight and pride of Aule is in the deed of making, and in the
thing made, and neither in possession nor in his own mastery; wherefore he
gives and hoards not, and is free from care, passing ever on to some new work."

 -- J.R.R.T, Ainulindale (Silmarillion)
