[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Fwd: ftp.gnu.org cracked

from debian-private:

On Mon, Aug 18, 2003 at 02:51:55AM +0000, Robert Millan wrote:
> Hi there,
> As you might have already heard, a root compromise, which presumably has been
> there for two months, was recently detected in {ftp,alpha}.gnu.org
> (read http://ftp.gnu.org/MISSING-FILES.README for details)
> The following paragraph should draw attention for Debian:
>   "The modus operandi of the cracker shows that (s)he was interested primarily
>   in using gnuftp to collect passwords and as a launching point to attack other
>   machines."
> 1) Some Debian developers do also have GNU accounts, in case any of them
> had the (bad, bad) idea of accessing a Debian machine from ftp.gnu.org
> this could compromise the Debian machine park.
> 2) Any unsigned sources in ftp.gnu.org could have been trojaned during
> the March-July period, and most of GNU packages have their corresponding
> packages in the Debian archive. It is clear there's a risk that the Debian
> archive could have been compromised.
> What do you suggest to do? First, can this dicussion be disclosed? (e.g:
> into debian-security). Then how can we deal with these two problems? Would
> an alert message to -devel-announce suffice?

Robert Millan

"[..] but the delight and pride of Aule is in the deed of making, and in the
thing made, and neither in possession nor in his own mastery; wherefore he
gives and hoards not, and is free from care, passing ever on to some new work."

 -- J.R.R.T, Ainulindale (Silmarillion)

Reply to: