Forgot your password?
typodupeerror
GNU is Not Unix Security

FSF FTP Site Cracked, Looking for MD5 Sums 752

Posted by CmdrTaco
from the two-scoops-of-paranoia dept.
landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update the FSF has a statement on the FTP site explaining the matter.
This discussion has been archived. No new comments can be posted.

FSF FTP Site Cracked, Looking for MD5 Sums

Comments Filter:
  • by Barbarian (9467) on Wednesday August 13, 2003 @12:31PM (#6686917)
    Did you know that some files are just about impossible to get anywhere else?

  • Lot'sa files (Score:1, Informative)

    by guido1 (108876) on Wednesday August 13, 2003 @12:31PM (#6686932)
    They need lots of help... There are 689 files on the list...

    Eek!
  • by lactose99 (71132) on Wednesday August 13, 2003 @12:35PM (#6686986)
    Taking a brief glance over my FreeBSD server, all of the entries in the Ports tree have the MD5SUMs in the "files" file. The Ports tree includes many many FSF software package installs.
  • by lactose99 (71132) on Wednesday August 13, 2003 @12:38PM (#6687010)
    Oops... its the "distinfo" file that contains the MD5SUMs, not "files".
  • Late news (Score:2, Informative)

    by coleSLAW (23358) on Wednesday August 13, 2003 @12:38PM (#6687016) Homepage
    Move along folks, nothing to see here. alpha.gnu.org was cracked many months ago.
  • by rkz (667993) on Wednesday August 13, 2003 @12:38PM (#6687019) Homepage Journal
    Crackers exploited this [debian.org] vunerability, there was even a patch available!!
  • by saskwach (589702) on Wednesday August 13, 2003 @12:41PM (#6687049) Homepage Journal
    I think you want OpenBSD [openbsd.org]...7 years running, 1 remote hole in the default install. (I think it was patched within 3 days, but am too lazy to look it up.)

    Not 100%, but 99.9%, sure.

  • by E-Rock (84950) on Wednesday August 13, 2003 @12:42PM (#6687068) Homepage
    Well no OS is proof against shitty passwords or real bad practices (like not running backups). As usual the most important factor is the quality of your admin, not the OS.
  • Re:Mirrors? (Score:5, Informative)

    by gearheadsmp (569823) on Wednesday August 13, 2003 @12:48PM (#6687166)
    Mirror [gnu.org], mirror [mirror.ac.uk] on the wall, who is the fastest of them all?
  • by passthecrackpipe (598773) * <passthecrackpipe ... GARcom minus cat> on Wednesday August 13, 2003 @12:54PM (#6687232)
    leaving out the profanities, this isn't flamebait, modders, the guy has got a good point. It will probably be modded down into oblivion, so i'll just be postin a mirror - i've got karma to burn anyhow.

    ****************

    Or maybe Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.

    Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.>br>
    *****************
  • by Oliver_Etchebarne (647762) on Wednesday August 13, 2003 @12:58PM (#6687293) Homepage Journal

    Do you had tried PureFTPD [pureftpd.org]? I'm newbie on Linux, and it was very easy to install and configure.

    This FTPD focus on security: Unlike other popular FTP servers, the number of root exploits found since the very first released version is zero. (taken from its [pureftpd.org] website)

  • by xenotrout (680453) on Wednesday August 13, 2003 @12:58PM (#6687297) Homepage Journal
    not according to netcraft [netcraft.com]
  • by Anonymous Coward on Wednesday August 13, 2003 @12:59PM (#6687306)
    MSBlaster hacked millions of computers WITHOUT human intervention.

    Linux IS SECURE. If people can't set it up, don't blame the OS.

    MS needs to get patched >>=====> CONSTANTLY.
  • Re:Mirrors? (Score:1, Informative)

    by Anonymous Coward on Wednesday August 13, 2003 @01:06PM (#6687388)
    ftp://cs.ubishops.ca/pub/ftp.gnu.org
  • by bkuhn (41121) on Wednesday August 13, 2003 @01:32PM (#6687695) Homepage
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    To the Free Software Community:

    Summary

    * gnuftp, the FTP server for the GNU project was root compromised.

    * After substantial investigation, we don't believe that any GNU
    source has been compromised.

    * To be extra-careful, we are verifying known, trusted secure
    checksums of all files before putting them back on the FTP site.

    Events Concerning Cracking of Gnuftp

    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.

    (For the ptrace bug, an root-shell exploit available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that were cracked during that
    week.)

    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.

    Historical Integrity Checks

    We have compared the md5sum of each source code file (such as .tar.gz, .tar.bz2, diff's, etc.) on ftp.gnu.org with a known good data. The file,
    ftp://ftp.gnu.org/before-2003-08-01.md5sums .asc, contains a list of files
    in the format:

    MD5SUM FILE [REASON, ... REASON]

    The REASONs are a list of reasons why we believe that md5sum is good for
    that file. The file as a whole is GPG-signed.

    Remaining Files

    The files that have not been checked are listed in the root directory as
    "MISSING-FILES". We are in the process of asking GNU maintainers for
    trusted secure checksums of those files before we put them in place.

    We have lots of evidence now to believe that no source has been
    compromised -- including the MO of the cracker, the fact that every file
    we've checked so far isn't compromised, and that searches for standard
    source trojans turned up nothing.

    However, we don't want to put files up until we've had a known good source
    confirm that the checksums are correct.

    Alpha FTP Site

    The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
    us, but we plan to follow the same procedure there.

    - --
    Bradley M. Kuhn, Executive Director
    Free Software Foundation | Phone: +1-617-542-5942
    59 Temple Place, Suite 330 | Fax: +1-617-542-2652
    Boston, MA 02111-1307 USA | Web: http://www.gnu.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE/OnYb53XjJNtBs4cRAqplAJ95PHJhIwRiwjKBqSIx ZH SVlTOtxACgyouK
    QAfYhiLJcwPHio6fsk+s2uY=
    =DUMO
    - ----END PGP SIGNATURE-----
  • by molarmass192 (608071) on Wednesday August 13, 2003 @01:33PM (#6687712) Homepage Journal
    It was an exploit in wu-ftp, not Linux, the story even says it was an FTP exploit. So yes, it was an unpatched vulenrability, but no, it was not in Linux.
  • by jpetts (208163) on Wednesday August 13, 2003 @01:41PM (#6687794)
    This was modded as informative why? This is what it says on the FSF web site:


    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.
    (For the ptrace bug, an root-shell exploit available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that were cracked during that
    week.)
    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.
  • by prizog (42097) <novalis-slashdot&novalis,org> on Wednesday August 13, 2003 @01:43PM (#6687828) Homepage
    There are backups from before the crack.

    If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money.
  • Re:ftp? (Score:3, Informative)

    by meshko (413657) on Wednesday August 13, 2003 @01:47PM (#6687874) Homepage
    because anonymous ftp is the best way to let people download files? ftp server [theoretically] is much simpler than HTTP server (apache) and therefore is more secure. In this particular case I don't think that the FTP server APPLICATION was compromised. I think the FTP server (as in "computer serving ftp requests") was compromised.
  • by mph (7675) <mph@freebsd.org> on Wednesday August 13, 2003 @01:48PM (#6687891)
    As a port maintainer and committer, I can confirm what you say. The recorded md5 signatures are for the distributed source archive (e.g. from ftp.gnu.org, or Sourceforge, or whatever). They are there to ensure that the source has not been tampered with.

    BSD-specific patches are then applied to the downloaded source, but have no implications for the md5 signature that's on file.

  • by pestilence4hr (652767) on Wednesday August 13, 2003 @01:51PM (#6687916)
    From http://ftp.gnu.org/MISSING-FILES.README

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    To the Free Software Community:

    Summary

    * gnuftp, the FTP server for the GNU project was root compromised.

    * After substantial investigation, we don't believe that any GNU
    source has been compromised.

    * To be extra-careful, we are verifying known, trusted secure
    checksums of all files before putting them back on the FTP site.

    Events Concerning Cracking of Gnuftp

    A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
    the FTP server of the GNU project. The machine appears to have been
    cracked in March 2003, but we only very recently discovered the crack.
    The modus operandi of the cracker shows that (s)he was interested
    primarily in using gnuftp to collect passwords and as a launching point to
    attack other machines. It appears that the machine was cracked using a
    ptrace exploit immediately after the exploit was posted on bugtraq.

    (For the ptrace bug, an root-shell exploit available on 17 March 2003, and
    a working fix was not available on linux-kernel until the following week.
    Evidence found on the machine indicates that were cracked during that
    week.)

    Given the nature of the compromise and the length of time the machine was
    compromised, we have spent the last few weeks verifying the integrity of
    the GNU source code stored on gnuftp. Most of this work is done, and the
    remaining work is primarily for files that were uploaded since early 2003,
    as our backups from that period could also theoretically be compromised.

    Historical Integrity Checks

    We have compared the md5sum of each source code file (such as .tar.gz, .tar.bz2, diff's, etc.) on ftp.gnu.org with a known good data. The file,
    ftp://ftp.gnu.org/before-2003-08-01.md5sums .asc, contains a list of files
    in the format:

    MD5SUM FILE [REASON, ... REASON]

    The REASONs are a list of reasons why we believe that md5sum is good for
    that file. The file as a whole is GPG-signed.

    Remaining Files

    The files that have not been checked are listed in the root directory as
    "MISSING-FILES". We are in the process of asking GNU maintainers for
    trusted secure checksums of those files before we put them in place.

    We have lots of evidence now to believe that no source has been
    compromised -- including the MO of the cracker, the fact that every file
    we've checked so far isn't compromised, and that searches for standard
    source trojans turned up nothing.

    However, we don't want to put files up until we've had a known good source
    confirm that the checksums are correct.

    Alpha FTP Site

    The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
    us, but we plan to follow the same procedure there.

    - --
    Bradley M. Kuhn, Executive Director
    Free Software Foundation | Phone: +1-617-542-5942
    59 Temple Place, Suite 330 | Fax: +1-617-542-2652
    Boston, MA 02111-1307 USA | Web: http://www.gnu.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE/OnbO53XjJNtBs4cRAkZaAJ0ZdQ98ZNe4GRgAT2bR 4h BHRqo/aQCglWnU
    kmOLmrVCzPxrJ/S68R1q42w=
    =+pu6
    - ----END PGP SIGNATURE-----
  • Re:You're Kidding? (Score:5, Informative)

    by pongo000 (97357) on Wednesday August 13, 2003 @02:00PM (#6687992)
    You mean, an accounting like this [gnu.org]? Seems pretty detailed to me...
  • by stewby18 (594952) on Wednesday August 13, 2003 @02:00PM (#6688002)

    ...The machine appears to have been cracked in March 2003, but we only very recently discovered the crack.
    [snip]
    (For the ptrace bug, an root-shell exploit available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that were cracked during that week.)
    Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised.

    (emphasis added). So in other words, they were cracked in the brief space between the exploit post and the patch, and didn't find it right away. Now, they are carefully vetting all their backups from that period to remove any possibility that a compromised backup could be redistributed.

    So, to answer your poorly-researched questions:

    • They have reliable backups of everything, except for those files which, due to their upload time, cannot possibly be considered secure
    • They are systematically verifying the reliability of the files where there could be any doubt

    Which part of this would you not consider a disaster recovery plan?

  • by bkuhn (41121) on Wednesday August 13, 2003 @02:14PM (#6688137) Homepage
    Yes, the crack was carried out by a local user. We don't know if it was a social engineer or someone who compromised an existing account.
  • Re:LOL!!! (Score:2, Informative)

    by Omar El-Domeiri (10568) <{slash} {at} {doesnotexist.com}> on Wednesday August 13, 2003 @02:15PM (#6688142)
    Dear god people, its not that they don't have backups... its that they feel the backups might be compromised as well.
  • Re:Mirrors? (Score:3, Informative)

    by wampus (1932) on Wednesday August 13, 2003 @02:22PM (#6688193)
    All the mirrors I've checked have placeholders.back-RSN.README, just like the ones at ftp.gnu.org.
    Looks like they don't know how long ago the break-in was, so they pulled the mirrors to be safe.
  • WTF? (Score:4, Informative)

    by MasTRE (588396) on Wednesday August 13, 2003 @02:39PM (#6688341)
    Neither the OP _nor_ the moderator think it important to note in front-page post that the box was compromised in _March_ 2003? Jeez, is this /. or -.?
  • Re:Correct MD5s (Score:2, Informative)

    by zangdesign (462534) on Wednesday August 13, 2003 @02:49PM (#6688412) Journal
    True security means trashing any possibly affected code and starting over from zero. It also means you find the person responsible and terminate his existence in a way that will make grown men cry.
  • Re:You're Kidding? (Score:5, Informative)

    by NoOneInParticular (221808) on Wednesday August 13, 2003 @03:10PM (#6688553)
    As some other posters in other threads noticed, the FSF does not have full backups because all backups made after early 2003 can be compromised. The crack happened in March, and what they miss is all the stuff that was uploaded after the crack. Backups from before March are available. In this situation no backup strategy at all would leave you with total security after March. The fact that the site was cracked five months ago is a bit scary though.
  • Re:Pointless (Score:3, Informative)

    by gearheadsmp (569823) on Wednesday August 13, 2003 @03:13PM (#6688576)
    True. But they certainly have more bandwidth for "hungry" Slashdotters. From what I understand, many of the missing non-Alpha-stage packages are available at most distro-specific mirrors, such as Debian, Gentoo, and in RPMS form.
  • by NoWhereMan (3539) on Wednesday August 13, 2003 @03:34PM (#6688754) Homepage Journal
    While I agree with the premise of the post

    The premise is wrong. Looks like neither of you read the explanation.

    (For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that gnuftp was cracked during that week.)

    This indicates that a patch was not available yet.

  • by dvdeug (5033) <dvdeug@[ ]il.ro ['ema' in gap]> on Wednesday August 13, 2003 @06:30PM (#6690203)
    the "no backups" just goes to show that poor sysadmin skills is not limited to proprietary platforms.

    It goes to show that listening to Anonymous Cowards isn't very wise; if you read the article, they have backups, but any backups of the system after it was hacked are nigh worthless.
  • UK Mirror Service (Score:4, Informative)

    by SamBC (600988) <s.barnett-cormack@lancaster.ac.uk> on Wednesday August 13, 2003 @07:06PM (#6690411)
    Well, I must say that I've never met Mustafa at work... the people who run the UK Mirror Service are, however, there for all to see on the UKMS Crew Page [mirror.ac.uk]

    In all seriousness, you have until some time tonight (on BST, which is UTC+1) before we should be fully synced, including any files that have been pulled, with the source site. There are some exceptions, but I don't think they will apply in this case. And if any files were compromised, they are compromised on our servers as well.

    WARNING: SHAMELESS PLUG: If you are a fan of the Mirror Service, or even just a user, please note the message on our homepage [mirror.ac.uk], as we are about to be able to serve even more users, at higher speeds.
  • by prizog (42097) <novalis-slashdot&novalis,org> on Wednesday August 13, 2003 @07:11PM (#6690451) Homepage
    We do have archival backups. But many packages were uploaded between when the machines were cracked and when we noticed the crack. That's mainly what we need.

    Our backup process is flawed, but that's because we can't afford good backup hardware.

In 1869 the waffle iron was invented for people who had wrinkled waffles.

Working...