FSF FTP Site Cracked, Looking for MD5 Sums 752
landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update the FSF has
a statement
on the FTP site explaining the matter.
ouch, saw this yesterday (Score:4, Informative)
Lot'sa files (Score:1, Informative)
Eek!
BSD Ports trees should have them (Score:5, Informative)
Re:BSD Ports trees should have them (Score:5, Informative)
Late news (Score:2, Informative)
Re:Well that's good and all, but (Score:5, Informative)
Re:Wait? I thought Linux was Secure?? (Score:2, Informative)
Not 100%, but 99.9%, sure.
Re:Can someone please tell me... (Score:3, Informative)
Comment removed (Score:5, Informative)
Re:the $64,000 question: (Score:2, Informative)
****************
Or maybe Linux isn't some sort of magical bug free OS where every buffer is checked, every race condition averted, and every service that runs on it is guaranteed bug free.
Good God. The fact you can post that comment...no. You're just too much of an unthinking hero-worshipping idiot for me to finish. Yes, it was an inside job or a weak password. Anything except a vulnerability. Yes.>br>
*****************
Re:wuftpd is trouble, use ProFTPD (Score:2, Informative)
Do you had tried PureFTPD [pureftpd.org]? I'm newbie on Linux, and it was very easy to install and configure.
This FTPD focus on security: Unlike other popular FTP servers, the number of root exploits found since the very first released version is zero. (taken from its [pureftpd.org] website)
Re:Wait? I thought Linux was Secure?? (Score:2, Informative)
Hacking ONE system does not mean shit (Score:1, Informative)
Linux IS SECURE. If people can't set it up, don't blame the OS.
MS needs to get patched >>=====> CONSTANTLY.
Re:Mirrors? (Score:1, Informative)
Status update from FSF on GNU FTP site crack (Score:4, Informative)
Hash: SHA1
To the Free Software Community:
Summary
* gnuftp, the FTP server for the GNU project was root compromised.
* After substantial investigation, we don't believe that any GNU
source has been compromised.
* To be extra-careful, we are verifying known, trusted secure
checksums of all files before putting them back on the FTP site.
Events Concerning Cracking of Gnuftp
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Historical Integrity Checks
We have compared the md5sum of each source code file (such as
ftp://ftp.gnu.org/before-2003-08-01.md5sums
in the format:
MD5SUM FILE [REASON,
The REASONs are a list of reasons why we believe that md5sum is good for
that file. The file as a whole is GPG-signed.
Remaining Files
The files that have not been checked are listed in the root directory as
"MISSING-FILES". We are in the process of asking GNU maintainers for
trusted secure checksums of those files before we put them in place.
We have lots of evidence now to believe that no source has been
compromised -- including the MO of the cracker, the fact that every file
we've checked so far isn't compromised, and that searches for standard
source trojans turned up nothing.
However, we don't want to put files up until we've had a known good source
confirm that the checksums are correct.
Alpha FTP Site
The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
us, but we plan to follow the same procedure there.
- --
Bradley M. Kuhn, Executive Director
Free Software Foundation | Phone: +1-617-542-5942
59 Temple Place, Suite 330 | Fax: +1-617-542-2652
Boston, MA 02111-1307 USA | Web: http://www.gnu.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/OnYb53XjJNtBs4cRAqplAJ95PHJhIwRiwjKBqSIx ZH SVlTOtxACgyouK
QAfYhiLJcwPHio6fsk+s2uY=
=DUMO
- ----END PGP SIGNATURE-----
Re:the $64,000 question: (Score:3, Informative)
Re:Well that's good and all, but (Score:4, Informative)
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Re:the $64,000 question: (Score:5, Informative)
If you want to give FSF $64,000, we could hire someone to implement a better plan. But we're not made of money.
Re:ftp? (Score:3, Informative)
Re:BSD Ports trees should have them (Score:5, Informative)
BSD-specific patches are then applied to the downloaded source, but have no implications for the md5 signature that's on file.
Enough speculation -- here's the story (Score:2, Informative)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
To the Free Software Community:
Summary
* gnuftp, the FTP server for the GNU project was root compromised.
* After substantial investigation, we don't believe that any GNU
source has been compromised.
* To be extra-careful, we are verifying known, trusted secure
checksums of all files before putting them back on the FTP site.
Events Concerning Cracking of Gnuftp
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project. The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit immediately after the exploit was posted on bugtraq.
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and
a working fix was not available on linux-kernel until the following week.
Evidence found on the machine indicates that were cracked during that
week.)
Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp. Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.
Historical Integrity Checks
We have compared the md5sum of each source code file (such as
ftp://ftp.gnu.org/before-2003-08-01.md5sums
in the format:
MD5SUM FILE [REASON,
The REASONs are a list of reasons why we believe that md5sum is good for
that file. The file as a whole is GPG-signed.
Remaining Files
The files that have not been checked are listed in the root directory as
"MISSING-FILES". We are in the process of asking GNU maintainers for
trusted secure checksums of those files before we put them in place.
We have lots of evidence now to believe that no source has been
compromised -- including the MO of the cracker, the fact that every file
we've checked so far isn't compromised, and that searches for standard
source trojans turned up nothing.
However, we don't want to put files up until we've had a known good source
confirm that the checksums are correct.
Alpha FTP Site
The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
us, but we plan to follow the same procedure there.
- --
Bradley M. Kuhn, Executive Director
Free Software Foundation | Phone: +1-617-542-5942
59 Temple Place, Suite 330 | Fax: +1-617-542-2652
Boston, MA 02111-1307 USA | Web: http://www.gnu.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/OnbO53XjJNtBs4cRAkZaAJ0ZdQ98ZNe4GRgAT2bR 4h BHRqo/aQCglWnU
kmOLmrVCzPxrJ/S68R1q42w=
=+pu6
- ----END PGP SIGNATURE-----
Re:You're Kidding? (Score:5, Informative)
RTFA: There *are* backups, and they *did* patch (Score:5, Informative)
[snip]
(For the ptrace bug, an root-shell exploit available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that were cracked during that week.)
Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised.
(emphasis added). So in other words, they were cracked in the brief space between the exploit post and the patch, and didn't find it right away. Now, they are carefully vetting all their backups from that period to remove any possibility that a compromised backup could be redistributed.
So, to answer your poorly-researched questions:
Which part of this would you not consider a disaster recovery plan?
Re:Status update from FSF on GNU FTP site crack (Score:5, Informative)
Re:LOL!!! (Score:2, Informative)
Re:Mirrors? (Score:3, Informative)
Looks like they don't know how long ago the break-in was, so they pulled the mirrors to be safe.
WTF? (Score:4, Informative)
Re:Correct MD5s (Score:2, Informative)
Re:You're Kidding? (Score:5, Informative)
Comment removed (Score:3, Informative)
Bzzzt! Both of you are wrong (Score:2, Informative)
The premise is wrong. Looks like neither of you read the explanation.
(For the ptrace bug, a root-shell exploit was available on 17 March 2003, and a working fix was not available on linux-kernel until the following week. Evidence found on the machine indicates that gnuftp was cracked during that week.)
This indicates that a patch was not available yet.
Re:Of course, if this was a MS site that was (Score:3, Informative)
It goes to show that listening to Anonymous Cowards isn't very wise; if you read the article, they have backups, but any backups of the system after it was hacked are nigh worthless.
UK Mirror Service (Score:4, Informative)
In all seriousness, you have until some time tonight (on BST, which is UTC+1) before we should be fully synced, including any files that have been pulled, with the source site. There are some exceptions, but I don't think they will apply in this case. And if any files were compromised, they are compromised on our servers as well.
WARNING: SHAMELESS PLUG: If you are a fan of the Mirror Service, or even just a user, please note the message on our homepage [mirror.ac.uk], as we are about to be able to serve even more users, at higher speeds.
Re:the $64,000 question: (Score:3, Informative)
Our backup process is flawed, but that's because we can't afford good backup hardware.