FSF FTP Site Cracked, Looking for MD5 Sums

landley writes "The Free Software Foundation's FTP site at ftp.gnu.org has been "compromised", and they don't seem to have full backups. They've yanked a bunch of recent packages (and their whole alpha.gnu.org ftp site), and when I asked about it they responded 'Our FTP server was compromised, yes. We are beginning to find good MD5sums for files which have not yet been restored, and they will be available again Real Soon Now. If you can provide MD5sums for any of the files listed in MISSING-FILES, it would be very much appreciated.' " Update the FSF has a statement on the FTP site explaining the matter.

Mirrors?

[ryan76]

Are there no mirrors of this site?

Any word on how the crackers got in?

[Squeezer]

how did the crackers break into the ftp site? anyone know?

Well that's good and all, but

[dodell]

How was the site cracked? What have they done to patch it? Was it GNU software? :-D Are they writing patches for this software? MORE NEWS.

This pisses me off more than it should.

[Deadbolt]

Okay, this kind of shit makes me want to start throwing bricks. Cracking the GNU FTP server? Is nothing sacred anymore? I feel like someone burned down a church.

They've done so much for humanity and some utter twit decides to compensate for his bad childhood by taking their server down.

*goes off to dock another point from his faith in humanity*

Re:Can someone please tell me...

[Planesdragon]

Was he lying?

Only as much as a priest of a false religion is lying.

Microsoft servers _do_ get hacked more than Linux servers, but this is because there are far more MS servers of an identical configuration than there are Linux servers. They also tend to crash more--especially IIS.

So, Linux does get hacked, and there have been viruses written for Linux--but there are far far more hackers and virus-writers aimed at MS Windows as opposed to Linux.

Re:the $64,000 question:

[saskwach]

Actually, this vulnerability had already been patched, just not on this particular server.

iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.

and patched August 31, 2003

LOL!!!

[Dysan2k]

I have to admit, it's kinda funny. Firstly, NO one has posted what the heck FTP server they were using (which might be helpful to determine if it was a security hole.) Secondly, 'bout time this happened to one of the distributer sites. Though, a Linux bigot I may be, no OS (that I've seen) is 100% secure.

Now, MAYBE gnu will decide to write a GOOD automated backup system for no other reason than keeping their junk together. (and don't give me that tar crap. I know perfectly well what it's capable of. I want an OSS equiv to NetBackup) No backups! That's hilarious!! I wanna know what kinda beating the current admin is getting!

Well, hopefully they'll be able to get it pieced back together now. I'm sure it won't take more than a day to do so. Heck, I'll email my LUG and let the Deb folks spin MD5sums for a while to send over to 'em.

Enjoy the chaos! (Least only 1 person has managed to link this to SCO so far)

Re:Wait? I thought Linux was Secure??

[rokzy]

I like the idea of linux, and MS pisses me off, but am too ignorant to be a true geek...

but it seems to me that there's no meaningful comparison between an individual linux system being specifically attacked (maybe not even remotely) and brought down... and... every single XP computer with internet connection being susceptible by default to MSBlast... ?

Re:You're Kidding?

[Anonymous Coward]

Don't confuse coding with operations. Coders don't necessarily (sp?) make the best system/network managers, and vice-versa. Well, that's what I observed in ~16 years working in IT.

This being said, I guess we can say that the cliche "the cobbler's children run barefoot" really applies here...

Re:Have a floppy?

[Uruk]

I don't think it's that easy. What would prevent an attacker from modifying the md5sums that were present with the machine so that the backup then contained the modified md5sums of the trojaned applications?

No, the best solution is to have a separate, offline copy of known good md5sums to compare against. Ones that came directly from the developer, preferrably signed by the developer's GPG key [gnupg.org].

No you're not

[FooBarWidget]

No you're not. You're not supposed to trust the FSF, you're supposed to trust commercial distributors like RedHat.
The FSF is the Free Software Foundation. They don't exist to help your business, they exist to provide... well... Free Software.

Whatever happens to FSF's own servers is completely irrelevant. Your distributor is the only thing that matters.

how cracker got in

[latroM]

What I have heard in irc the cracker had user level access to system and used linux ptrace bug to gain root. It is sad that this happened. Cracker probably used at least some of GNU tools to do his work.

Re:Wait? I thought Linux was Secure??

[JeffTL]

Okay, then it is likely a vulnerability, in which case I hope it is fixed soon; consider my words eaten. Vulnerabilities are ALWAYS worth noting, because though you can never find them all, the ones that are found can be sealed.

Probably mentioned, but

[lemming552]

This just shows that anything can be broken whether Windows or other OS.
I'm surprised that they're backup scheme was this shoddy. Possibly something where they didn't save back far enough to be sure, or something fairly recent that can't be verified as non-hacked in their backups.
Of course, I'd be wary of any MD5dsums sent in unless sent in from various verified sources. Of course they might not be trusting their own MD5sums and want to verify from the outside as well?
Certainly a black eye for the FSF, but I'm sure they'll learn a lesson from this in any case.

Re:BSD Ports trees should have them

[lactose99]

As I'm not a port maintainer (just an active user) so I cannot authoritatively answer this question, but based on my experience with the ports I have installed, the MD5SUMs are for the actual packages downloaded from ftp.gnu.org. BSD- or package-specific patches are applied to the software compilation after the MD5SUMs are checked, as the patches themselves generally have a seperate MD5SUM that they are checked against.

Re:You're Kidding?

[Kevin DeGraaf]

Unbelievable. And I'm supposed to trust their methods and products with my enterprise?

What's unbelievable is the blatant stupidity of that statement.

Sure, this incident demonstrates that the person(s) in charge of the maintenance of ftp.gnu.org is/are incomptent. How you extrapolate from that to reach the conclusion that hundreds of GNU programs written and maintained by thousands of programmers are therefore sub-par, especially since these tools have been continually refined and perfected over the last decade or so and are objectively much better than those from any corporate vendor, is the truly incomprehensible matter.

Enterprise my ass, anyway.

FTP (the protocol) is NOT the problem.

[MartinG]

ftp as a protocol is far simpler to implement than ssh2 for example, so if you have no authentication to do, use ftp.

Using ssl is good if you have eg. passwords to hide, but other than that it just introduces complexity. more complexity tends to mean more possibility for bugs, which means more possible exploits.

However, don't use bloated, over-complicated stuff like wuftpd etc. something like vsftpd is /much/ better. its very simple and designed from scratch to be secure above all else. afaik it has never had a security bug found, and I would say is as close to secure as it is possible to be.

FSF systems

[devphil]

They do have more than one sysadmin, but none of them are full-time, I believe.

There are also some "interesting" schools of thought regarding security over in gnu.org land, and I'm sure there's tension between them as well. For example, savannah has to have some level of security, but their shell machine (not savannha) has almost zero "sysadmin-added" security: important configuration files are world-writable[*], because RMS doesn't believe in restricting individual actions of users on that machine. The only security is what's provided by the default installation, minus the world-writabilities.

So it should come as no suprise that the shell machine has been compromised multiple times. All from local users exploiting holes. The most recent was done in April, but they didn't find out about it until a few weeks ago. They're still recreating accounts.

I don't know about the ftp machine; I assume it's neither the same system as savannah nor the shell box. But it wouldn't surprise me to find the same situation: some important people gnu.org don't believe in locking down machines, some important people do, but (gripping hand) it almost doesn't matter because none of them have the time to do so.

(If you wonder why the GCC manuals, web pages, etc, on {savannha,www,ftp}.gnu.org are occasionally out of date, it's because gcc.gnu.org (the master) is not admin'd by the same group. Events like this are why it's not admin'd by the same group.)

[*] Backups are done by having little Emacs hooks in comments in the files. When you edit the file -- and of COURSE you're using GNU/FSF Emacs, not XEmacs or any other editor in the world, cuz it's a gnu.org machine -- Emacs knows to make backup copies. I have no idea whether real backups are done, or how.

Re:FSF systems

[IM6100]

Historically, Richard Stallman was one of the hackers at MIT who actively opposed the impostion of passwords on the Unix account logins. He and other hackers like him at the time opposed passwords because they believed in a community of sharing and openness. They refused to put passwords on their accounts for as long as possible.

Re:And the internet shall be your tape backup

[gregarican]

They would be mirrors of the same compromised data, genius. If you'd have bothered to RTFA you'd see they backed up. But since the site was been compromised since 3/2003 the datasets backed up aren't 100% "clean".

The question isn't whether BSD is dying...

[aphor]

The question isn't whether BSD is dying but whether people keep going back and realizing/appreciating all the elegance and cleverness in BSD's evolution. Sure, its dying, but it's constantly reincarnating too, isn't it!

Post a reply if you would like me to send you an RPM for a Red Hat compatible PORTS tree...

No really: I have lots of old FreeBSD CDROMs with a veritable history of (the best) GNU software and MD5 sums. I can go back to FreeBSD 2.2.2. Check your timeline. BSD subscribers save the day HA!

Re:Wait? I thought Linux was Secure??

[GigsVT]

It was fixed months ago. It was the local root ptract exploit.

The only reason they got cracked was because they allowed local shell accounts, and due to questionable reporting practices, an exploit was released before linux kernel people had a chance to fix it.

Re:How Long

[volkerdi]

Also nicely demonstrates the pointlessness (and stupidity) of serving out your MD5sums from the same machine.

MD5 sums are only secure if they are provided through a secure channel (like within a GPG-signed message). Using a second machine to serve out the MD5 sums is only twice as safe (two machines to crack), and that's still not too safe.

What I wonder is why they didn't sign accepted packages with GPG. I've been doing that for a while (well, since breaking-and-trojaning became fashionable).

I hope when ftp.gnu.org comes back that it's with *.asc files next to all the archives...

Re:the $64,000 question:

[slackingme]

I wrote a quick paper blowing away most people who jump in with ".. should ahve run OBSD! Most securister ever!! Rahh!" You can read it
here. [darktech.org] I'd like people to contribute reasons they think OpenBSD is "the bestest thing for security since the NRA!!!!" and such. Contact information are at the top of the piece, have fun.

I just crawled out of a bad karma slump, and here I go getting myself back into it..