Debian server compromise

Posted by Steve on Wed 12 Jul 2006 at 19:14

Tags: , ,

Several people have asked for information about the unavailability of one of the Debian projects main servers, gluck. This machine has been taken offline due to being compromised.

This is not the first time that a machine has been compromised, the last time was in November 2003. Then the compromise was detected via the use of a filesystem integrity checker, right now we don't know how this intrusion was detected.

So far the details available are pretty brief, as you can see in the following announcement message:

Hopefully more details will be made available after the cleanup, as promised in the message. The last compromise was the result of a sniffed password and a previously unknown vulnerability in the GNU/Linux kernel - I hope this time there isn't another zero-day floating around.

In the meantime the following services are disabled/unavailable:

  • Debian Developers Webpages, (http://people.debian.org/~foo/)
  • Debian Lintian reports.
  • Planet Debian
  • Debian CVS server.
  • Debian Releases
  • Debian Ports
  • Debian Releases

More updates as they happen..

Add Comment XML logo Printable version

 

<<< A professional mail server with qmail and vpopmail Mitigating against recent GNU/Linux kernel bugs >>>

 

 

#
Re: Debian server compromise
Posted by rojoverde88 (206.15.xx.xx) on Wed 12 Jul 2006 at 21:01
[ Send Message ]
(thanks) Outage news .equals. Useful news :
SYSADMIN TIP : sometimes I toggle between "ftp.debian.org" and "ftp.de.debian.org" in /etc/apt/sources.list to get updated DEB packages when there are Server outages.

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Anonymous (62.244.xx.xx) on Wed 12 Jul 2006 at 23:54
Debian Sarge - "stable"? No! _it_ should be called "woody". No jokes. Only backports from "unstable" helps. But in this case "Sarge" is no more "stable" - when most of the packages from "unstable". This is a mess :(

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Thu 13 Jul 2006 at 06:17
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Your comment makes no sense.

Steve

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by chris (217.8.xx.xx) on Thu 13 Jul 2006 at 09:12
[ Send Message | View Weblogs ]
Didn't understand it either

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by chris (217.8.xx.xx) on Thu 13 Jul 2006 at 09:14
[ Send Message | View Weblogs ]
Not sure about the other services - but Planet Debian appears to be back.

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Seaslug (203.144.xx.xx) on Thu 13 Jul 2006 at 10:35
[ Send Message | View Weblogs ]
Repositories weren't affected. Developer's CVS was hit, though.

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Anonymous (82.130.xx.xx) on Thu 13 Jul 2006 at 14:40
Why "Tags: CVE-2006-2451" in this article. Is it this CVE the cause?

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Thu 13 Jul 2006 at 21:16
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Yes.

See this thread for the postmortem, and marvel at my powers of prediction ;)

Steve

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by kamaraju (128.253.xx.xx) on Thu 13 Jul 2006 at 15:10
[ Send Message ]
I cant help but think "how often do M$ servers get compromised"? Is this information something that is made available to the public? Is it more often than Debian servers? Just wondering and do not want to raise any flamewars!

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Fri 14 Jul 2006 at 10:03
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Well I guess it depends one what you mean by compromise.

Over the years they've:

  • Lost control of hotmail.com
  • Had a false verisign certifcate generated by an outsider.
  • Had several websites they control defaced.
  • Had source code leaks

Still they've not had any compromise of their download services that we know about.

I guess their internal systems could have been taken down by Sasser, et al, and we'd never know..

Steve

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Kellen (82.32.xx.xx) on Thu 13 Jul 2006 at 21:55
[ Send Message | View Weblogs ]
Steve,
Do you know why this machine was running a 2.6 kernel? Shouldn't it be happily living in uberstableland?

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Thu 13 Jul 2006 at 22:01
[ Send Message | View Steve's Scratchpad | View Weblogs ]

No idea I'm afraid.

Decisions like that are really the realm of the Debian System Administrator team..

Steve

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Anonymous (213.164.xx.xx) on Fri 14 Jul 2006 at 14:53
They needed a later kernel to support their hardware.

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Anonymous (201.1.xx.xx) on Tue 18 Jul 2006 at 00:53
they could use BSD =]

[ Parent | Reply to this comment ]

#
Re: Debian server compromise
Posted by Anonymous (213.113.xx.xx) on Sat 8 Dec 2007 at 22:48
They *should* use BSD :P

[ Parent | Reply to this comment ]

Sign In

Username:

Password:

[Register|Advanced]

 

Flattr

 

Current Poll

Your version control software of choice is




( 837 votes ~ 9 comments )

 

 

Related Links