Debian Server Compromised 349

Posted by samzenpus
from the fox-in-the-henhouse dept.
Security News writes "According to a post on the debian-devel-announce mailing list: 'Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it.' gluck is a core development machine."
  • Oh no (Score:5, Funny)

    by Anonymous Coward on Wednesday July 12, 2006 @10:56PM (#15710188)
    Oh no, now they have access to all the Debian source!
  • by ModernGeek (601932) on Wednesday July 12, 2006 @10:58PM (#15710197) Homepage
    ...first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs. Now it seems that internal development machines are being hacked. If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from debian.
    • by lawpoop (604919) on Wednesday July 12, 2006 @11:09PM (#15710240) Homepage Journal
      You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

      How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives (and disincentives) does Microsoft have to tell us if such a thing were to happen?

      So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.
      • by The Bungi (221687) <thebungi@gmail.com> on Wednesday July 12, 2006 @11:15PM (#15710261) Homepage
        That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

        Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

      • by ModernGeek (601932) on Wednesday July 12, 2006 @11:19PM (#15710285) Homepage
        ...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.
      • if windowsupdate.microsoft.com were hacked, you can bet your ass there'd be a nice big banner stating so because that is the "golden egg" of hacks.
        • ...And a 'golden egg' like that would be shut down almost as soon as it goes up.

          Here's an even better prize for a hacker who can get into windowsupdate: a nice big banner across every windows computer that had been updated in the past week, perfectly synchronized across millions of computers all over the world.
          • Here is the best prize: The hacker has access to some percent of 99 percent of the machines connected to the internet. A rootkit install with a keylogger and file scanner can get you the keys to lots of insignificant machines. Some of them are going to have bank, social security and investment information. A hacker with any sense of greed is going to sell or already have sold this hack. It only requires the window of time from hacked to fixed to grab it all. Hacking windowsupdate would be the biggest
        • if windowsupdate.microsoft.com were hacked, you can bet your ass there'd be a nice big banner stating so because that is the "golden egg" of hacks.

          This is not the kind of hack anyone cares about. I don't care if someone posts a "frodo crew rulez" banner on some site - I do care if someone is putting compromised packages up that find their way onto my machines.

      • by YU Nicks NE Way (129084) on Wednesday July 12, 2006 @11:25PM (#15710311)
        You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SCIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

      • You used the example of a Debian server being hacked, with no other supporting facts, to say that Microsoft and corporate America are bad and open source is good.

        Thanks for the good propaganda example. Kids, are you paying attention?
      • Diverting attention from a problem by pointing out the flaws of others is not really helpful.

        Yeah, "we know what's going on", just as soon as somebody diffs a bazillion lines of code against a known-good repository. Until the Debian team announces that tidbit of info, the only security you have is the "false sense of" kind.
      • Your point about non-OSS being more of a "black box" because of commercial disincentives is OK, but you compared a Debian development machine to windowsupdate.microsoft.com which is stupid considering both that Debian and Microsoft sign their releases.

        This compromise is more like Microsoft's internal development network being compromised, which has happened.

        Unless, of course, the current compromise includes Debian's private key, which I doubt.
    • by Josh Triplett (874994) on Wednesday July 12, 2006 @11:15PM (#15710266) Homepage
      first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs.

      No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
    • by asuffield (111848) <asuffield@suffields.me.uk> on Thursday July 13, 2006 @02:28AM (#15710941)
      If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?


      The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

      The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

      Goodness knows what this one was.
    • by Nik Picker (40521) on Thursday July 13, 2006 @02:36AM (#15710959) Homepage
      Conversely, we know nothing about the code we buy from a proprietary developer, nor do we (or most likely they) know anything about the code in the third-party libraries that may have been included in the purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept, almost glibly, the standards and security of those systems, accepting that since it's for enterprise it must be more reliable.

      So when a group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel it's poor quality.

      It seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

    • by zCyl (14362) on Thursday July 13, 2006 @03:08AM (#15711034)
      first we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...
    • Declouding some FUD (Score:3, Informative)

      by cortana (588495)

      first [in 2003] we had the hack into the repository servers, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      http://www.debian.org/News/2003/20031121 [debian.org]

      The archive is not affected by this compromise!

      The vulnerability they were hit by was a previously unknown vulnerability in the kernel [slashdot.org].

  • No fear... (Score:5, Funny)

    by gravyface (592485) on Wednesday July 12, 2006 @11:00PM (#15710206)
    It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*
    • by the_humeister (922869) on Wednesday July 12, 2006 @11:40PM (#15710373)
      And after recovering the DAT tape from the safe-deposit box at the bank, they went to the ATM machine and entered their PIN numbers to get some money.
      • by identity0 (77976)
        See, if they'd kept the source code on a Microsoft MS Windows machine with NT Technology and NTFS Filesystem, they would have been completely safe. Heck, they could have even placed it on an IBM Machine on a Wireless Wi-Fi hotspot at a Starbucks, with all the code on a USB Bus memory stick, and no one would have been able to touch it!

        I know people around here swear by the GPL Licenced Linux Unix or the BSD Distribution, but we must admit we have been defeated. I, for one, welcome our Debian-cracking overlor
  • by Anonymous Coward on Wednesday July 12, 2006 @11:02PM (#15710212)
    Aw man, that's too bad. I think we should all wish the Debian team g'luck.
  • Perhaps now. (Score:2, Insightful)

    by DAldredge (2353)
    Perhaps now they will spend less time griping about Ubuntu and more time working on their security.

  • Question (Score:5, Interesting)

    by Frogbert (589961) <frogbertNO@SPAMgmail.com> on Wednesday July 12, 2006 @11:10PM (#15710243)
    I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?
    • Re:Question (Score:5, Informative)

      by Nutria (679911) on Wednesday July 12, 2006 @11:21PM (#15710293)
      I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

      http://www.debian.org/security/ [debian.org]

      Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

      • Re:Question (Score:5, Insightful)

        by macemoneta (154740) on Wednesday July 12, 2006 @11:54PM (#15710425) Homepage
        I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits: ExecShield and SELinux (or other mandatory access control system).

        I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.
  • The "unstable" distribution is where active development of Debian occurs. Generally, this distribution is run by developers and those who like to live on the edge.

    That's what you get for running UNSTABLE :)

  • by b3x (586838) on Wednesday July 12, 2006 @11:30PM (#15710338) Journal
    and move that source repository to a more secure Windows 2003 Server platform.
  • obligatory: (Score:5, Funny)

    by Anonymous Coward on Wednesday July 12, 2006 @11:32PM (#15710347)
    I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.
  • That's one reason why I like Ubuntu's Update Manager: it shows the changelog for each package it's offering to upgrade. And one reason why the recent lack of changelogs is troubling.

    Of course an attacker could fake changelogs, though it's an extra step. It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades. Debian's apt (and its descendants, like Ubuntu) seem perfectly suited for automating such authentication without addin
    • Re:Changelogs (Score:5, Informative)

      by uhoreg (583723) on Thursday July 13, 2006 @12:00AM (#15710454) Homepage
      Changelogs don't provide any form of security, and package changelogs have been standard in Debian for many, many years. (Long before Ubuntu was a gleam in Mark Shuttleworth's eye.) Changelogs should only be treated as a convenience to the user.

      And apt supports GPG signing of the Release file, which contains an MD5 and SHA-1 hash of the Packages file, which contains MD5 hashes of the packages. (In other words, apt already does package integrity checking.)
      • There is no explicit security in the changelogs. As I pointed out, faking changelogs is just an inconvenience to an attacker, but it is more than "nothing".

        The lack of changelogs I mentioned was occasional, in the Ubuntu Update Manager.

        And including the signing in the Update Manager GUI would add security to the process.

        If you were less smug about the apt features you might be more interested in the lack of their implementation in Ubuntu, where they would do some good. Even if Ubuntu isn't operating on more
        • Re:Changelogs (Score:3, Informative)

          by uhoreg (583723)

          As I pointed out, faking changelogs is just an inconvenience to an attacker, but it is more than "nothing".

          It may be slightly better than nothing, but it isn't so much better that it's worth mentioning. Any attacker who knows enough to build a fake .deb package will know enough to put something in the changelog, and it may add maybe a minute to the attack.

          If you were less smug about the apt features you might be more interested in the lack of their implementation in Ubuntu

          Ubuntu uses apt for update

    • Re:Changelogs (Score:4, Informative)

      by SnowZero (92219) on Thursday July 13, 2006 @12:01AM (#15710457)
      It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades.

      Debian has been checking digital signatures on every package installed for almost a year now. See here [debian-adm...ration.org].

      Of course, I run testing, so I have no idea when this got into stable.
      • Does Ubuntu? Its GUIs like Update Manager allow extra features without extra user complexity, as I mentioned. But I don't see signing features - yet.
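The chain uhoreg and SnowZero describe above (a GPG-signed Release file carrying digests of the Packages index, which in turn carries digests of every .deb) is what lets apt reject a substituted package even when the mirror serving it is hostile. The following is an added example, not apt's or Debian's own code and not from this thread: it rebuilds that chain over constructed sample data and shows where each kind of tampering is caught. The .deb payloads, the Packages and Release contents and the package names are all constructed; the field and section names (`Filename`, `Size`, `MD5sum`, `MD5Sum:`, `SHA1:`) are the ones the real formats use. The outer step, gpg's verification of the detached signature over Release, is assumed to have happened elsewhere and is represented by the `signature_ok` flag. The MD5/SHA-1 pair mirrors what the 2006 comment describes; current apt relies on SHA-256 for these digests.

```python
import hashlib
import re

# Path of the index inside the archive, as it is named in a Release file's digest lists.
PACKAGES_PATH = "main/binary-i386/Packages"

# Constructed stand-ins for .deb files (a real pool holds ar archives, not these strings).
DEB_FILES = {
    "pool/main/h/hello/hello_2.1.1-4_i386.deb": b"constructed deb payload for hello",
    "pool/main/b/bash/bash_3.1-5_i386.deb": b"constructed deb payload for bash",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_packages_index(files: dict) -> bytes:
    """Build a Packages index: one stanza per .deb with its path, size and MD5sum."""
    stanzas = []
    for path, blob in files.items():
        name = path.rsplit("/", 1)[1].split("_")[0]
        stanzas.append(f"Package: {name}\nFilename: {path}\n"
                       f"Size: {len(blob)}\nMD5sum: {md5_hex(blob)}\n")
    return "\n".join(stanzas).encode()


def build_release(packages: bytes) -> bytes:
    """Build a Release file recording MD5 and SHA-1 digests (and size) of the index."""
    def entry(digest: str) -> str:
        return f" {digest} {len(packages)} {PACKAGES_PATH}\n"
    return ("Origin: Debian\nSuite: stable\nArchitectures: i386\n"
            "MD5Sum:\n" + entry(md5_hex(packages)) +
            "SHA1:\n" + entry(sha1_hex(packages))).encode()


def parse_release(release: bytes) -> dict:
    """Return {algorithm: {path: (hexdigest, size)}} from Release's digest sections."""
    digests, section = {}, None
    for line in release.decode().splitlines():
        header = re.match(r"^(MD5Sum|SHA1|SHA256):\s*$", line)
        if header:
            section = header.group(1)
            digests[section] = {}
        elif section and line.startswith(" ") and len(line.split()) == 3:
            digest, size, path = line.split()
            digests[section][path] = (digest, int(size))
        else:
            section = None  # any other line ends the current digest section
    return digests


def parse_packages(packages: bytes) -> list:
    """Return one {field: value} dict per stanza of a Packages index."""
    entries = []
    for stanza in packages.decode().split("\n\n"):
        fields = {k.strip(): v.strip() for k, v in
                  (line.split(":", 1) for line in stanza.splitlines() if ":" in line)}
        if "Filename" in fields:
            entries.append(fields)
    return entries


def verify_chain(release: bytes, packages: bytes, files: dict, signature_ok: bool) -> list:
    """Walk Release -> Packages -> .deb and return the problems found (empty = all good).

    signature_ok stands in for gpg's verdict on the detached signature over Release;
    that step is assumed to happen outside this example (it needs gpg and the keyring)."""
    if not signature_ok:
        return ["Release signature invalid: nothing below it can be trusted"]
    problems = []
    digests = parse_release(release)
    for algo, fn in (("MD5Sum", md5_hex), ("SHA1", sha1_hex)):
        expected = digests.get(algo, {}).get(PACKAGES_PATH)
        if expected is None:
            problems.append(f"Release lacks a {algo} entry for {PACKAGES_PATH}")
        elif expected != (fn(packages), len(packages)):
            problems.append(f"Packages index does not match the {algo} recorded in Release")
    if problems:
        return problems  # an index the Release file does not vouch for is not consulted
    for entry in parse_packages(packages):
        blob = files.get(entry["Filename"])
        if blob is None:
            problems.append(f"{entry['Filename']}: missing from pool")
        elif len(blob) != int(entry["Size"]) or md5_hex(blob) != entry["MD5sum"]:
            problems.append(f"{entry['Filename']}: size or MD5sum differs from Packages")
    return problems


def demo() -> dict:
    """Clean archive passes; a swapped .deb fails at the package layer; an attacker who
    also rewrites Packages to match is caught one level up, at the signed Release file."""
    packages = build_packages_index(DEB_FILES)
    release = build_release(packages)
    tampered = dict(DEB_FILES)
    tampered["pool/main/b/bash/bash_3.1-5_i386.deb"] = b"constructed backdoored bash"
    return {
        "clean": verify_chain(release, packages, DEB_FILES, True),
        "tampered_deb": verify_chain(release, packages, tampered, True),
        "tampered_index": verify_chain(release, build_packages_index(tampered), tampered, True),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "chain verified")
```

The point the thread is making falls out of `demo()`: replacing a .deb on a mirror fails the Packages digest, and rewriting Packages to cover for it fails the Release digest, so the only way past the check is to forge the signature over Release, which a mirror (or a compromised development host like gluck) cannot do without the archive signing key.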
  • by paulmer2003 (922657) on Wednesday July 12, 2006 @11:43PM (#15710379)
    Does anyone know what in particular was exploited? TFA doesn't give a flying fuck of information.
    • by Anonymous Coward
      Does anyone know what in particular was exploited?

      Not public information yet. If you're subscribed to debian-devel-announce [debian.org], you'll be the first to know.

    • by keeboo (724305)
      The announcement says:

      We're still investigating exactly what happened and the extent of the damage.
      We'll post more info as soon as we reasonably can.


      If the ones affected can't say, who can, then?
      (yeah, yeah... "the ones who attacked the server").
    • Can be many things.

      This is a machine to which nearly all debian developers have some form of access.
  • by ATAMAH (578546)
    Why is it "cooler" to compromise a server than it is to find and report a vulnerability?
    And, if one is so set on doing some damage - why go after a free service??
  • Dear Hackers (Score:3, Interesting)

    by SnowZero (92219) on Thursday July 13, 2006 @12:16AM (#15710522)
    Dear Hackers,

    If you manage to hack into the main repository, please fix this bug [debian.org]. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

    If you hack, do it for the right reasons.
  • ...Anybody who didn't understand the real meaning of "compromise" needs to re-read the article, substituting "compromised" with "rooted." The attackers didn't kill the server or knock out a service. They rooted the box, and the Debian devs are trying to cover themselves somewhat by ambiguating the exact nature of the attack.
    • by Anonymous Coward

      Yes, at risk of stating the obvious, you stated the obvious. It's unfair to claim that Debian developers are "trying to cover themselves somewhat" just because they didn't state the obvious.

  • So is it reasonable to assume that the services that were running: (cvs, ddtp, lintian, people, popcon, planet, ports, release), and are no longer available on debian's machines are to blame for the compromise? Can I feel safe if these services aren't running on my box and only port 80 is exposed?

  • Why all the flak? (Score:5, Insightful)

    by Dryanta (978861) on Thursday July 13, 2006 @12:30AM (#15710572) Journal
    Hey, I'm sure that everyone working on Debian's dev servers has lower uids than most of us, and I find the flak to really be undeserved. It's Linux, not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a BSD or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected, in addition to the service being taken offline immediately, is cause for thanks to the security team!
    • by HiThere (15173) *
      Why all the flak?

      Because heroes aren't allowed to have flaws. Read your Greek myths. If a hero is found to have a flaw, he will be destroyed. (P.S.: They are all found to be flawed.)
  • Or, for everyone else

    That which does not kill you, makes you stronger

    --Friedrich Nietzsche

  • by Urban Garlic (447282) on Thursday July 13, 2006 @04:11PM (#15714492)
    For anyone still following this story all these hours later, there's a new post on debian-news with a bit more detail about what happened here [debian.org].

    The short version is, it was a privilege-escalation exploit triggered from a compromised user account, the server in question is now restored, but several others are locked down pending inspection. Also, it says the regular and security archives were not in danger. The exploit was a known issue in the 2.6.16.18 kernel running on gluck at the time of the exploit.

    Interestingly, the window between the compromise and the lockdown was less than two hours.
