Debian server compromise

Posted by Steve on Wed 12 Jul 2006 at 19:14

Several people have asked for information about the unavailability of one of the Debian project's main servers, gluck. This machine has been taken offline due to being compromised.

This is not the first time that a machine has been compromised; the last time was in November 2003. Then the compromise was detected via the use of a filesystem integrity checker; right now we don't know how this intrusion was detected.

So far the details available are pretty brief, as you can see in the following announcement message:

Hopefully more details will be made available after the cleanup, as promised in the message. The last compromise was the result of a sniffed password and a previously unknown vulnerability in the GNU/Linux kernel - I hope this time there isn't another zero-day floating around.

In the meantime the following services are disabled/unavailable:

  • Debian Developers Webpages (http://people.debian.org/~foo/)
  • Debian Lintian reports
  • Planet Debian
  • Debian CVS server
  • Debian Releases
  • Debian Ports

More updates as they happen..


Re: Debian server compromise
Posted by suspended user rojoverde88 (206.15.xx.xx) on Wed 12 Jul 2006 at 21:01
(thanks) Outage news .equals. Useful news :
SYSADMIN TIP : sometimes I toggle between "ftp.debian.org" and "ftp.de.debian.org" in /etc/apt/sources.list to get updated DEB packages when there are Server outages.

Re: Debian server compromise
Posted by Anonymous (62.244.xx.xx) on Wed 12 Jul 2006 at 23:54
Debian Sarge - "stable"? No! _it_ should be called "woody". No jokes. Only backports from "unstable" helps. But in this case "Sarge" is no more "stable" - when most of the packages from "unstable". This is a mess :(

Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Thu 13 Jul 2006 at 06:17
Your comment makes no sense.

Steve

Re: Debian server compromise
Posted by chris (217.8.xx.xx) on Thu 13 Jul 2006 at 09:12
Didn't understand it either

Re: Debian server compromise
Posted by chris (217.8.xx.xx) on Thu 13 Jul 2006 at 09:14
Not sure about the other services - but Planet Debian appears to be back.

Re: Debian server compromise
Posted by Seaslug (203.144.xx.xx) on Thu 13 Jul 2006 at 10:35
Repositories weren't affected. Developer's CVS was hit, though.

Re: Debian server compromise
Posted by Anonymous (82.130.xx.xx) on Thu 13 Jul 2006 at 14:40
Why "Tags: CVE-2006-2451" in this article? Is this CVE the cause?

Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Thu 13 Jul 2006 at 21:16
Yes.

See this thread for the postmortem, and marvel at my powers of prediction ;)

Steve

Re: Debian server compromise
Posted by kamaraju (128.253.xx.xx) on Thu 13 Jul 2006 at 15:10
I can't help but think "how often do M$ servers get compromised"? Is this information something that is made available to the public? Is it more often than Debian servers? Just wondering and do not want to raise any flamewars!

Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Fri 14 Jul 2006 at 10:03
Well I guess it depends on what you mean by compromise.

Over the years they've:

  • Lost control of hotmail.com
  • Had a false Verisign certificate generated by an outsider.
  • Had several websites they control defaced.
  • Had source code leaks

Still they've not had any compromise of their download services that we know about.

I guess their internal systems could have been taken down by Sasser, et al, and we'd never know..

Steve

Re: Debian server compromise
Posted by Kellen (82.32.xx.xx) on Thu 13 Jul 2006 at 21:55
Steve,
Do you know why this machine was running a 2.6 kernel? Shouldn't it be happily living in uberstableland?

Re: Debian server compromise
Posted by Steve (62.30.xx.xx) on Thu 13 Jul 2006 at 22:01
No idea I'm afraid.

Decisions like that are really the realm of the Debian System Administrator team..

Steve

Re: Debian server compromise
Posted by Anonymous (213.164.xx.xx) on Fri 14 Jul 2006 at 14:53
They needed a later kernel to support their hardware.

Re: Debian server compromise
Posted by Anonymous (201.1.xx.xx) on Tue 18 Jul 2006 at 00:53
they could use BSD =]

Re: Debian server compromise
Posted by Anonymous (213.113.xx.xx) on Sat 8 Dec 2007 at 22:48
They *should* use BSD :P
