Hi,

On August 25, genesis was root compromised. I discovered this issue a few days after the incident. I wanted to keep back details till I was sure I knew what happened; thanks to Romain Wartel (CERN Security Team) and Leif Nixon (Security officer, Swedish National Infrastructure for Computing) for helping in finding out the details.

What happened? The password of Krisztian (user name: iron) was stolen (the details are not clear yet) and the attacker used his password to ssh to the machine from a Dutch (already compromised) host, then used sudo (it could, as he and I have sudo on that machine) to get root access, and installed a rootkit (the one used in the now-well-known kernel.org attack as well), which could be noticed in dmesg and the changed sha1sum of the sshd binary.

It's obvious that the password of Krisztian was stolen, but as a consequence of the above it's possible that the attacker obtained the passwords and/or the private ssh keys of other users as well. I already reinstalled the machine, so please, in case you had a full shell (not a restricted one, which most new developers get), change your private ssh key, if you stored one there. If you had a restricted shell, then you could not store any private ssh keys, so there is nothing to do for you.

To prevent the above from happening again, I have now disabled password-based authentication via ssh; I don't think it was used too frequently anyway. (If you used it and now you can't log in, then mail me a new public ssh key.)

Sorry for the bad news and for the delay, but I did not want to publish details before I was aware of how the attacker got in and how it got root access. (So now we know it wasn't a kernel exploit or so.)

Thanks.
_______________________________________________ Frugalware-devel mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-devel
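The two defensive measures the post describes, turning off password-based ssh authentication and noticing a changed checksum on the sshd binary, are easy to get subtly wrong: sshd honours the first value it reads for a keyword, later duplicates do not override it, and settings inside a Match block apply only to matching connections. The following added example (my own code, not from the Frugalware project or the post's author) audits an sshd_config text for the password-related keywords and compares a set of files against a stored hash baseline. The config fragments and file contents are constructed for the example; SHA-256 is used for the baseline rather than the sha1sum mentioned in the post, which is a choice of this example.

```python
import hashlib
import re

# Constructed sshd_config fragments for the example (not from genesis).
WEAK_CONFIG = """\
# password logins still allowed
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# sshd keeps the FIRST value for a keyword, so this later line is ignored:
PasswordAuthentication yes
# settings under Match apply only to matching connections, not globally:
Match User backup
    PasswordAuthentication yes
"""

# Keywords that must be "no" for ssh to refuse password-based logins.
PASSWORD_KEYWORDS = (
    "passwordauthentication",
    "challengeresponseauthentication",
    "kbdinteractiveauthentication",
)


def effective_global_settings(config_text):
    """Map keyword -> value the way sshd resolves the global section:
    comments stripped, keywords case-insensitive, 'key value' or
    'key=value' accepted, first occurrence wins, and parsing stops at
    the first Match block (its lines are conditional, not global)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_password_auth(config_text):
    """Return a list of findings; an empty list means password-based
    authentication is explicitly disabled in the global section."""
    settings = effective_global_settings(config_text)
    findings = []
    for key in PASSWORD_KEYWORDS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly; set it to 'no'")
        elif value.lower() != "no":
            findings.append(f"{key}: is {value!r}, expected 'no'")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def changed_files(current, baseline):
    """current: {path: bytes}; baseline: {path: expected hex digest}.
    Return the sorted paths whose digest differs from the baseline or
    that have no baseline entry, i.e. what a post-incident check flags."""
    flagged = []
    for path, data in current.items():
        expected = baseline.get(path)
        if expected is None or sha256_hex(data) != expected:
            flagged.append(path)
    return sorted(flagged)


# Constructed "binaries": the baseline was recorded from the clean copies.
CLEAN_SSHD = b"ELF sshd clean build (constructed sample)"
CLEAN_SUDO = b"ELF sudo clean build (constructed sample)"
BASELINE = {
    "/usr/sbin/sshd": sha256_hex(CLEAN_SSHD),
    "/usr/bin/sudo": sha256_hex(CLEAN_SUDO),
}
# After the compromise, sshd has been replaced; sudo has not.
CURRENT_FILES = {
    "/usr/sbin/sshd": CLEAN_SSHD + b" + trojaned section",
    "/usr/bin/sudo": CLEAN_SUDO,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_password_auth(cfg) or "ok")
    print("changed:", changed_files(CURRENT_FILES, BASELINE))
```

On a live host you would read `/etc/ssh/sshd_config` and the real binaries instead of the constructed strings, and the baseline should be stored off the machine, since a rootkit that replaced sshd can just as easily rewrite a hash list kept alongside it.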
