Not good news but at least there's no problem for us regular people that have our private keys at home. What I do wonder though is who might have wanted to hack a Frugalware server and why. It does have a pretty good internet connection I suppose and some CPU power but still... And with the recent kernel.org attacks taking place at about the same time, it kind of makes you wonder. I think that we do download the kernel straight from kernel.org, right? It's just speculation but maybe this is how they knew about FW machines.
On Tue, Sep 13, 2011 at 4:56 PM, Miklos Vajna <[email protected]> wrote:
> Hi,
>
> On August 25, genesis was root compromised. I discovered this issue a
> few days after the incident. I wanted to keep back details till I was
> sure I knew what happened, thanks to Romain Wartel (CERN Security Team)
> and Leif Nixon (Security officer, Swedish National Infrastructure for
> Computing) for helping in finding out the details.
>
> What happened? The password of Krisztian (user name: iron) was stolen
> (the details are not clear yet) and the attacker used his password to
> ssh to the machine from a Dutch (already compromised) host, then it used
> sudo (it could, as he and I have sudo on that machine) to get root
> access, and installed a rootkit (the one used in the now-well-known
> kernel.org attack as well), which could be noticed in dmesg and the
> changed sha1sum of the sshd binary.
>
> It's obvious that the password of Krisztian was stolen, but as a
> consequence of the above it's possible that the attacker obtained the
> password and/or the private ssh keys of other users as well.
>
> I already reinstalled the machine, so please, in case you had a full
> shell (not a restricted one, which most new developers get), change your
> private ssh key, if you stored one there. If you had a restricted shell,
> then you could not store any private ssh keys, so there is nothing to do
> for you.
>
> To prevent the above happening again, I now disabled password-based
> authentication via ssh, I don't think it was used too frequently anyway.
> (If you used it and now you can't login, then mail me a new public ssh
> key.)
>
> Sorry for the bad news and for the delay, but I did not want to publish
> details before I was aware how the attacker got in and how it got
> root access. (So now we know it wasn't a kernel exploit or so.)
>
> Thanks.
_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel
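As an added example that is not part of this thread or of Frugalware's own tooling: a small POSIX shell script with two checks matching the two points in the report above, an audit that sshd's global PasswordAuthentication really is "no" (when the directive is absent sshd defaults to "yes", and a setting inside a Match block is only conditional), and a comparison of sha1sum digests against a baseline recorded while the binaries were known clean. The file names and the stand-in sshd contents are constructed.

```shell
#!/bin/sh
# Added example (not from the Frugalware thread or the distribution itself).
# Two defender-side checks matching the two points in the report: password
# authentication left enabled in sshd, and an sshd binary whose sha1sum no
# longer matches a recorded baseline. Paths and fixtures below are constructed.

# Succeeds only if the effective global PasswordAuthentication value is "no".
# sshd uses the FIRST occurrence of a keyword, the default when it is absent
# is "yes", and anything after a "Match" line is conditional, so it is ignored.
audit_sshd_password_auth() {
    val=$(awk '
        /^[[:space:]]*#/ { next }                               # comment line
        tolower($1) == "match" { exit }                         # conditional section
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$1")
    [ "${val:-yes}" = "no" ]
}

# Succeeds only if every "<sha1>  <path>" line in the baseline still matches;
# each modified file is reported, which is how the replaced sshd showed up.
verify_sha1_baseline() {
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED: $path (expected $want, got $have)" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed fixtures in a scratch directory (not real system files).
tmp=$(mktemp -d)
printf 'PermitRootLogin no\n# PasswordAuthentication no\n' > "$tmp/weak.conf"
printf 'PasswordAuthentication no\nMatch User backup\n  PasswordAuthentication yes\n' > "$tmp/ok.conf"
printf 'Match Address 10.0.0.0/8\n  PasswordAuthentication no\n' > "$tmp/match_only.conf"
printf 'stand-in for the sshd binary\n' > "$tmp/sshd"
sha1sum "$tmp/sshd" > "$tmp/baseline.sha1"      # record the baseline while clean

for c in weak ok match_only; do
    if audit_sshd_password_auth "$tmp/$c.conf"; then echo "$c.conf: password auth disabled"
    else echo "$c.conf: password auth still enabled"; fi
done
verify_sha1_baseline "$tmp/baseline.sha1" && echo "baseline: clean"
printf 'trojaned\n' >> "$tmp/sshd"                # simulate the binary being replaced
verify_sha1_baseline "$tmp/baseline.sha1" || echo "baseline: sshd changed, investigate"
```

Run it as root against the real /etc/ssh/sshd_config and a baseline taken from a trusted install (and stored off the host) to get the same two answers for a production machine.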
