Hello users of codespeak, today we discovered that the account 'nico' on codespeak.net has been compromised, probably due to a bad password.
Before I go into some details please *change your password* immediately. Besides users of codespeak.net this also affects all non-anonymous users of cvs.infrae.com (still an alias for codespeak.net). Every non-changed password will be reset to some random password automatically after 2 days (on 6th of February).

We currently think that the attacker was not able to gain more than user access and was not able to modify anything other than the user's files. If we find evidence of a more severe break-in than just abuse of one user account we may switch off the server without further notice. As the attacker effectively got to some encrypted information in /etc/shadow (see later how) he may now be able to crack any naive password in the next days. So please change your password - or even better - also install SSH-RSA keys so you don't need to have a nice'n easy password.

Here are some more details about our current findings:

- the attacker installed new SSH-RSA keys and changed the password of the compromised account
- he went through a lot of configuration files in /etc and tried to change them (unsuccessfully as far as we see it)
- he then went on to install and run some password cracker and IRC-net utilities (at least 'psybnc-2.3.1-8' and 'john-1.6')
- the attacker obviously didn't like 'vi' because he tried to find other editors like 'pico' which were unfortunately not installed :-)
- he actually ran the password cracker app for around 217 minutes accumulated time (when we killed it off)
- he was able to create a password file which resembled encrypted information from /etc/shadow, which is normally not accessible by users

Now the question is how the attacker got to this information, which he didn't have direct access rights to?
The probable answer (judging from the web server's logfiles) is that he was able to gain access to a Subversion check-in of /etc/shadow at http://codespeak.net/svn/sysconf/thoth.codespeak.net/etc/shadow While everything under /svn/sysconf/ is not accessible anonymously, *viewcvs* bypasses access control as it doesn't use the apache layer but directly works with the repository on the file system layer. Apparently he found that by googling for it. Thus he was able to get to the encrypted information on which he then started 'john', the password cracker.

Our countermeasures so far included:

- disabling of login/ssh/public_html access for nico
- killing two user processes (one for IRC proxy-bots and one for password cracking)
- generically preventing any URL with something like 'sysconf/thoth.codespeak.net' in it in order to not leak sensitive system information
- continued analysis of traces, logfiles and system binaries which could be used to hide traces. (Actually the modern way of hiding traces is to install a kernel module which hides itself from 'lsmod' and additionally hides processes and directories following specific patterns. But it doesn't seem like the attacker was able to do this, especially because he didn't know how to handle vi :-))

However, as we must assume that the /etc/shadow encrypted information is now out there, it's probably a good idea that everybody changes his/her password unless you are sure that you have a very good password (like the ones we usually generate for new users). If you don't know your password anymore or if you want a good random one just send me a mail. Please don't look around the codespeak system (e.g. into /etc) in the next days when you login but just change your password. Otherwise we may assume that another account is about to be cracked ... or if you really want to look around (you are welcome) then mail us before you start.
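The mail says the leak was found in the web server's logfiles and that URLs containing 'sysconf/thoth.codespeak.net' are now blocked. The following is an added example (not part of the original mail or of codespeak's setup) of that check applied to Apache combined-format access log lines: it flags every request into the sysconf tree and separates the ones that actually returned 200, which for a viewcvs URL means the apache access control was bypassed. The log lines, IPs and dates are constructed; the viewcvs URL layout and the generalisation to other host names under sysconf/ are assumptions.

```python
import re

# Assumed pattern generalising the mail's rule: any URL touching a
# sysconf/<host>.codespeak.net/ tree, via /svn/ or via viewcvs.
SENSITIVE_RE = re.compile(r"sysconf/[^/\s]+\.codespeak\.net/", re.IGNORECASE)

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_sensitive_request(path: str) -> bool:
    """True if the requested URL would expose a file from the sysconf tree."""
    return SENSITIVE_RE.search(path) is not None


def scan_access_log(lines):
    """Return (ip, user, path, status) for every request into the sysconf tree.

    A 401/403 on the /svn/ URL means the apache auth layer did its job; a 200
    on a viewcvs URL means the content was served and the data has leaked.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path")
        if is_sensitive_request(path):
            hits.append((m.group("ip"), m.group("user"), path, int(m.group("status"))))
    return hits


def served_sensitive(lines):
    """Only the hits that returned 200, i.e. where data actually left the server."""
    return [h for h in scan_access_log(lines) if h[3] == 200]


# Constructed sample lines, not taken from the real codespeak logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Feb/2004:10:11:12 +0100] "GET /svn/sysconf/thoth.codespeak.net/etc/shadow HTTP/1.1" 401 512 "-" "Mozilla"',
    '10.0.0.5 - - [04/Feb/2004:10:12:30 +0100] "GET /viewcvs/sysconf/thoth.codespeak.net/etc/shadow?view=markup HTTP/1.1" 200 1843 "http://www.google.com/" "Mozilla"',
    '10.0.0.9 - - [04/Feb/2004:10:13:00 +0100] "GET /svn/pypy/trunk/README HTTP/1.1" 200 220 "-" "svn/1.0"',
]

if __name__ == "__main__":
    for hit in served_sensitive(SAMPLE_LOG):
        print("LEAK:", hit)
```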
Sorry for the inconvenience,

holger

_______________________________________________
[EMAIL PROTECTED]
http://codespeak.net/mailman/listinfo/pypy-dev
