Re: Debian servers hacked?

2003-11-28 Thread Matt Zimmerman
On Thu, Nov 27, 2003 at 06:03:13AM -0500, Anthony DeRobertis wrote:

 
 On Nov 26, 2003, at 15:34, Matt Zimmerman wrote:
  None of those packages are new; they are all from
  security.debian.org and correspond to security advisories released
  since 3.0r1.

 Really? There were 13 or so things on 3.0r2 that my machines never
 picked up from security.debian.org. Don't stable revisions, in general,
 contain more than fixes for DSA's?

Yes, of course they do.  But in George Georgalis' original message, he was
asking about the messages on debian-changes which listed stable-security;
urgency=high changelog entries.  All of those came from
security.debian.org.

-- 
 - mdz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



patch - Re: Debian servers hacked?

2003-11-27 Thread Alvin Oga


On Fri, 21 Nov 2003, Matthijs Mohlmann wrote:

 ey,
 
 Maybe some piece of advice. I run a server with the grsecurity patch on
 the kernel maybe that's also an option to run on the debian server(s)
 
 Maybe this is already on the server, when so, i've nothing said.

there are lots ( dozens ) of kernel patches  .. pick some for fun ..

http://www.Linux-Sec.net/Harden/kernel.gwif.html

but it didn't sound like ( to me ) that it was a kernel problem ??

c ya
alvin






Re: Debian servers hacked?

2003-11-27 Thread Anthony DeRobertis
On Nov 26, 2003, at 15:34, Matt Zimmerman wrote:
 None of those packages are new; they are all from
 security.debian.org and correspond to security advisories released
 since 3.0r1.

Really? There were 13 or so things on 3.0r2 that my machines never
picked up from security.debian.org. Don't stable revisions, in general,
contain more than fixes for DSA's?

/me is too lazy to check all the messages about preparing 3.0r2, if the 
archives are even up...



Re: Debian servers hacked?

2003-11-27 Thread Andreas Barth
* George Georgalis ([EMAIL PROTECTED]) [031126 20:55]:
 That aside, I still wonder if we are talking about the same
 thing.  It turns out about 160 packages were posted on
 debian-changes@lists.debian.org Nov 19. According to the change
 logs they don't appear as normal bugfixes, but many are like
 kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high
 which includes at least one user to root vulnerability. Maybe I'm
 missing something, but I don't see any indication these changes don't
 affect current installs but are only relevant to r2.

Those are packages that were security updates (since r1), and are now
part of r2. Please see the dates in the changelogs for details.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C



Re: Debian servers hacked?

2003-11-26 Thread Matthijs Mohlmann
ey,

Maybe some piece of advice. I run a server with the grsecurity patch on
the kernel maybe that's also an option to run on the debian server(s)

Maybe this is already on the server, when so, i've nothing said.

Regards, Matthijs

On Fri, 2003-11-21 at 13:13, Jan Wagner wrote:
 On Friday 21 November 2003 12:38, Thomas Sjögren wrote:
  Anyone to shed some light over this?
 
  Someone has cracked all the servers of the Debian Project. There has
  been a severe security mishap and guys should uninstall all stuff
  downloaded and installed in the past 2 days. Please do not apt-get
  anything right now! Please wait till an `official' release happens!
  http://article.gmane.org/gmane.linux.debian.user/117910
 
  Server security mishap - you think?!
 
 http://luonnotar.infodrom.org/~joey/debian-announce.txt
 
 Regards, Jan.
 





Re: Debian servers hacked?

2003-11-26 Thread Matt Zimmerman
On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:

 I thought it was odd there were ~50 urgent security updates all in one
 evening.

There weren't.  Read the changelogs; these were normal bugfixes which
entered stable as part of the 3.0r2 point release, whose announcement was
delayed due to the cleanup efforts.

-- 
 - mdz





Re: Debian servers hacked?

2003-11-26 Thread George Georgalis
On Wed, Nov 26, 2003 at 12:47:40PM -0500, Matt Zimmerman wrote:
 On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:

  I thought it was odd there were ~50 urgent security updates all in one
  evening.

 There weren't.  Read the changelogs; these were normal bugfixes which
 entered stable as part of the 3.0r2 point release, whose announcement was
 delayed due to the cleanup efforts.


Thanks, I appreciate the updates, and I sympathize re the post
compromise workload.

I've posted 3 or 4 messages re the changes and compromise, from these
I really only want to raise one point: 

  Is there a list of what has been validated and/or restored at
  debian? If so I see no reason to withhold it for a final report, and
  good reason to have it live, throughout the process. It would enable
  undertaking of realtime debian system threat analysis based on the
  trust established with debian last week versus after the compromise.

In the same email I also said had there been no series of change
announcements prior to compromise, live progress reports would not be as
desirable as they are in this case (though everybody wants to know if it
was an ssh bug or loose password... when known).

That aside, I still wonder if we are talking about the same
thing.  It turns out about 160 packages were posted on
[EMAIL PROTECTED] Nov 19. According to the change
logs they don't appear as normal bugfixes, but many are like
kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high
which includes at least one user to root vulnerability. Maybe I'm
missing something, but I don't see any indication these changes don't
affect current installs but are only relevant to r2. (not sure what the
difference would be either)

For me, only one of those 160 packages (when I use 'upgrade' on a
typical box I administer) is marked 'urgency=high', debianutils. Why the
program file is not part of the list even with 'dist-upgrade'.
oic the urgent ones really did come out earlier. I clearly don't
understand the methodology of the announcements and the woody r1 to r2
process.

Whether technically everything was presented sufficiently for everybody
to determine validity and appropriateness is not my point in all this,
only that a live progress report of the restore/verification process (ie
we have verified or fixed host/service a, b and c) would have set many
at ease and I imagine would have been fairly nominal to provide -- a
suggestion.

A few of the other important i386 changes that came out are below --
less their _actual_ dates and less relevant now that I see they've
been available for a while -- as well as links to my other posts. In
retrospect, a post-compromise clarification that the urgent packages
are probably already installed vs people verifying and wondering when
security.debian.org would come back so they could be obtained, would be
as valuable as the progress report!  Your follow up is much appreciated.
-- thanks for all the hard work these days!

// George


http://lists.svlug.org/pipermail/svlug/2003-November/046244.html
http://lists.svlug.org/pipermail/svlug/2003-November/046249.html



Changes:
 ncompress (4.2.4-9.2) stable; urgency=high
 .
   * Disallow maxbits less than 10, to avoid data corruption (closes: #220820).

Changes:
 atftp (0.6.0woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow in tftpd_send_file [tftpd_file.c]

Changes:
 autorespond (2.0.2-2woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow with EXT and HOST environment variables
     (CAN-2003-0654)

Changes:
 cupsys (1.1.14-5) stable-security; urgency=high
 .
   * Security fix: prevent denial of service by not freezing when an
     HTTP transaction is improperly terminated.
   * Fix Build-Depends to make sure that PAM support is always available.
   * CAN-2003-0195

Changes:
 ddskk (11.6.rel.0-2woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Apply patch from Takao Kawamura [EMAIL PROTECTED] to create temporary
     files safely

Changes:
 debianutils (1.16.2woody1) stable; urgency=high
 .
   * Backport of Ian Zimmerman's run-parts program output loss
     patch, which fixes zombie problem.  closes: #184710.

Changes:
 ethereal (0.9.4-1woody5) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix vulnerabilities announced in enpa-sa-00010
     - throw an error on zero-length bufsize in tvb_get_nstringz0
       (CAN-2003-0431)
       [epan/tvbuff.c]
     - Fix over-allocation problem in DCERPC dissector
       (CAN-2003-0428)
       [packet-dcerpc-lsa.c]
     - Fix overflow with bad IPv4 or IPv6 prefix lengths
       (CAN-2003-0429)
   

Re: Debian servers hacked?

2003-11-26 Thread George Georgalis
On Tue, Nov 25, 2003 at 06:10:18PM -0500, Johann Koenig wrote:
 On Saturday November 22 at 02:32am
 George Georgalis [EMAIL PROTECTED] wrote:

  So, are these compromised updates or urgent patches? I'm guessing the
  former..

 More likely part of 3.0r2. I've attached the message from
 debian-announce.

thanks for the attachment. I thought I was on debian-announce
but I didn't see that.

// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    IXOYE
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george





Re: Debian servers hacked?

2003-11-26 Thread Matt Zimmerman
On Wed, Nov 26, 2003 at 02:51:25PM -0500, George Georgalis wrote:

 I've posted 3 or 4 messages re the changes and compromise, from these
 I really only want to raise one point: 
 
   Is there a list of what has been validated and/or restored at
   debian? If so I see no reason to withhold it for a final report, and
   good reason to have it live, throughout the process. It would enable
   undertaking of realtime debian system threat analysis based on the
   trust established with debian last week versus after the compromise.

I have no reason to believe that information is being withheld.

 That aside, I still wonder if we are talking about the same thing.  It
 turns out about 160 packages were posted on
 [EMAIL PROTECTED] Nov 19. According to the change logs they
 don't appear as normal bugfixes, but many are like kernel-source-2.4.17
 (2.4.17-1woody1) stable-security; urgency=high which includes at least
 one user to root vulnerability. Maybe I'm missing something, but I don't
 see any indication these changes don't affect current installs but are
 only relevant to r2. (not sure what the difference would be either)

3.0r2, like other point releases, includes all of the security fixes
released for 3.0r1.  None of those packages are new; they are all from
security.debian.org and correspond to security advisories released since
3.0r1.

-- 
 - mdz
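
An added example, not part of any message in this thread: it reads the header line of each changelog entry quoted in the thread (`package (version) distribution; urgency=level`) and separates `stable-security` uploads, which the reply above says came from security.debian.org, from plain `stable` ones, then matches the entries against the apt cache listing posted elsewhere in the thread. The function names are hypothetical, and the sample data is copied from the thread with some entries and bullet lines left out.

```python
import re
from urllib.parse import unquote

# Entry header as quoted in the thread: "package (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^\s*(?P<package>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)\s]+)\) "
                       r"(?P<dist>[a-z-]+); urgency=(?P<urgency>[a-z]+)\s*$")
CAN_RE = re.compile(r"\bCAN-\d{4}-\d{4}\b")

# Changelog entries copied from the thread (some entries and bullet lines left out).
CHANGES_TEXT = """\
Changes:
 ncompress (4.2.4-9.2) stable; urgency=high
 .
   * Disallow maxbits less than 10, to avoid data corruption (closes: #220820).

Changes:
 autorespond (2.0.2-2woody1) stable-security; urgency=high
 .
   * Fix buffer overflow with EXT and HOST environment variables
     (CAN-2003-0654)

Changes:
 debianutils (1.16.2woody1) stable; urgency=high
 .
   * Backport of Ian Zimmerman's run-parts program output loss
     patch, which fixes zombie problem.  closes: #184710.

Changes:
 ethereal (0.9.4-1woody5) stable-security; urgency=high
 .
   * Fix vulnerabilities announced in enpa-sa-00010
     - throw an error on zero-length bufsize in tvb_get_nstringz0
       (CAN-2003-0431)
     - Fix over-allocation problem in DCERPC dissector
       (CAN-2003-0428)
"""

# File names copied from the /var/cache/apt/archives listing in the thread.
CACHE_LISTING = """\
bsdutils_1%3a2.11n-7_i386.deb
console-data_1999.08.29-24.2_all.deb
debianutils_1.16.2woody1_i386.deb
lock
mount_2.11n-7_i386.deb
nano_1.0.6-3_i386.deb
partial
procmail_3.22-5_i386.deb
procps_1%3a2.0.7-8.woody1_i386.deb
util-linux_2.11n-7_i386.deb
zlib1g_1%3a1.1.4-1.0woody0_i386.deb
"""


def parse_changes(text):
    """Return one dict per 'Changes:' block: package, version, dist, urgency, cans."""
    entries, current, expect_header = [], None, False
    for line in text.splitlines():
        if line.strip() == "Changes:":
            current, expect_header = None, True
        elif expect_header:
            expect_header = False
            match = HEADER_RE.match(line)
            if match:  # a malformed header drops the whole block instead of guessing
                current = dict(match.groupdict(), cans=[])
                entries.append(current)
        elif current is not None:
            current["cans"].extend(CAN_RE.findall(line))
    return entries


def parse_cache_listing(text):
    """Map package -> version for every name_version_arch.deb file name."""
    pulled = {}
    for name in text.split():
        parts = name[:-4].split("_") if name.endswith(".deb") else []
        if len(parts) == 3:  # skips apt's own 'lock' and 'partial' entries
            pulled[parts[0]] = unquote(parts[1])  # %3a is the encoded epoch colon
    return pulled


def triage(entries, pulled):
    """Group packages by upload target and list entries matching a pulled .deb."""
    by_dist, matches = {}, []
    for entry in entries:
        by_dist.setdefault(entry["dist"], []).append(entry["package"])
        if pulled.get(entry["package"]) == entry["version"]:
            matches.append((entry["package"], entry["dist"], entry["urgency"]))
    return by_dist, matches


if __name__ == "__main__":
    by_dist, matches = triage(parse_changes(CHANGES_TEXT), parse_cache_listing(CACHE_LISTING))
    print("by distribution:", by_dist)
    print("pulled packages with a matching entry:", matches)
```

On this data the only pulled package with a matching entry is debianutils, a plain `stable` upload with `urgency=high`, so the urgency field alone does not mark an entry as a security-archive upload.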





Re: Debian servers hacked?

2003-11-25 Thread David A. Ulevitch
Thomas Sjögren wrote:

 On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:

  That's ATM unknown. It seems, that nobody (except the bad boys) has access to
  the boxes. But there are ppl on the way to catch local access. That's all I
  heard.

 Ok, so there's no manual auditing on services, processes, etc (on a daily
 basis) while the servers are running?


You know they will write a full post-mortem when they have all the 
information.  To suggest possible problems without knowing the scope and 
without reading their write up is premature.  Better to ask questions 
once they feel like they know the answers. :)

To speculate is to do a disservice.  Trust the debian security team; 
they do their job well and you should know that security is never guaranteed.

-davidu


 David A. Ulevitch - Founder, EveryDNS.Net
 Washington University in St. Louis
 http://david.ulevitch.com -- http://everydns.net





Re: Debian servers hacked?

2003-11-25 Thread Giacomo Mulas
On Tue, 25 Nov 2003, Dariush Pietrzak wrote:

  Well since delayed woody release was released it surely means that
  'they' know the answers. So I think this is a perfect time for
  post-mortem.

It just means that they were able to check the released packages against
trusted sources, not that they finished post-mortem and restore for all
servers. Don't push them, you can trust that they will release all the
information, once they are finished with it.

Bye
Giacomo

-- 
_

Giacomo Mulas [EMAIL PROTECTED]
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

When the storms are raging around you, stay right where you are
 (Freddy Mercury)
_





Re: Debian servers hacked?

2003-11-25 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 09:17:33AM -0500, Michael Stone wrote:
 Thank you for not starting wild unfounded rumors. If you don't have the
 facts it is unproductive to speculate wildly, especially in a pejorative
 fashion.

No starting rumours or speculating, just asking how the servers got
rooted. If i offended anyone i apologise.

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: Debian servers hacked?

2003-11-25 Thread Lukas Ruf

 Thomas Sjögren [EMAIL PROTECTED] [2003-11-21 16:43]:

 On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
  On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
   Anyone to shed some light over this?
 
  There has been an announcement on the Debian-announce-list a few
  minutes ago which clarifies the situation.  I have asked Martin to
  publish the announcement in this list also.
 

 Yes, I know. The last 5 replies i've got was with the url to that
 announcement.

I would be more than interested in seeing a digitally signed
email by one of the @debian persons that proves evidence.

wbr,
Lukas
-- 
Lukas Ruf   | Wanna know anything about raw |
http://www.lpr.ch | IP? - http://www.rawip.org |
eMail Style Guide: http://www.rawip.org/style.html|



Re: Debian servers hacked?

2003-11-25 Thread Ricardo Kustner
On Friday 21 November 2003 15:14, Thomas Sjögren wrote:
 On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
  On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
   Anyone to shed some light over this
  There has been an announcement on the Debian-announce-list a few
  minutes ago which clarifies the situation.  I have asked Martin to
  publish the announcement in this list also.
 Yes, I know. The last 5 replies i've got was with the url to that
 announcement.
 What i'm interested in was how it could happen.

If you're patient for a little while, I'm sure that'll be announced. The most 
important thing right now is that everything is secured and fixed IMHO. 

Regards,

Ricardo.

-- 


Ricardo Kustner
ICS Linux Professionals
Stadhouderslaan 57
3583 JD UTRECHT
T: 030-6355730 
F: 030-6355731 

PGP-key:
http://www.ic-s.nl/keys/ricardo.txt





Re: Debian servers hacked?

2003-11-25 Thread George Georgalis
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
 On Friday 21 November 2003 13:18, Thomas Sjögren wrote:
  On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
   http://luonnotar.infodrom.org/~joey/debian-announce.txt

  Read that a minute ago, but what happened?

 That's ATM unknown. It seems, that nobody (except the bad boys) has access to
 the boxes. But there are ppl on the way to catch local access. That's all I
 heard.

I thought it was odd there were ~50 urgent security updates all in one
evening.

One of my computers managed to pull several deb updates before
security.debian.org was taken off line:

# ls -1 /var/cache/apt/archives/
bsdutils_1%3a2.11n-7_i386.deb
console-data_1999.08.29-24.2_all.deb
debianutils_1.16.2woody1_i386.deb
lock
mount_2.11n-7_i386.deb
nano_1.0.6-3_i386.deb
partial
procmail_3.22-5_i386.deb
procps_1%3a2.0.7-8.woody1_i386.deb
util-linux_2.11n-7_i386.deb
zlib1g_1%3a1.1.4-1.0woody0_i386.deb

So, are these compromised updates or urgent patches? I'm guessing the
former...

// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    IXOYE
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george





Re: Debian servers hacked?

2003-11-25 Thread Johann Koenig
On Saturday November 22 at 02:32am
George Georgalis [EMAIL PROTECTED] wrote:

 So, are these compromised updates or urgent patches? I'm guessing the
 former..

More likely part of 3.0r2. I've attached the message from
debian-announce.
-- 
-johann koenig
Now Playing: Red Hot Chili Peppers - The Greeting Song : Blood Sugar Sex
Magik
Today is Prickle-Prickle, the 37th day of The Aftermath in the YOLD 3169
My public pgp key: http://mental-graffiti.com/pgp/johannkoenig.pgp


Debian_GNU_Linux_3.0_updated_(r2)
Description: Binary data




Re: Debian servers hacked?

2003-11-25 Thread Michael Stone
On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:
 I thought it was odd there were ~50 urgent security updates all in one
 evening.

Those weren't security updates, they were 3.0r2 (aka stable). Check
the debian-devel-announce archives. (When they come back on line.)

Mike Stone



Re: Debian servers hacked?

2003-11-25 Thread Dariush Pietrzak
 information.  To suggest possible problems without knowing the scope and
 without reading their write up is premature.  Better to ask questions
 once they feel like they know the answers. :)

Well since delayed woody release was released it surely means that
'they' know the answers. So I think this is a perfect time for
post-mortem.

 To speculate is to do a disservice.  Trust the debian security team;
 they do their job well and you should know that security is never guaranteed.

Well, latest events seem to suggest that debian still lacks paranoia.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9



Re: Debian servers hacked?

2003-11-25 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 09:17:33AM -0500, Michael Stone wrote:
 Thank you for not starting wild unfounded rumors. If you don't have the
 facts it is unproductive to speculate wildly, especially in a pejorative
 fashion.

No starting rumours or specualting, just asking how the servers got got
rooted. If i offended anyone i apologise.

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--


signature.asc
Description: Digital signature


Re: Debian servers hacked?

2003-11-25 Thread George Georgalis
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
On Friday 21 November 2003 13:18, Thomas Sj?gren wrote:
 On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
  http://luonnotar.infodrom.org/~joey/debian-announce.txt

 Read that a minute ago, but what happended?

Thats ATM unknown. It seems, that nobody (except the bad boys) has access to 
the boxes. But there are ppl on the way to catch local access. Thats all I 
heared.

I thought it was odd there where ~50 urgent security updates all in one
evening.

One of my computers managed to pull several deb updates before
security.debian.org was taken off line:

# ls -1 /var/cache/apt/archives/
bsdutils_1%3a2.11n-7_i386.deb
console-data_1999.08.29-24.2_all.deb
debianutils_1.16.2woody1_i386.deb
lock
mount_2.11n-7_i386.deb
nano_1.0.6-3_i386.deb
partial
procmail_3.22-5_i386.deb
procps_1%3a2.0.7-8.woody1_i386.deb
util-linux_2.11n-7_i386.deb
zlib1g_1%3a1.1.4-1.0woody0_i386.deb

So, are these compromised updates or urgent patches? I'm guessing the
former...

// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    IXOYE
Security Services, Web, Mail,            mailto:[EMAIL PROTECTED] 
Multimedia, DB, DNS and Metrics.   http://www.galis.org/george 
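
One way to check files already sitting in /var/cache/apt/archives, as an added example that is not part of the thread: compare each cached .deb against the size and SHA256 entries of a Packages index obtained from a source you already trust. Only the three file names come from the listing above; the file contents, hashes and index text are constructed, and the use of the SHA256 field assumes a current-style index.

```python
import hashlib
import os
import tempfile
from urllib.parse import unquote


def parse_packages_index(text):
    """Map (package, version, arch) -> (size, sha256) from Packages-style stanzas."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation lines (long descriptions) are not needed
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        try:
            ident = (fields["package"], fields["version"], fields["architecture"])
            index[ident] = (int(fields["size"]), fields["sha256"].lower())
        except (KeyError, ValueError):
            continue  # stanza lacks a field we need: treat it as not listed
    return index


def split_cache_name(filename):
    """Split an apt cache file name into (package, version, arch), or None."""
    if not filename.endswith(".deb"):
        return None
    parts = filename[:-len(".deb")].split("_")
    if len(parts) != 3:
        return None
    package, version, arch = parts
    # The epoch separator ':' appears as '%3a' in cache file names.
    return package, unquote(version), arch


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_cache(cache_dir, index):
    """Return {file name: 'ok' | 'MISMATCH' | 'not-in-index'} for cached .deb files."""
    results = {}
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        ident = split_cache_name(name)
        if ident is None or not os.path.isfile(path):
            continue  # 'lock', 'partial' and other non-package entries
        expected = index.get(ident)
        if expected is None:
            results[name] = "not-in-index"
        elif os.path.getsize(path) != expected[0] or sha256_file(path) != expected[1]:
            results[name] = "MISMATCH"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed data: three file names from the listing, made-up contents."""
    contents = {
        "bsdutils_1%3a2.11n-7_i386.deb": b"constructed bsdutils payload",
        "nano_1.0.6-3_i386.deb": b"constructed nano payload",
        "procmail_3.22-5_i386.deb": b"constructed procmail payload",
    }
    stanzas = []
    for name, data in contents.items():
        package, version, arch = split_cache_name(name)
        if package == "procmail":
            continue  # leave one package out of the trusted index
        stanzas.append(
            f"Package: {package}\nVersion: {version}\nArchitecture: {arch}\n"
            f"Size: {len(data)}\nSHA256: {hashlib.sha256(data).hexdigest()}\n"
            "Description: constructed entry\n with a continuation line"
        )
    index = parse_packages_index("\n\n".join(stanzas))
    with tempfile.TemporaryDirectory() as cache_dir:
        for name, data in contents.items():
            with open(os.path.join(cache_dir, name), "wb") as handle:
                handle.write(data)
        # Simulate a file altered after download: same length, different bytes.
        with open(os.path.join(cache_dir, "nano_1.0.6-3_i386.deb"), "wb") as handle:
            handle.write(b"constructed nano PAYLOAD")
        open(os.path.join(cache_dir, "lock"), "wb").close()
        os.mkdir(os.path.join(cache_dir, "partial"))
        return check_cache(cache_dir, index)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:13} {name}")
```

The result is only as trustworthy as the index itself, so its authenticity has to be established separately before the comparison means anything.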



Re: Debian servers hacked?

2003-11-25 Thread Johann Koenig
On Saturday November 22 at 02:32am
George Georgalis [EMAIL PROTECTED] wrote:

 So, are these compromised updates or urgent patches? I'm guessing the
 former..

More likely part of 3.0r2. I've attached the message from
debian-announce.
-- 
-johann koenig
Now Playing: Red Hot Chili Peppers - The Greeting Song : Blood Sugar Sex
Magik
Today is Prickle-Prickle, the 37th day of The Aftermath in the YOLD 3169
My public pgp key: http://mental-graffiti.com/pgp/johannkoenig.pgp


Debian_GNU_Linux_3.0_updated_(r2)
Description: Binary data




Re: Debian servers hacked?

2003-11-25 Thread Michael Stone

On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:

I thought it was odd there were ~50 urgent security updates all in one
evening.


Those weren't security updates, they were 3.0r2 (aka stable). Check
the debian-devel-announce archives. (When they come back on line.)

Mike Stone



Debian servers hacked?

2003-11-21 Thread Thomas Sjögren
Anyone to shed some light over this?

Someone has cracked all the servers of the Debian Project. There has
been a severe security mishap and guys should uninstall all stuff
downloaded and installed in the past 2 days. Please do not apt-get
anything right now! Please wait till an `official' release happens!
http://article.gmane.org/gmane.linux.debian.user/117910

Server security mishap - you think?!

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: Debian servers hacked?

2003-11-21 Thread Jan Wagner
On Friday 21 November 2003 12:38, Thomas Sjögren wrote:
 Anyone to shed some light over this?

 Someone has cracked all the servers of the Debian Project. There has
 been a severe security mishap and guys should uninstall all stuff
 downloaded and installed in the past 2 days. Please do not apt-get
 anything right now! Please wait till an `official' release happens!
 http://article.gmane.org/gmane.linux.debian.user/117910

 Server security mishap - you think?!

http://luonnotar.infodrom.org/~joey/debian-announce.txt

Regards, Jan.





Re: Debian servers hacked?

2003-11-21 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
 http://luonnotar.infodrom.org/~joey/debian-announce.txt

Read that a minute ago, but what happened?

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--


signature.asc
Description: Digital signature


Re: Debian servers hacked?

2003-11-21 Thread Jan Wagner
On Friday 21 November 2003 13:18, Thomas Sjögren wrote:
 On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
  http://luonnotar.infodrom.org/~joey/debian-announce.txt

 Read that a minute ago, but what happened?

That's ATM unknown. It seems that nobody (except the bad boys) has access to 
the boxes. But there are ppl on the way to catch local access. That's all I 
heard.

Regards, Jan.





Re: Debian servers hacked?

2003-11-21 Thread Norbert Tretkowski
* Thomas Sjögren wrote:
[...]
 Server security mishap - you think?!

http://luonnotar.infodrom.org/~joey/debian-announce.txt

-- 
 - nobse





Re: Debian servers hacked?

2003-11-21 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
 That's ATM unknown. It seems that nobody (except the bad boys) has access to 
 the boxes. But there are ppl on the way to catch local access. That's all I 
 heard.

Ok, so there's no manual auditing on services, processes, etc (on a daily
basis) while the servers are running?

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: Debian servers hacked?

2003-11-21 Thread Tomasz Papszun
On Fri, 21 Nov 2003 at 12:38:50 +0100, Thomas Sjögren wrote:
 Anyone to shed some light over this?
 
 Someone has cracked all the servers of the Debian Project. There has
 been a severe security mishap and guys should uninstall all stuff
 downloaded and installed in the past 2 days. Please do not apt-get
 anything right now! Please wait till an `official' release happens!
 http://article.gmane.org/gmane.linux.debian.user/117910
 
 Server security mishap - you think?!
 

This is exaggerated.
I'm forwarding the official announcement from debian-announce mailing
list:

=

Date: Fri, 21 Nov 2003 11:46:19 +0100
From: Martin Schulze [EMAIL PROTECTED]
To: Debian Announcements [EMAIL PROTECTED]
Subject: Some Debian Project machines have been compromised
Message-ID: [EMAIL PROTECTED]


The Debian Project                                http://www.debian.org/
Some Debian Project machines compromised          [EMAIL PROTECTED]
November 21st, 2003


Some Debian Project machines have been compromised

This is a very unfortunate incident to report about.  Some Debian
servers were found to have been compromised in the last 24 hours.

The archive is not affected by this compromise!

In particular the following machines have been affected:

  . master (Bug Tracking System)
  . murphy (mailing lists)
  . gluck (web, cvs)
  . klecker (security, non-us, web search, www-master)

Some of these services are currently not available as the machines
undergo close inspection.  Some services have been moved to other
machines (www.debian.org for example).

The security archive will be verified from trusted sources before it
will become available again.

Please note that we have recently prepared a new point release for
Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not been
announced yet, it has been pushed to our mirrors already.  The
announcement was scheduled for this morning but had to be postponed.
This update has now been checked and it is not affected by the
compromise.

We apologise for the disruptions of some services over the next few
days.  We are working on restoring the services and verifying the
content of our archives.


Contact Information
---

For further information, please visit the Debian web pages at
http://www.debian.org/ or contact [EMAIL PROTECTED].


=


-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner





Re: Debian servers hacked?

2003-11-21 Thread Jan Wagner
On Friday 21 November 2003 13:32, Thomas Sjögren wrote:
 On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
  That's ATM unknown. It seems that nobody (except the bad boys) has access
  to the boxes. But there are ppl on the way to catch local access. That's
  all I heard.

 Ok, so there's no manual auditing on services, processes, etc (on a daily
 basis) while the servers are running?

Dunno.

Regards, Jan.





Re: Debian servers hacked?

2003-11-21 Thread Johann Spies
On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
 Anyone to shed some light over this?

There has been an announcement on the Debian-announce-list a few
minutes ago which clarifies the situation.  I have asked Martin to
publish the announcement in this list also.

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 A new commandment I give unto you; That ye love one 
  another. As I have loved you, so ye also must love one
  another.  By this shall all men know that ye are my 
  disciples, if ye have love one to another.
 John 13:34,35 





Debian servers hacked?

2003-11-21 Thread Nils Ulltveit-Moe

There are unconfirmed rumours that the Debian servers have been
hacked:

We know nothing about the extent of this.

Regards,
Nils

Thomas Sjögren writes:
  Anyone to shed some light over this?
  
  Someone has cracked all the servers of the Debian Project. There has
  been a severe security mishap and guys should uninstall all stuff
  downloaded and installed in the past 2 days. Please do not apt-get
  anything right now! Please wait till an `official' release happens!
  http://article.gmane.org/gmane.linux.debian.user/117910
  
  Server security mishap - you think?!
  
  /Thomas
  -- 
  == [EMAIL PROTECTED] | [EMAIL PROTECTED]
  == Encrypted e-mails preferred | GPG KeyID: 114AA85C
  --





Re: Debian servers hacked?

2003-11-21 Thread Jens Mayer
* On Fri, Nov 21, 2003 at 12:38:50 +0100, Thomas Sjögren wrote:

 Anyone to shed some light over this?

 Someone has cracked all the servers of the Debian Project. There has
 been a severe security mishap and guys should uninstall all stuff
 downloaded and installed in the past 2 days. Please do not apt-get
 anything right now! Please wait till an `official' release happens!
 http://article.gmane.org/gmane.linux.debian.user/117910

 Server security mishap - you think?!

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

Regards,
Jens

-- 
It is better to be bow-legged than no-legged.





Re: Debian servers hacked?

2003-11-21 Thread Stephen Frost
* Thomas Sjögren ([EMAIL PROTECTED]) wrote:
 Anyone to shed some light over this?
 
 Someone has cracked all the servers of the Debian Project. There has
 been a severe security mishap and guys should uninstall all stuff
 downloaded and installed in the past 2 days. Please do not apt-get
 anything right now! Please wait till an `official' release happens!
 http://article.gmane.org/gmane.linux.debian.user/117910
 
 Server security mishap - you think?!

The other security folk are probably busy but, basically, the real
announcement is here:

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

And the person you're quoting from is a misinformed idiot.

Stephen




Re: Debian servers hacked?

2003-11-21 Thread Michele Baldessari
* Thomas Sjögren ([EMAIL PROTECTED]) wrote:
 Someone has cracked all the servers of the Debian Project. There has
 been a severe security mishap and guys should uninstall all stuff
 downloaded and installed in the past 2 days. Please do not apt-get
 anything right now! Please wait till an `official' release happens!
 http://article.gmane.org/gmane.linux.debian.user/117910
 
http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt

hth,
Michele
--
Poetry, the best of it, is lunar and is concerned with the essential insanities.
Journalism is solar (there are numerous newspapers named The Sun, none 
called The Moon) and is devoted to the inessential.




Re: Debian servers hacked?

2003-11-21 Thread Michel Messerschmidt
On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
 Anyone to shed some light over this?

Seems like there has been a message to debian-announce:
http://cert.uni-stuttgart.de/ticker/article.php?mid=1167

I'm just wondering why I didn't receive it?

-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg





Re: Debian servers hacked?

2003-11-21 Thread Michael Stone
On Fri, Nov 21, 2003 at 01:32:22PM +0100, Thomas Sjögren wrote:
 Ok, so there's no manual auditing on services, processes, etc (on a daily
 basis) while the servers are running?

Thank you for not starting wild unfounded rumors. If you don't have the
facts it is unproductive to speculate wildly, especially in a pejorative
fashion.

Mike Stone



Re: Debian servers hacked?

2003-11-21 Thread Bueno

Sorry,
wrong copy/paste

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt
is the right

 [Note: The original announcement didn't have a GnuPG
 signature.]

On (21/11/03 14:15), Jan Wagner wrote:
 On Friday 21 November 2003 13:58, Bueno wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
  
  - 
  The Debian Project                                http://www.debian.org/
  Some Debian Project machines compromised          [EMAIL PROTECTED]
  November 21st, 2003
  - 
  
  Some Debian Project machines have been compromised
  
  This is a very unfortunate incident to report about.  Some Debian
  servers were found to have been compromised in the last 24 hours.
  
  The archive is not affected by this compromise!
  
  In particular the following machines have been affected:
  
. master (Bug Tracking System)
  . murphy (mailing lists)
. gluck (web, cvs)
  . klecker (security, non-us, web search, www-master)
  
  Some of these services are currently not available as the
  machines
  undergo close inspection.  Some services have been moved to
  other
  machines (www.debian.org for example).
  
  The security archive will be verified from trusted sources
  before it
  will become available again.
  
  Please note that we have recently prepared a new point release
  for
  Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not
  been
  announced yet, it has been pushed to our mirrors already.  The
  announcement was scheduled for this morning but had to be
  postponed.
  This update has now been checked and it is not affected by the
  compromise.
  
  We apologise for the disruptions of some services over the next
  few
  days.  We are working on restoring the services and verifying
  the
  content of our archives.
  
  
  Contact Information
  - ---
  
  For further information, please visit the Debian web pages at
  http://www.debian.org/ or send mail to [EMAIL PROTECTED].
  -BEGIN PGP SIGNATURE-
  Version: GnuPG v1.2.3 (GNU/Linux)
  
  iD8DBQE/vfsJW5ql+IAeqTIRApjYAJ4v6QK07nyNNyBCvsosorej3cwMHACfZcLt
  PwFJYJu8w1rU64Z82ddF6LY=
  =If2b
  -END PGP SIGNATURE-
  
  
  
  On (21/11/03 13:13), Jan Wagner wrote:
 
   On Friday 21 November 2003 12:38, Thomas Sjögren wrote:
  
Anyone to shed some light over this?
   
Someone has cracked all the servers of the Debian Project. There has
been a severe security mishap and guys should uninstall all stuff
downloaded and installed in the past 2 days. Please do not apt-get
anything right now! Please wait till an `official' release happens!
http://article.gmane.org/gmane.linux.debian.user/117910
   
Server security mishap - you think?!
  
   
   http://luonnotar.infodrom.org/~joey/debian-announce.txt
 
 Seems you didn't read this.
 
 Regards, Jan.

-- 
Bueno, Felippe
[EMAIL PROTECTED]
http://www.hal.vu






Re: Debian servers hacked?

2003-11-21 Thread Jan Wagner
On Friday 21 November 2003 13:58, Bueno wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 - 
 The Debian Project                                http://www.debian.org/
 Some Debian Project machines compromised          [EMAIL PROTECTED]
 November 21st, 2003
 - 
 
 Some Debian Project machines have been compromised
 
 This is a very unfortunate incident to report about.  Some Debian
 servers were found to have been compromised in the last 24 hours.
 
 The archive is not affected by this compromise!
 
 In particular the following machines have been affected:
 
   . master (Bug Tracking System)
 . murphy (mailing lists)
   . gluck (web, cvs)
 . klecker (security, non-us, web search, www-master)
 
   Some of these services are currently not available as the
   machines
   undergo close inspection.  Some services have been moved to
   other
   machines (www.debian.org for example).
 
   The security archive will be verified from trusted sources
   before it
   will become available again.
 
   Please note that we have recently prepared a new point release
   for
   Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not
   been
   announced yet, it has been pushed to our mirrors already.  The
   announcement was scheduled for this morning but had to be
   postponed.
   This update has now been checked and it is not affected by the
   compromise.
 
   We apologise for the disruptions of some services over the next
   few
   days.  We are working on restoring the services and verifying
   the
   content of our archives.
 
 
   Contact Information
   - ---
 
   For further information, please visit the Debian web pages at
   http://www.debian.org/ or send mail to [EMAIL PROTECTED].
   -BEGIN PGP SIGNATURE-
   Version: GnuPG v1.2.3 (GNU/Linux)
 
   iD8DBQE/vfsJW5ql+IAeqTIRApjYAJ4v6QK07nyNNyBCvsosorej3cwMHACfZcLt
   PwFJYJu8w1rU64Z82ddF6LY=
   =If2b
   -END PGP SIGNATURE-
 
 
 
 On (21/11/03 13:13), Jan Wagner wrote:

  On Friday 21 November 2003 12:38, Thomas Sjögren wrote:
 
   Anyone to shed some light over this?
  
   Someone has cracked all the servers of the Debian Project. There has
   been a severe security mishap and guys should uninstall all stuff
   downloaded and installed in the past 2 days. Please do not apt-get
   anything right now! Please wait till an `official' release happens!
   http://article.gmane.org/gmane.linux.debian.user/117910
  
   Server security mishap - you think?!
 
  
  http://luonnotar.infodrom.org/~joey/debian-announce.txt

Seems you didn't read this.

Regards, Jan.



Re: Debian servers hacked?

2003-11-21 Thread Bueno
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
The Debian Project                                http://www.debian.org/
Some Debian Project machines compromised          [EMAIL PROTECTED]
November 21st, 2003
- 

Some Debian Project machines have been compromised

This is a very unfortunate incident to report about.  Some Debian
servers were found to have been compromised in the last 24 hours.

The archive is not affected by this compromise!

In particular the following machines have been affected:

  . master (Bug Tracking System)
. murphy (mailing lists)
  . gluck (web, cvs)
. klecker (security, non-us, web search, www-master)

Some of these services are currently not available as the
machines
undergo close inspection.  Some services have been moved to
other
machines (www.debian.org for example).

The security archive will be verified from trusted sources
before it
will become available again.

Please note that we have recently prepared a new point release
for
Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not
been
announced yet, it has been pushed to our mirrors already.  The
announcement was scheduled for this morning but had to be
postponed.
This update has now been checked and it is not affected by the
compromise.

We apologise for the disruptions of some services over the next
few
days.  We are working on restoring the services and verifying
the
content of our archives.


Contact Information
- ---

For further information, please visit the Debian web pages at
http://www.debian.org/ or send mail to [EMAIL PROTECTED].
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/vfsJW5ql+IAeqTIRApjYAJ4v6QK07nyNNyBCvsosorej3cwMHACfZcLt
PwFJYJu8w1rU64Z82ddF6LY=
=If2b
-END PGP SIGNATURE-



On (21/11/03 13:13), Jan Wagner wrote:
 On Friday 21 November 2003 12:38, Thomas Sjögren wrote:
  Anyone to shed some light over this?
 
  Someone has cracked all the servers of the Debian Project. There has
  been a severe security mishap and guys should uninstall all stuff
  downloaded and installed in the past 2 days. Please do not apt-get
  anything right now! Please wait till an `official' release happens!
  http://article.gmane.org/gmane.linux.debian.user/117910
 
  Server security mishap - you think?!
 
 http://luonnotar.infodrom.org/~joey/debian-announce.txt
 
 Regards, Jan.
 
 
 

-- 
Bueno, Felippe
[EMAIL PROTECTED]
http://www.hal.vu



Re: Debian servers hacked?

2003-11-21 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
 On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
  Anyone to shed some light over this?
 
 There has been an announcement on the Debian-announce-list a few
 minutes ago which clarifies the situation.  I have asked Martin to
 publish the announcement in this list also.
 

Yes, I know. The last 5 replies I've got were with the URL to that
announcement. 
What I'm interested in was how it could happen.

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--




Re: Debian servers hacked?

2003-11-21 Thread Bueno

Sorry,
wrong copy/paste

http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt
is the right

 [Note: The original announcement didn't have a GnuPG
 signature.]

On (21/11/03 14:15), Jan Wagner wrote:
 On Friday 21 November 2003 13:58, Bueno wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
  
  - 
  The Debian Projecthttp://www.debian.org/
  Some Debian Project machines compromised[EMAIL PROTECTED]
  November 21st, 2003
  - 
  
  Some Debian Project machines have been compromised
  
  This is a very unfortunate incident to report about.  Some Debian
  servers were found to have been compromised in the last 24 hours.
  
  The archive is not affected by this compromise!
  
  In particular the following machines have been affected:
  
      . master (Bug Tracking System)
      . murphy (mailing lists)
      . gluck (web, cvs)
      . klecker (security, non-us, web search, www-master)
  
  Some of these services are currently not available as the machines
  undergo close inspection.  Some services have been moved to other
  machines (www.debian.org for example).
  
  The security archive will be verified from trusted sources before it
  will become available again.
  
  Please note that we have recently prepared a new point release for
  Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not been
  announced yet, it has been pushed to our mirrors already.  The
  announcement was scheduled for this morning but had to be postponed.
  This update has now been checked and it is not affected by the
  compromise.
  
  We apologise for the disruptions of some services over the next few
  days.  We are working on restoring the services and verifying the
  content of our archives.
  
  
  Contact Information
  - ---
  
  For further information, please visit the Debian web pages at
  http://www.debian.org/ or send mail to [EMAIL PROTECTED].
  -BEGIN PGP SIGNATURE-
  Version: GnuPG v1.2.3 (GNU/Linux)
  
  iD8DBQE/vfsJW5ql+IAeqTIRApjYAJ4v6QK07nyNNyBCvsosorej3cwMHACfZcLt
  PwFJYJu8w1rU64Z82ddF6LY=
  =If2b
  -END PGP SIGNATURE-
  
  
  
  On (21/11/03 13:13), Jan Wagner wrote:
 
   On Friday 21 November 2003 12:38, Thomas Sjögren wrote:
  
Anyone to shed some light over this?
   
Someone has cracked all the servers of the Debian Project. There has
been a severe security mishap and guys should uninstall all stuff
downloaded and installed in the past 2 days. Please do not apt-get
anything right now! Please wait till an `official' release happens!
http://article.gmane.org/gmane.linux.debian.user/117910
   
Server security mishap - you think?!
  
   
   http://luonnotar.infodrom.org/~joey/debian-announce.txt
 
 Seems you didn't read this.
 
 Regards, Jan.

-- 
Bueno, Felippe
[EMAIL PROTECTED]
http://www.hal.vu



Re: Debian servers hacked?

2003-11-21 Thread Lukas Ruf
 Thomas Sjögren [EMAIL PROTECTED] [2003-11-21 16:43]:

 On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
  On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
   Anyone to shed some light over this?
 
  There has been an announcement on the Debian-announce-list a few
  minutes ago which clarifies the situation.  I have asked Martin to
  publish the announcement in this list also.
 

 Yes, I know. The last 5 replies I've got were with the URL to that
 announcement.

I would be more than interested in seeing a digitally signed
email by one of the @debian persons that proves evidence.

wbr,
Lukas
- -- 
Lukas Ruf   | Wanna know anything about raw |
http://www.lpr.ch | IP? - http://www.rawip.org |
eMail Style Guide: http://www.rawip.org/style.html|



Re: Debian servers hacked?

2003-11-21 Thread Ricardo Kustner
On Friday 21 November 2003 15:14, Thomas Sjögren wrote:
 On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
  On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
   Anyone to shed some light over this?
  There has been an announcement on the Debian-announce-list a few
  minutes ago which clarifies the situation.  I have asked Martin to
  publish the announcement in this list also.
 Yes, I know. The last 5 replies I've got were with the URL to that
 announcement.
 What I'm interested in was how it could happen.

If you're patient for a little while, I'm sure that'll be announced. The most 
important thing right now is that everything is secured and fixed IMHO.

Regards,

Ricardo.

-- 


Ricardo Kustner
ICS Linux Professionals
Stadhouderslaan 57
3583 JD UTRECHT
T: 030-6355730 
F: 030-6355731 

PGP-key:
http://www.ic-s.nl/keys/ricardo.txt