FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise - Mailing list pgsql-advocacy

Hi guys,

Not sure if people have or haven't seen this already.

The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.

:-(

Regards and best wishes,

Justin Clift


> -----Original Message-----
> From:    auscert@auscert.org.au
> Sent:    Thursday, 14 August 2003 1:59 pm
> To:    auscert-subscriber@auscert.org.au
> Subject:    (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ===========================================================================
>              AUSCERT External Security Bulletin Redistribution
>
>                  ESB-2003.0563 -- CERT Advisory CA-2003-21
>                      GNU Project FTP Server Compromise
>                               14 August 2003
>
> ===========================================================================
>
>         AusCERT Security Bulletin Summary
>         ---------------------------------
>
> Product:                GNU Software
> Publisher:              CERT/CC
> Impact:                 Root Compromise
>                         Execute Arbitrary Code/Commands
> Access Required:        Remote
>
> - --------------------------BEGIN INCLUDED TEXT--------------------
>
> - -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
>
>    Original issue date: August 13, 2003
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history is at the end of this file.
>
> Overview
>
>    The  CERT/CC has received a report that the system housing the primary
>    FTP servers for the GNU software project was compromised.
>
> I. Description
>
>    The GNU Project, principally sponsored by the Free Software Foundation
>    (FSF),  produces  a  variety of freely available software. The CERT/CC
>    has  learned  that  the system housing the primary FTP servers for the
>    GNU  software  project,  gnuftp.gnu.org,  was  root  compromised by an
>    intruder.  The more common host names of ftp.gnu.org and alpha.gnu.org
>    are  aliases  for  the  same  compromised  system.  The  compromise is
>    reported to have occurred in March of 2003.
>
>    The FSF has released an announcement describing the incident.
>
>    Because  this  system  serves  as  a  centralized  archive  of popular
>    software,  the  insertion  of  malicious  code  into  the  distributed
>    software  is  a  serious  threat. As the above announcement indicates,
>    however,  no  source  code  distributions  are  believed  to have been>
>    maliciously modified at this time.
>
> II. Impact
>
>    The  potential  exists  for  an  intruder to have inserted back doors,
>    Trojan   horses,   or  other  malicious  code  into  the  source  code
>    distributions of software housed on the compromised system.
>
> III. Solution
>
>    We   encourage   sites  using  the  GNU  software  obtained  from  the
>    compromised system to verify the integrity of their distribution.
>
>    Sites  that  mirror  the  source  code  are  encouraged  to verify the
>    integrity of their sources. We also encourage users to inspect any and
>    all  other software that may have been downloaded from the compromised
>    site.  Note that it is not always sufficient to rely on the timestamps
>    or  file  sizes  when trying to determine whether or not a copy of the
>    file has been modified.
>
> Verifying checksums
>
>    The  FSF has produced PGP-signed lists of known-good MD5 hashes of the
>    software packages housed on the compromised server. These lists can be
>    found at
>
>           ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
>           ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>
>    Note that both of these files and the announcement above are signed by
>    Bradley  Kuhn,  Executive  Director of the FSF, with the following PGP
>    key:
>
> pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org>
>      Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
> uid                            Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org>
> uid                            Bradley M. Kuhn <bkuhn@gnu.org>
> sub  2048g/75CA9CB3 1999-12-09
>
>    The CERT/CC believes this key to be valid.
>
>    As a matter of good security practice, the CERT/CC encourages users to
>    verify,  whenever  possible, the integrity of downloaded software. For
>    more information, see IN-2001-06.
>
> Appendix A. - Vendor Information
>
>    This  appendix  contains  information  provided  by  vendors  for this
>    advisory.  As  vendors  report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular  vendor  is  not  listed  below, we have not received their
>    comments.
>
> Free Software Foundation
>
>
>    The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
>    all been verified, and their md5sums and the reasons we believe the
>    md5sums can be trusted are in:
>
>        ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
>        ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>
>    We are updating that file and the site as we confirm good md5sums of
>    additional files.  It is theoretically possible that downloads between
>    March 2003 and July 2003 might have been source-compromised, so we
>    encourage everyone to re-download sources and compare with the current
>    copies for files on the site.
>
> Appendix B. References
>
>      * FSF      announcement      regarding      the      incident      -
>        ftp://ftp.gnu.org/MISSING-FILES.README
>      * CERT Incident Note IN-2001-06 -
>        http://www.cert.org/incident_notes/IN-2001-06.html
>      _________________________________________________________________
>
>    The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
>    Foundation for their timely assistance in this matter.
>      _________________________________________________________________
>
>    Feedback can be directed to the author: Chad Dougherty.
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2003-21.html
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989>
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo@cert.org. Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    ______________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2002 Carnegie Mellon University.
>
>    Revision History
> August 13, 2003: Initial release
>
> - -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
> QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
> S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
> OeyQrFbsq54=
> =/72G
> - -----END PGP SIGNATURE-----
>
> - --------------------------END INCLUDED TEXT--------------------
>
> You have received this e-mail bulletin as a result of your organisation's
> registration with AusCERT. The mailing list you are subscribed to is
> maintained within your organisation, so if you do not wish to continue
> receiving these bulletins you should contact your local IT manager. If
> you do not know who that is, please send an email to auscert@auscert.org.au
> and we will forward your request to the appropriate person.
>
> This security bulletin is provided as a service to AusCERT's members.  As
> AusCERT did not write the document quoted above, AusCERT has had no control
> over its content. The decision to follow or act on information or advice
> contained in this security bulletin is the responsibility of each user or
> organisation, and should be considered in accordance with your organisation's
> site policies and procedures. AusCERT takes no responsibility for consequences
> which may arise from following or acting on information or advice contained in
> this security bulletin.
>
> NOTE: This is only the original release of the security bulletin.  It may
> not be updated when updates to the original are made.  If downloading at
> a later date, it is recommended that the bulletin is retrieved directly
> from the author's website to ensure that the information is still current.
>
> Contact information for the authors of the original document is included
> in the Security Bulletin above.  If you have any questions or need further>
> information, please contact them directly.
>
> Previous advisories and external security bulletins can be retrieved from:
>
>         http://www.auscert.org.au/render.html?cid=1980
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
>         http://www.auscert.org.au/render.html?it=3192
>
> Internet Email: auscert@auscert.org.au
> Facsimile:      (07) 3365 7031
> Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
>                 AusCERT personnel answer during Queensland business
>                 hours which are GMT+10:00 (AEST).  On call after hours
>                 for member emergencies only.
> -----BEGIN PGP SIGNATURE-----
> Comment: http://www.auscert.org.au/render.html?it=1967
>
> iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8
> P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx
> q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw
> 1iSJeKfo/Mg=
> =pn8Y
> -----END PGP SIGNATURE-----