Thread: FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise

Hi guys,

Not sure if people have or haven't seen this already.

The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.

:-(

Regards and best wishes,

Justin Clift


> -----Original Message-----
> From:    auscert@auscert.org.au
> Sent:    Thursday, 14 August 2003 1:59 pm
> To:    auscert-subscriber@auscert.org.au
> Subject:    (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ===========================================================================
>              AUSCERT External Security Bulletin Redistribution
>
>                  ESB-2003.0563 -- CERT Advisory CA-2003-21
>                      GNU Project FTP Server Compromise
>                               14 August 2003
>
> ===========================================================================
>
>         AusCERT Security Bulletin Summary
>         ---------------------------------
>
> Product:                GNU Software
> Publisher:              CERT/CC
> Impact:                 Root Compromise
>                         Execute Arbitrary Code/Commands
> Access Required:        Remote
>
> - --------------------------BEGIN INCLUDED TEXT--------------------
>
> - -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
>
>    Original issue date: August 13, 2003
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history is at the end of this file.
>
> Overview
>
>    The  CERT/CC has received a report that the system housing the primary
>    FTP servers for the GNU software project was compromised.
>
> I. Description
>
>    The GNU Project, principally sponsored by the Free Software Foundation
>    (FSF),  produces  a  variety of freely available software. The CERT/CC
>    has  learned  that  the system housing the primary FTP servers for the
>    GNU  software  project,  gnuftp.gnu.org,  was  root  compromised by an
>    intruder.  The more common host names of ftp.gnu.org and alpha.gnu.org
>    are  aliases  for  the  same  compromised  system.  The  compromise is
>    reported to have occurred in March of 2003.
>
>    The FSF has released an announcement describing the incident.
>
>    Because  this  system  serves  as  a  centralized  archive  of popular
>    software,  the  insertion  of  malicious  code  into  the  distributed
>    software  is  a  serious  threat. As the above announcement indicates,
>    however,  no  source  code  distributions  are  believed  to have been
>    maliciously modified at this time.
>
> II. Impact
>
>    The  potential  exists  for  an  intruder to have inserted back doors,
>    Trojan   horses,   or  other  malicious  code  into  the  source  code
>    distributions of software housed on the compromised system.
>
> III. Solution
>
>    We   encourage   sites  using  the  GNU  software  obtained  from  the
>    compromised system to verify the integrity of their distribution.
>
>    Sites  that  mirror  the  source  code  are  encouraged  to verify the
>    integrity of their sources. We also encourage users to inspect any and
>    all  other software that may have been downloaded from the compromised
>    site.  Note that it is not always sufficient to rely on the timestamps
>    or  file  sizes  when trying to determine whether or not a copy of the
>    file has been modified.
>
> Verifying checksums
>
>    The  FSF has produced PGP-signed lists of known-good MD5 hashes of the
>    software packages housed on the compromised server. These lists can be
>    found at
>
>           ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
>           ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>
>    Note that both of these files and the announcement above are signed by
>    Bradley  Kuhn,  Executive  Director of the FSF, with the following PGP
>    key:
>
> pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org>
>      Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
> uid                            Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org>
> uid                            Bradley M. Kuhn <bkuhn@gnu.org>
> sub  2048g/75CA9CB3 1999-12-09
>
>    The CERT/CC believes this key to be valid.
>
>    As a matter of good security practice, the CERT/CC encourages users to
>    verify,  whenever  possible, the integrity of downloaded software. For
>    more information, see IN-2001-06.
>
> Appendix A. - Vendor Information
>
>    This  appendix  contains  information  provided  by  vendors  for this
>    advisory.  As  vendors  report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular  vendor  is  not  listed  below, we have not received their
>    comments.
>
> Free Software Foundation
>
>
>    The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
>    all been verified, and their md5sums and the reasons we believe the
>    md5sums can be trusted are in:
>
>        ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
>        ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>
>    We are updating that file and the site as we confirm good md5sums of
>    additional files.  It is theoretically possible that downloads between
>    March 2003 and July 2003 might have been source-compromised, so we
>    encourage everyone to re-download sources and compare with the current
>    copies for files on the site.
>
> Appendix B. References
>
>      * FSF announcement regarding the incident -
>        ftp://ftp.gnu.org/MISSING-FILES.README
>      * CERT Incident Note IN-2001-06 -
>        http://www.cert.org/incident_notes/IN-2001-06.html
>      _________________________________________________________________
>
>    The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
>    Foundation for their timely assistance in this matter.
>      _________________________________________________________________
>
>    Feedback can be directed to the author: Chad Dougherty.
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2003-21.html
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo@cert.org. Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    ______________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2002 Carnegie Mellon University.
>
>    Revision History
> August 13, 2003: Initial release
>
> - -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
> QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
> S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
> OeyQrFbsq54=
> =/72G
> - -----END PGP SIGNATURE-----
>
> - --------------------------END INCLUDED TEXT--------------------
>
> You have received this e-mail bulletin as a result of your organisation's
> registration with AusCERT. The mailing list you are subscribed to is
> maintained within your organisation, so if you do not wish to continue
> receiving these bulletins you should contact your local IT manager. If
> you do not know who that is, please send an email to auscert@auscert.org.au
> and we will forward your request to the appropriate person.
>
> This security bulletin is provided as a service to AusCERT's members.  As
> AusCERT did not write the document quoted above, AusCERT has had no control
> over its content. The decision to follow or act on information or advice
> contained in this security bulletin is the responsibility of each user or
> organisation, and should be considered in accordance with your organisation's
> site policies and procedures. AusCERT takes no responsibility for consequences
> which may arise from following or acting on information or advice contained in
> this security bulletin.
>
> NOTE: This is only the original release of the security bulletin.  It may
> not be updated when updates to the original are made.  If downloading at
> a later date, it is recommended that the bulletin is retrieved directly
> from the author's website to ensure that the information is still current.
>
> Contact information for the authors of the original document is included
> in the Security Bulletin above.  If you have any questions or need further
> information, please contact them directly.
>
> Previous advisories and external security bulletins can be retrieved from:
>
>         http://www.auscert.org.au/render.html?cid=1980
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
>         http://www.auscert.org.au/render.html?it=3192
>
> Internet Email: auscert@auscert.org.au
> Facsimile:      (07) 3365 7031
> Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
>                 AusCERT personnel answer during Queensland business
>                 hours which are GMT+10:00 (AEST).  On call after hours
>                 for member emergencies only.
> -----BEGIN PGP SIGNATURE-----
> Comment: http://www.auscert.org.au/render.html?it=1967
>
> iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8
> P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx
> q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw
> 1iSJeKfo/Mg=
> =pn8Y
> -----END PGP SIGNATURE-----
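
The advisory's "Verifying checksums" section and the FSF note in Appendix A describe a two-step check: confirm that the md5sums list really carries the signature of the DB41B387 key, then compare the MD5 of every tarball you hold against the list, because (as section III says) size and timestamp are not enough to spot a replaced file. The script below is an added example written for this thread, not FSF, CERT or GNU tooling. It assumes the list uses md5sum(1) line format ("<32 hex>  <path>") inside a gpg clearsigned message (the real file's layout is not reproduced on this page), that gpg is installed with that key imported for the signature step, and that the manifest and tarballs built in run_demo are constructed for illustration only.

```python
# Added example, not FSF/CERT tooling: check the md5sums list's signature, then
# compare local tarballs against it rather than trusting size or mtime.
import hashlib
import os
import shutil
import subprocess
import tempfile

# Fingerprint of the FSF signing key quoted in the advisory (Bradley M. Kuhn).
FSF_SIGNING_FPR = "4F40645E46BE013148F992F6E775E324DB41B387"

def verify_clearsign(path, expected_fpr=FSF_SIGNING_FPR):
    """True only if gpg reports VALIDSIG by the expected key (key must be in the
    keyring); missing gpg, a bad signature or another key all give False."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return f[2].upper() == expected_fpr.upper()
    return False

def parse_md5sums(text):
    """{path: md5hex} from md5sum(1)-style lines ("<32 hex>  <path>") in the body
    of a clearsigned or plain list; the signature block itself is never parsed."""
    expected = {}
    in_body = past_headers = "-----BEGIN PGP SIGNED MESSAGE-----" not in text
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body, past_headers = True, False
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if not in_body:
            continue
        if not past_headers:            # "Hash: SHA1" headers end at a blank line
            past_headers = line.strip() == ""
            continue
        if line.startswith("- "):       # undo clearsign dash-escaping
            line = line[2:]
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
            if all(c in "0123456789abcdef" for c in digest):
                expected[name] = digest
    return expected

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_tree(root, expected):
    """(ok, mismatched, absent) for the listed files under root. A mismatch means
    the local copy differs from what the FSF verified: re-download, don't build."""
    ok, mismatched, absent = [], [], []
    for name, digest in sorted(expected.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            absent.append(name)
        elif md5_of_file(path) == digest:
            ok.append(name)
        else:
            mismatched.append(name)
    return ok, mismatched, absent

def run_demo():
    """Constructed scenario: hello-2.1.1 was swapped for a same-size copy and its
    mtime reset, so size and timestamp look fine and only the hash differs."""
    root = tempfile.mkdtemp(prefix="gnu-check-")
    good = b"hello-2.1.1 original tarball bytes\n"
    bad = b"hello-2.1.1 TROJANED tarball bytes\n"    # same length as good
    old = b"hello-2.1.0 tarball bytes\n"
    os.makedirs(os.path.join(root, "gnu", "hello"))
    stamp = 1041379200                                # 2003-01-01, pre-compromise
    for rel, data in {"gnu/hello/hello-2.1.1.tar.gz": bad,
                      "gnu/hello/hello-2.1.0.tar.gz": old}.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
        os.utime(os.path.join(root, rel), (stamp, stamp))
    manifest = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
                f"{hashlib.md5(good).hexdigest()}  gnu/hello/hello-2.1.1.tar.gz\n"
                f"{hashlib.md5(old).hexdigest()}  gnu/hello/hello-2.1.0.tar.gz\n"
                f"{hashlib.md5(b'x').hexdigest()}  gnu/hello/hello-2.2.0.tar.gz\n"
                "-----BEGIN PGP SIGNATURE-----\n(omitted in this sample)\n"
                "-----END PGP SIGNATURE-----\n")
    try:
        return check_tree(root, parse_md5sums(manifest))
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    # Real use: require verify_clearsign("before-2003-08-01.md5sums.asc") first,
    # then run parse_md5sums/check_tree on that file and your mirror root.
    ok, bad, absent = run_demo()
    print("match:", ok, "\nMISMATCH (re-fetch):", bad, "\nnot held locally:", absent)
```

Run verify_clearsign on the downloaded .asc before anything else and stop if it returns False: a manifest fetched over FTP from the very host that was compromised is worth exactly as much as the signature on it. The comparison uses MD5 only because that is what the FSF published at the time; a list produced today should carry SHA-256 sums.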


Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From: The Hermit Hacker
Any idea what version of ftp they are/were running?  I may be blind, but I
don't see it in the announce, and it's not showing up when you ftp into
them :(  We're running a fairly recent wu-ftpd, but just want to make
sure:

    Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003

On Thu, 14 Aug 2003, Justin Clift wrote:

> Hi guys,
>
> Not sure if people have or haven't seen this already.
>
> The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.
>
> :-(
>
> Regards and best wishes,
>
> Justin Clift
>
>
> > [CERT advisory CA-2003-21 and AusCERT bulletin snipped; quoted in full in the first message of this thread]
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
>

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org

Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From: Justin Clift
Ouch.

Wu-FTPd has probably the worst track record on the planet for FTP vulnerabilities.

:(

There are quite a few others out there.  From memory, Red Hat 9 has changed to one called "VSFTPd" by default.

Personally, in regards to knowing which FTP server is the best, I'd better leave it to others to figure that one out.

:)

Regards and best wishes,

Justin Clift


The Hermit Hacker wrote:
> Any idea what version of ftp they are/were running?  I may be blind, but I
> don't see it in the announce, and it's not showing up when you ftp into
> them :(  We're running a fairly recent wu-ftpd, but just want to make
> sure:
>
>     Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003
>
> On Thu, 14 Aug 2003, Justin Clift wrote:
>
>
>>Hi guys,
>>
>>Not sure if people have or haven't seen this already.
>>
>>The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.
>>
>>:-(
>>
>>Regards and best wishes,
>>
>>Justin Clift
>>
>>
>>
>>>-----Original Message-----
>>>From:    auscert@auscert.org.au
>>>Sent:    Thursday, 14 August 2003 1:59 pm
>>>To:    auscert-subscriber@auscert.org.au
>>>Subject:    (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise
>>>
>>>-----BEGIN PGP SIGNED MESSAGE-----
>>>
>>>===========================================================================
>>>             AUSCERT External Security Bulletin Redistribution
>>>
>>>                 ESB-2003.0563 -- CERT Advisory CA-2003-21
>>>                     GNU Project FTP Server Compromise
>>>                              14 August 2003
>>>
>>>===========================================================================
>>>
>>>        AusCERT Security Bulletin Summary
>>>        ---------------------------------
>>>
>>>Product:                GNU Software
>>>Publisher:              CERT/CC
>>>Impact:                 Root Compromise
>>>                        Execute Arbitrary Code/Commands
>>>Access Required:        Remote
>>>
>>>- --------------------------BEGIN INCLUDED TEXT--------------------
>>>
>>>- -----BEGIN PGP SIGNED MESSAGE-----
>>>
>>>CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
>>>
>>>   Original issue date: August 13, 2003
>>>   Last revised: --
>>>   Source: CERT/CC
>>>
>>>   A complete revision history is at the end of this file.
>>>
>>>Overview
>>>
>>>   The  CERT/CC has received a report that the system housing the primary
>>>   FTP servers for the GNU software project was compromised.
>>>
>>>I. Description
>>>
>>>   The GNU Project, principally sponsored by the Free Software Foundation
>>>   (FSF),  produces  a  variety of freely available software. The CERT/CC
>>>   has  learned  that  the system housing the primary FTP servers for the
>>>   GNU  software  project,  gnuftp.gnu.org,  was  root  compromised by an
>>>   intruder.  The more common host names of ftp.gnu.org and alpha.gnu.org
>>>   are  aliases  for  the  same  compromised  system.  The  compromise is
>>>   reported to have occurred in March of 2003.
>>>
>>>   The FSF has released an announcement describing the incident.
>>>
>>>   Because  this  system  serves  as  a  centralized  archive  of popular
>>>   software,  the  insertion  of  malicious  code  into  the  distributed
>>>   software  is  a  serious  threat. As the above announcement indicates,
>>>   however,  no  source  code  distributions  are  believed  to have been>
>>>   maliciously modified at this time.
>>>
>>>II. Impact
>>>
>>>   The  potential  exists  for  an  intruder to have inserted back doors,
>>>   Trojan   horses,   or  other  malicious  code  into  the  source  code
>>>   distributions of software housed on the compromised system.
>>>
>>>III. Solution
>>>
>>>   We   encourage   sites  using  the  GNU  software  obtained  from  the
>>>   compromised system to verify the integrity of their distribution.
>>>
>>>   Sites  that  mirror  the  source  code  are  encouraged  to verify the
>>>   integrity of their sources. We also encourage users to inspect any and
>>>   all  other software that may have been downloaded from the compromised
>>>   site.  Note that it is not always sufficient to rely on the timestamps
>>>   or  file  sizes  when trying to determine whether or not a copy of the
>>>   file has been modified.
>>>
>>>Verifying checksums
>>>
>>>   The  FSF has produced PGP-signed lists of known-good MD5 hashes of the
>>>   software packages housed on the compromised server. These lists can be
>>>   found at
>>>
>>>          ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
>>>          ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>>>
>>>   Note that both of these files and the announcement above are signed by
>>>   Bradley  Kuhn,  Executive  Director of the FSF, with the following PGP
>>>   key:
>>>
>>>pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org>
>>>     Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
>>>uid                            Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org>
>>>uid                            Bradley M. Kuhn <bkuhn@gnu.org>
>>>sub  2048g/75CA9CB3 1999-12-09
>>>
>>>   The CERT/CC believes this key to be valid.
>>>
>>>   As a matter of good security practice, the CERT/CC encourages users to
>>>   verify,  whenever  possible, the integrity of downloaded software. For
>>>   more information, see IN-2001-06.
>>>
>>>Appendix A. - Vendor Information
>>>
>>>   This  appendix  contains  information  provided  by  vendors  for this
>>>   advisory.  As  vendors  report new information to the CERT/CC, we will
>>>   update this section and note the changes in our revision history. If a
>>>   particular  vendor  is  not  listed  below, we have not received their
>>>   comments.
>>>
>>>Free Software Foundation
>>>
>>>
>>>   The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
>>>   all been verified, and their md5sums and the reasons we believe the
>>>   md5sums can be trusted are in:
>>>
>>>       ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
>>>       ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
>>>
>>>   We are updating that file and the site as we confirm good md5sums of
>>>   additional files.  It is theoretically possible that downloads between
>>>   March 2003 and July 2003 might have been source-compromised, so we
>>>   encourage everyone to re-download sources and compare with the current
>>>   copies for files on the site.
>>>
>>>Appendix B. References
>>>
>>>     * FSF      announcement      regarding      the      incident      -
>>>       ftp://ftp.gnu.org/MISSING-FILES.README
>>>     * CERT Incident Note IN-2001-06 -
>>>       http://www.cert.org/incident_notes/IN-2001-06.html
>>>     _________________________________________________________________
>>>
>>>   The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
>>>   Foundation for their timely assistance in this matter.
>>>     _________________________________________________________________
>>>
>>>   Feedback can be directed to the author: Chad Dougherty.
>>>   ______________________________________________________________________
>>>
>>>   This document is available from:
>>>   http://www.cert.org/advisories/CA-2003-21.html
>>>   ______________________________________________________________________
>>>
>>>CERT/CC Contact Information
>>>
>>>   Email: cert@cert.org
>>>          Phone: +1 412-268-7090 (24-hour hotline)
>>>          Fax: +1 412-268-6989
>>>          Postal address:
>>>          CERT Coordination Center
>>>          Software Engineering Institute
>>>          Carnegie Mellon University
>>>          Pittsburgh PA 15213-3890
>>>          U.S.A.
>>>
>>>   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>>>   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>>>   during other hours, on U.S. holidays, and on weekends.
>>>
>>>Using encryption
>>>
>>>   We  strongly  urge you to encrypt sensitive information sent by email.
>>>   Our public PGP key is available from
>>>   http://www.cert.org/CERT_PGP.key
>>>
>>>   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>>>   information.
>>>
>>>Getting security information
>>>
>>>   CERT  publications  and  other security information are available from
>>>   our web site
>>>   http://www.cert.org/
>>>
>>>   To  subscribe  to  the CERT mailing list for advisories and bulletins,
>>>   send  email  to majordomo@cert.org. Please include in the body of your
>>>   message
>>>
>>>   subscribe cert-advisory
>>>
>>>   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>>>   Patent and Trademark Office.
>>>   ______________________________________________________________________
>>>
>>>   NO WARRANTY
>>>   Any  material furnished by Carnegie Mellon University and the Software
>>>   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>>>   Mellon University makes no warranties of any kind, either expressed or
>>>   implied  as  to  any matter including, but not limited to, warranty of
>>>   fitness  for  a  particular purpose or merchantability, exclusivity or
>>>   results  obtained from use of the material. Carnegie Mellon University
>>>   does  not  make  any warranty of any kind with respect to freedom from
>>>   patent, trademark, or copyright infringement.
>>>   ______________________________________________________________________
>>>
>>>   Conditions for use, disclaimers, and sponsorship information
>>>
>>>   Copyright 2002 Carnegie Mellon University.
>>>
>>>   Revision History
>>>August 13, 2003: Initial release
>>>
>>>- -----BEGIN PGP SIGNATURE-----
>>>Version: PGP 6.5.8
>>>
>>>iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
>>>QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
>>>S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
>>>OeyQrFbsq54=
>>>=/72G
>>>- -----END PGP SIGNATURE-----
>>>
>>>- --------------------------END INCLUDED TEXT--------------------
>>>
>>>You have received this e-mail bulletin as a result of your organisation's
>>>registration with AusCERT. The mailing list you are subscribed to is
>>>maintained within your organisation, so if you do not wish to continue
>>>receiving these bulletins you should contact your local IT manager. If
>>>you do not know who that is, please send an email to auscert@auscert.org.au
>>>and we will forward your request to the appropriate person.
>>>
>>>This security bulletin is provided as a service to AusCERT's members.  As
>>>AusCERT did not write the document quoted above, AusCERT has had no control
>>>over its content. The decision to follow or act on information or advice
>>>contained in this security bulletin is the responsibility of each user or
>>>organisation, and should be considered in accordance with your organisation's
>>>site policies and procedures. AusCERT takes no responsibility for consequences
>>>which may arise from following or acting on information or advice contained in
>>>this security bulletin.
>>>
>>>NOTE: This is only the original release of the security bulletin.  It may
>>>not be updated when updates to the original are made.  If downloading at
>>>a later date, it is recommended that the bulletin is retrieved directly
>>>from the author's website to ensure that the information is still current.
>>>
>>>Contact information for the authors of the original document is included
>>>in the Security Bulletin above.  If you have any questions or need further
>>>information, please contact them directly.
>>>
>>>Previous advisories and external security bulletins can be retrieved from:
>>>
>>>        http://www.auscert.org.au/render.html?cid=1980
>>>
>>>If you believe that your computer system has been compromised or attacked in
>>>any way, we encourage you to let us know by completing the secure National IT
>>>Incident Reporting Form at:
>>>
>>>        http://www.auscert.org.au/render.html?it=3192
>>>
>>>Internet Email: auscert@auscert.org.au
>>>Facsimile:      (07) 3365 7031
>>>Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
>>>                AusCERT personnel answer during Queensland business
>>>                hours which are GMT+10:00 (AEST).  On call after hours
>>>                for member emergencies only.
>>>-----BEGIN PGP SIGNATURE-----
>>>Comment: http://www.auscert.org.au/render.html?it=1967
>>>
>>>iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8
>>>P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx
>>>q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw
>>>1iSJeKfo/Mg=
>>>=pn8Y
>>>-----END PGP SIGNATURE-----
>>
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 2: you can get off all lists at once with the unregister command
>>    (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
>>
>
>
> Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
> Systems Administrator @ hub.org
> primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org
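The advisory's Appendix A asks everyone who downloaded from ftp.gnu.org or alpha.gnu.org between March and July 2003 to re-download and compare against the FSF's PGP-signed md5sums list, and warns that timestamps and file sizes alone do not tell you whether a copy was modified. The following is an added example of how that comparison can be scripted; it is not code from the advisory, CERT/CC or the FSF. It assumes the list uses the md5sum(1) text format (32 hex digits, whitespace, path) wrapped in PGP clearsign armor, which the script skips over; the list's signature itself must still be checked with gpg before its contents are trusted. The list entries, file names and file contents below are constructed, with one tampered file kept at the original byte length to show why size checks are not enough.

```python
"""Verify local copies of downloaded archives against a known-good MD5 list.

Added example, not the FSF's or CERT/CC's own tooling. Assumptions: the list
is in md5sum(1) format inside a PGP clearsigned file, and `gpg --verify` has
already been run on that file by the caller. Sample data is constructed.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# One md5sum(1) entry: 32 hex digits, whitespace, optional '*' (binary mode), path.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")

# Constructed sample list shaped like a clearsigned md5sums file. The hashes are
# those of the constructed files written by build_sample_tree() below; the
# signature block is a placeholder, not a real signature.
SAMPLE_MD5SUMS = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

5eb63bbbe01eeed093cb22bb8f5acdc3  gnu/example-a/example-a-1.0.tar.gz
9e107d9d372bb6826bd81d3542a419d6  gnu/example-b/example-b-2.0.tar.gz
d41d8cd98f00b204e9800998ecf8427e  gnu/example-c/example-c-3.0.tar.gz
-----BEGIN PGP SIGNATURE-----
(placeholder: signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def parse_md5sums(text: str) -> Dict[str, str]:
    """Map each listed path to its expected lowercase MD5.

    Lines that are not md5sum entries (PGP armor, the 'Hash:' header, blanks)
    are ignored. This does not verify the signature; only parse a list whose
    signature has already been checked against the signer's known key.
    """
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            expected[m.group(2).strip()] = m.group(1).lower()
    return expected


def md5_file(path: str) -> str:
    """Stream a file through MD5 so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every listed file under root with its expected MD5.

    Returns {"ok": [...], "mismatch": [...], "missing": [...]}. A mismatch is
    the signal that a local copy differs from the FSF-verified one and should
    be discarded and re-downloaded.
    """
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": []}
    for rel, want in sorted(expected.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif md5_file(path) == want:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    return report


def build_sample_tree(root: str) -> None:
    """Write constructed sample files: one intact, one tampered, one absent.

    The tampered file keeps the original byte length (one word swapped), which
    is exactly the case where size and timestamp checks give a false 'ok'.
    """
    files = {
        "gnu/example-a/example-a-1.0.tar.gz": b"hello world",
        # The listed hash is for "...lazy dog"; this copy was altered.
        "gnu/example-b/example-b-2.0.tar.gz":
            b"The quick brown fox jumps over the lazy cat",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> Dict[str, List[str]]:
    """Run the check over the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return verify_tree(root, parse_md5sums(SAMPLE_MD5SUMS))


if __name__ == "__main__":
    for status, names in demo().items():
        for name in names:
            print(f"{status:8s} {name}")
```

Against a real mirror you would point `verify_tree` at the mirror root and feed it the signed list after `gpg --verify` succeeds against the key the advisory names; anything reported as `mismatch` should be treated as untrusted until replaced with a copy whose hash matches.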



Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From
Neil Conway
Date:
On Thu, Aug 14, 2003 at 02:09:32PM +0800, Justin Clift wrote:
> Wu-FTPd has probably the worst track record on the planet for FTP
> vulnerabilities.

Actually, the cracker didn't even use an ftpd security hole,
apparently:

-----
A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project.  The machine appears to have been
cracked in March 2003, but we only discovered the crack in the last week
of July 2003.  The modus operandi of the cracker shows that (s)he was
interested primarily in using gnuftp to collect passwords and as a
launching point to attack other machines.  It appears that the machine was
cracked using a ptrace exploit by a local user immediately after the
exploit was posted.

(For the ptrace bug, a root-shell exploit was available on 17 March 2003,
 and a working fix was not available on linux-kernel until the following
 week.  Evidence found on the machine indicates that gnuftp was cracked
 during that week.)
-----

Besides, this is OT for this list anyway.

-Neil


Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From
Darcy Buskermolen
Date:
I have been running ProFTPD (www.proftpd.net) on all my servers for over 5
years now, including ftp3.ca.  ProFTPD has Apache-like configuration as well
as modular expandability, can be configured to run as a stand-alone daemon
or through inetd, and runs as an unprivileged user.


On Wednesday 13 August 2003 23:09, Justin Clift wrote:
> Ouch.
>
> Wu-FTPd has probably the worst track record on the planet for FTP
> vulnerabilities.
>
> :(
>
> There are quite a few others out there.  From memory, Red Hat 9 has changed
> to one called "VSFTPd" by default.
>
> Personally, in regards to knowing which FTP server is the best, I'm better
> to leave it to others to figure that one out.
>
> :)
>
> Regards and best wishes,
>
> Justin Clift
>
> The Hermit Hacker wrote:
> > any idea what version of ftp they are/were running?  I may be blind, but
> > I don't see it in the announce, and it's not showing up when you ftp into
> > them :(  We're running a fairly recent wu-ftpd, but just want to make
> > sure:
> >
> >     Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003
> >
> > On Thu, 14 Aug 2003, Justin Clift wrote:
> >>Hi guys,
> >>
> >>Not sure if people have or haven't seen this already.
> >>
> >>The GNU Project's FTP servers were root compromised some time ago, and it
> >> was only discovered recently.
> >>
> >>:-(
> >>
> >>Regards and best wishes,
> >>
> >>Justin Clift
> >>
> >>
> >>---------------------------(end of broadcast)---------------------------
> >>TIP 2: you can get off all lists at once with the unregister command
> >>    (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
> >
> > Marc G. Fournier                   ICQ#7615664               IRC Nick:
> > Scrappy Systems Administrator @ hub.org
> > primary: scrappy@hub.org           secondary:
> > scrappy@{freebsd|postgresql}.org
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if your
>       joining column's datatypes do not match

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx:  250.763.1759
http://www.wavefire.com

Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From
Bruce Momjian
Date:
Agreed on Wu-FTP problems.  BSD/OS switched away from it long ago.
Glad Red Hat has done the same.

---------------------------------------------------------------------------

Justin Clift wrote:
> Ouch.
>
> Wu-FTPd has probably the worst track record on the planet for FTP vulnerabilities.
>
> :(
>
> There are quite a few others out there.  From memory, Red Hat 9 has changed to one called "VSFTPd" by default.
>
> Personally, in regards to knowing which FTP server is the best, I'm better to leave it to others to figure that one out.
>
> :)
>
> Regards and best wishes,
>
> Justin Clift
>
>
> The Hermit Hacker wrote:
> > any idea what version of ftp they are/were running?  I may be blind, but I
> > don't see it in the announce, and it's not showing up when you ftp into
> > them :(  We're running a fairly recent wu-ftpd, but just want to make
> > sure:
> >
> >     Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003
> >
> > On Thu, 14 Aug 2003, Justin Clift wrote:
> >
> >
> >>Hi guys,
> >>
> >>Not sure if people have or haven't seen this already.
> >>
> >>The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.
> >>
> >>:-(
> >>
> >>Regards and best wishes,
> >>
> >>Justin Clift
> >>
> >>
> >>
> >>>-----Original Message-----
> >>>From:    auscert@auscert.org.au
> >>>Sent:    Thursday, 14 August 2003 1:59 pm
> >>>To:    auscert-subscriber@auscert.org.au
> >>>Subject:    (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise
> >>>
> >>>-----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>===========================================================================
> >>>             AUSCERT External Security Bulletin Redistribution
> >>>
> >>>                 ESB-2003.0563 -- CERT Advisory CA-2003-21
> >>>                     GNU Project FTP Server Compromise
> >>>                              14 August 2003
> >>>
> >>>===========================================================================
> >>>
> >>>        AusCERT Security Bulletin Summary
> >>>        ---------------------------------
> >>>
> >>>Product:                GNU Software
> >>>Publisher:              CERT/CC
> >>>Impact:                 Root Compromise
> >>>                        Execute Arbitrary Code/Commands
> >>>Access Required:        Remote
> >>>
> >>>- --------------------------BEGIN INCLUDED TEXT--------------------
> >>>
> >>>- -----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
> >>>
> >>>   Original issue date: August 13, 2003
> >>>   Last revised: --
> >>>   Source: CERT/CC
> >>>
> >>>   A complete revision history is at the end of this file.
> >>>
> >>>Overview
> >>>
> >>>   The  CERT/CC has received a report that the system housing the primary
> >>>   FTP servers for the GNU software project was compromised.
> >>>
> >>>I. Description
> >>>
> >>>   The GNU Project, principally sponsored by the Free Software Foundation
> >>>   (FSF),  produces  a  variety of freely available software. The CERT/CC
> >>>   has  learned  that  the system housing the primary FTP servers for the
> >>>   GNU  software  project,  gnuftp.gnu.org,  was  root  compromised by an
> >>>   intruder.  The more common host names of ftp.gnu.org and alpha.gnu.org
> >>>   are  aliases  for  the  same  compromised  system.  The  compromise is
> >>>   reported to have occurred in March of 2003.
> >>>
> >>>   The FSF has released an announcement describing the incident.
> >>>
> >>>   Because  this  system  serves  as  a  centralized  archive  of popular
> >>>   software,  the  insertion  of  malicious  code  into  the  distributed
> >>>   software  is  a  serious  threat. As the above announcement indicates,
> >>>   however,  no  source  code  distributions  are  believed  to have been>
> >>>   maliciously modified at this time.
> >>>
> >>>II. Impact
> >>>
> >>>   The  potential  exists  for  an  intruder to have inserted back doors,
> >>>   Trojan   horses,   or  other  malicious  code  into  the  source  code
> >>>   distributions of software housed on the compromised system.
> >>>
> >>>III. Solution
> >>>
> >>>   We   encourage   sites  using  the  GNU  software  obtained  from  the
> >>>   compromised system to verify the integrity of their distribution.
> >>>
> >>>   Sites  that  mirror  the  source  code  are  encouraged  to verify the
> >>>   integrity of their sources. We also encourage users to inspect any and
> >>>   all  other software that may have been downloaded from the compromised
> >>>   site.  Note that it is not always sufficient to rely on the timestamps
> >>>   or  file  sizes  when trying to determine whether or not a copy of the
> >>>   file has been modified.
> >>>
> >>>Verifying checksums
> >>>
> >>>   The  FSF has produced PGP-signed lists of known-good MD5 hashes of the
> >>>   software packages housed on the compromised server. These lists can be
> >>>   found at
> >>>
> >>>          ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >>>          ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >>>
> >>>   Note that both of these files and the announcement above are signed by
> >>>   Bradley  Kuhn,  Executive  Director of the FSF, with the following PGP
> >>>   key:
> >>>
> >>>pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn@fsf.org>
> >>>     Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
> >>>uid                            Bradley M. Kuhn (bkuhn99) <bkuhn@ebb.org>
> >>>uid                            Bradley M. Kuhn <bkuhn@gnu.org>
> >>>sub  2048g/75CA9CB3 1999-12-09
> >>>
> >>>   The CERT/CC believes this key to be valid.
> >>>
> >>>   As a matter of good security practice, the CERT/CC encourages users to
> >>>   verify,  whenever  possible, the integrity of downloaded software. For
> >>>   more information, see IN-2001-06.
> >>>
> >>>Appendix A. - Vendor Information
> >>>
> >>>   This  appendix  contains  information  provided  by  vendors  for this
> >>>   advisory.  As  vendors  report new information to the CERT/CC, we will
> >>>   update this section and note the changes in our revision history. If a
> >>>   particular  vendor  is  not  listed  below, we have not received their
> >>>   comments.
> >>>
> >>>Free Software Foundation
> >>>
> >>>
> >>>   The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
> >>>   all been verified, and their md5sums and the reasons we believe the
> >>>   md5sums can be trusted are in:
> >>>
> >>>       ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >>>       ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >>>
> >>>   We are updating that file and the site as we confirm good md5sums of
> >>>   additional files.  It is theoretically possible that downloads between
> >>>   March 2003 and July 2003 might have been source-compromised, so we
> >>>   encourage everyone to re-download sources and compare with the current
> >>>   copies for files on the site.
> >>>
> >>>Appendix B. References
> >>>
> >>>     * FSF      announcement      regarding      the      incident      -
> >>>       ftp://ftp.gnu.org/MISSING-FILES.README
> >>>     * CERT Incident Note IN-2001-06 -
> >>>       http://www.cert.org/incident_notes/IN-2001-06.html
> >>>     _________________________________________________________________
> >>>
> >>>   The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
> >>>   Foundation for their timely assistance in this matter.
> >>>     _________________________________________________________________
> >>>
> >>>   Feedback can be directed to the author: Chad Dougherty.
> >>>   ______________________________________________________________________
> >>>
> >>>   This document is available from:
> >>>   http://www.cert.org/advisories/CA-2003-21.html
> >>>   ______________________________________________________________________
> >>>
> >>>CERT/CC Contact Information
> >>>
> >>>   Email: cert@cert.org
> >>>          Phone: +1 412-268-7090 (24-hour hotline)
> >>>          Fax: +1 412-268-6989>
> >>>          Postal address:
> >>>          CERT Coordination Center
> >>>          Software Engineering Institute
> >>>          Carnegie Mellon University
> >>>          Pittsburgh PA 15213-3890
> >>>          U.S.A.
> >>>
> >>>   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
> >>>   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
> >>>   during other hours, on U.S. holidays, and on weekends.
> >>>
> >>>Using encryption
> >>>
> >>>   We  strongly  urge you to encrypt sensitive information sent by email.
> >>>   Our public PGP key is available from
> >>>   http://www.cert.org/CERT_PGP.key
> >>>
> >>>   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
> >>>   information.
> >>>
> >>>Getting security information
> >>>
> >>>   CERT  publications  and  other security information are available from
> >>>   our web site
> >>>   http://www.cert.org/
> >>>
> >>>   To  subscribe  to  the CERT mailing list for advisories and bulletins,
> >>>   send  email  to majordomo@cert.org. Please include in the body of your
> >>>   message
> >>>
> >>>   subscribe cert-advisory
> >>>
> >>>   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
> >>>   Patent and Trademark Office.
> >>>   ______________________________________________________________________
> >>>
> >>>   NO WARRANTY
> >>>   Any  material furnished by Carnegie Mellon University and the Software
> >>>   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
> >>>   Mellon University makes no warranties of any kind, either expressed or
> >>>   implied  as  to  any matter including, but not limited to, warranty of
> >>>   fitness  for  a  particular purpose or merchantability, exclusivity or
> >>>   results  obtained from use of the material. Carnegie Mellon University
> >>>   does  not  make  any warranty of any kind with respect to freedom from
> >>>   patent, trademark, or copyright infringement.
> >>>   ______________________________________________________________________
> >>>
> >>>   Conditions for use, disclaimers, and sponsorship information
> >>>
> >>>   Copyright 2002 Carnegie Mellon University.
> >>>
> >>>   Revision History
> >>>August 13, 2003: Initial release
> >>>
> >>>- -----BEGIN PGP SIGNATURE-----
> >>>Version: PGP 6.5.8
> >>>
> >>>iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
> >>>QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
> >>>S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
> >>>OeyQrFbsq54=
> >>>=/72G
> >>>- -----END PGP SIGNATURE-----
> >>>
> >>>- --------------------------END INCLUDED TEXT--------------------
> >>>
> >>>You have received this e-mail bulletin as a result of your organisation's
> >>>registration with AusCERT. The mailing list you are subscribed to is
> >>>maintained within your organisation, so if you do not wish to continue
> >>>receiving these bulletins you should contact your local IT manager. If
> >>>you do not know who that is, please send an email to auscert@auscert.org.au
> >>>and we will forward your request to the appropriate person.
> >>>
> >>>This security bulletin is provided as a service to AusCERT's members.  As
> >>>AusCERT did not write the document quoted above, AusCERT has had no control
> >>>over its content. The decision to follow or act on information or advice
> >>>contained in this security bulletin is the responsibility of each user or
> >>>organisation, and should be considered in accordance with your organisation's
> >>>site policies and procedures. AusCERT takes no responsibility for consequences
> >>>which may arise from following or acting on information or advice contained in
> >>>this security bulletin.
> >>>
> >>>NOTE: This is only the original release of the security bulletin.  It may
> >>>not be updated when updates to the original are made.  If downloading at
> >>>a later date, it is recommended that the bulletin is retrieved directly
> >>>from the author's website to ensure that the information is still current.
> >>>
> >>>Contact information for the authors of the original document is included
> >>>in the Security Bulletin above.  If you have any questions or need further
> >>>information, please contact them directly.
> >>>
> >>>Previous advisories and external security bulletins can be retrieved from:
> >>>
> >>>        http://www.auscert.org.au/render.html?cid=1980
> >>>
> >>>If you believe that your computer system has been compromised or attacked in
> >>>any way, we encourage you to let us know by completing the secure National IT
> >>>Incident Reporting Form at:
> >>>
> >>>        http://www.auscert.org.au/render.html?it=3192
> >>>
> >>>Internet Email: auscert@auscert.org.au
> >>>Facsimile:      (07) 3365 7031
> >>>Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
> >>>                AusCERT personnel answer during Queensland business
> >>>                hours which are GMT+10:00 (AEST).  On call after hours
> >>>                for member emergencies only.
> >>>-----BEGIN PGP SIGNATURE-----
> >>>Comment: http://www.auscert.org.au/render.html?it=1967
> >>>
> >>>iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8
> >>>P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx
> >>>q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw
> >>>1iSJeKfo/Mg=
> >>>=pn8Y
> >>>-----END PGP SIGNATURE-----
> >>
> >>
> >>---------------------------(end of broadcast)---------------------------
> >>TIP 2: you can get off all lists at once with the unregister command
> >>    (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
> >>
> >
> >
> > Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
> > Systems Administrator @ hub.org
> > primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org
>
>
>
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073