uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Click here to find out more x
Post Reply  
Thread Tools Search this Thread
01-09-2011, 00:44   #1
Registered User
Join Date: May 2006
Posts: 6,274
Mod: TCD, EMS, ZTest compromised. servers have been compromised.

---------- Forwarded message ----------
From: J.H. <>
Date: 2011/8/29
Subject: [ users] [KORG] Master back-end break-in

Hash: SHA1

Afternoon Everyone,

As you can guess from the subject line, I've not had what many would
consider a "good" day. Earlier today discovered a trojan existing on
HPA's personal colo machine, as well as hera. Upon some investigation
there are a couple of boxes, specifically hera and odin1,
with potential pre-cursors on demeter2, zeus1 and zeus2, that have been
hit by this.

As it stands right now, HPA is working on cleaning his box, and
I'm working on hera (odin1 and zeus1 are out of rotation still for other
reasons), mainly so that if one of us finds something of interest, we
can deal with it and compare notes on the other box.

Points of interest:

- - Break-in seems to have initially occurred no later than August 12th

- - Files belonging to ssh (openssh, openssh-server and openssh-clients)
were modified and running live. These have been uninstalled and
removed, all processes were killed and known good copies were
reinstalled. That said all users may wish to consider taking this
opportunity to change their passwords and update ssh keys (particularly
if you had an ssh private key on hera). This seems to have occurred on
or around August 19th.

- - A trojan startup file was added to rc3.d

- - User interactions were logged, as well as some exploit code. We have
retained this for now.

- - Trojan initially discovered due to the Xnest /dev/mem error message
w/o Xnest installed; have been seen on other systems. It is unclear if
systems that exhibit this message are susceptible, compromised or not.
If you see this, and you don't have Xnest installed, please investigate.

- - It *appears* that 3.1-rc2 might have blocked the exploit injector, we
don't know if this is intentional or a side affect of another bugfix or

- - System is being verified from backups, signatures, etc. As of right
now things look correct, however we may take the system down soon to do
a full reinstall and for more invasive checking.

- - As a precaution a number of packages have been removed from the
system, if something was removed that you were using please let us know
so we can put it back.

- - At this time we do not know the vector that was used to get into the
systems, but the attackers had gained root access level privileges.

That's what we know right now, some of the recent instabilities may have
been caused by these intrusions, and we are looking into everything.

If you are on the box, keep an eye out, and if you see something please
let us know immediately.

Beyond that, verify your git trees and make sure things are correct.

- - John 'Warthog9' Hawley
Chief Administrator
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -

Jonathan is offline  
04-09-2011, 00:46   #2
Registered User
Join Date: Jan 2010
Posts: 5,189
So what is the fallout from this and what does it mean for Linux in general?

It seems fairly major? Even if the damage done is little.
conor.hogan.2 is offline  
04-09-2011, 09:23   #3
Registered User
Johnboy1951's Avatar
Join Date: Feb 2009
Posts: 11,672
Originally Posted by conor.hogan.2 View Post
So what is the fallout from this and what does it mean for Linux in general?

It seems fairly major? Even if the damage done is little.
More a warning against complacency in the future I would think.
Johnboy1951 is offline  
04-09-2011, 10:18   #4
Join Date: Aug 2006
Posts: 1,245
Personally, I am happy to see such. No security system is perfect. We see a practical example of what happens when the unthinkable does happen. That the problem was found and addressed so quickly and importantly - so openly. Well it's good to know.

Can you imagine what happens when this occurs (as it almost certainly does) with closed systems? If the problem is even found; nobody outside of the company, with the exception perhaps of their lawyers, would alerted to the risk. Their EULA most likely absolves them of any effects of a security breach anyway so why bother

Now, I am happy to read such attempts are being found, resolved and the techniques uncovered used to strengthen the security more.
croo is offline  
(4) thanks from:
06-09-2011, 08:21   #5
Join Date: Jun 2005
Posts: 661
Linux Kernel Temporarily Moves to GitHub, After Hack

A successful attack of led to the entire site being shut down temporarily as the team rebuilds the system. So, when the fifth release candidate upcoming Linux 3.1 kernel landed, there was no place to publish it.

This led to Linus Torvalds publishing the latest code on GitHub rather than on the kernel's own git repository. This makes GitHub the current, official home of the Linux kernel, but it's only a temporary solution.
Galen is offline  
06-09-2011, 11:47   #6
Registered User
Join Date: May 2010
Posts: 1,744
It's just another webpage.. I'd be much more worried if someone found a way to forge git commits with malicious content and a proper hash, but that seems to be/is impossible.
PrzemoF is offline  
09-09-2011, 23:14   #7
Registered User
cian1500ww's Avatar
Join Date: Apr 2008
Posts: 2,851
Anyone have any idea when will be back up??
cian1500ww is offline  
11-09-2011, 17:37   #8
Registered User
cian1500ww's Avatar
Join Date: Apr 2008
Posts: 2,851 has also had a security breach:
cian1500ww is offline  
Post Reply

Quick Reply
Remove Text Formatting

Insert Image
Wrap [QUOTE] tags around selected text
Decrease Size
Increase Size
Please sign up or log in to join the discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Share Tweet