http://www.smh.com.au/articles/2003/12/01/1070127318372.html

By Sam Varghese
December 1, 2003

A member of the Debian GNU/Linux system administration team believes there is an unknown local root exploit for the Linux kernel circulating in the wild and says it may have been used to compromise four servers belonging to the free software project, after initial unprivileged access was gained using a sniffed password.

Debian is a free operating system which uses the Linux kernel; most of the basic OS tools come from the GNU project, hence the name GNU/Linux.

The break-in was reported on November 21. An ongoing investigation had shown that a sniffed password was used to initially access the server named klecker, one of the four which were compromised, James Troup said in a post to one of the Debian mailing lists.

Troup said that on November 20 it had been noticed that the kernel on a server called master, which hosts the project's bug tracking system, was doing an oops - something which occurs when the kernel code gets into an unrecoverable state. He said suspicions were aroused when the server named murphy, which hosts the mailing lists, started showing the same error.

Three of the servers had an intrusion detection package installed, and the admins began to see warnings that certain files had been replaced and that the timestamps of some files had changed. Investigations showed that a rootkit, known as suckit, had been installed. A rootkit is a collection of tools that allows an attacker, among other things, to provide a backdoor into a system, collect information about other systems on the network, and mask the fact that the system is compromised.

Based on investigations, Troup said it appeared that on November 19, at approximately 5pm GMT, a sniffed password had been used to access an (unprivileged) account on one of the servers, klecker.

"Somehow they got root on klecker and installed suckit. The same account was then used to log into master and gain root and install suckit there too. They then tried to get to murphy (which runs the mailing lists) with the same account. This failed because murphy is a restricted box that only a small subset of developers can log into," Troup said.

"They then used their root access on master to access an administrative account used for backup purposes and used that to gain access to murphy. They got root on murphy and installed suckit there too. The next day they used a password sniffed on master to log into gluck, got root there and installed suckit."

Troup said the project team was looking at hardening the servers and tightening up procedures to try to stop such intrusions happening again.

- ISN is currently hosted by Attrition.org
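The intrusion detection warnings described in the article (files replaced, timestamps changed) are what a file-integrity baseline produces. The following is an added example written for this page, not the Debian project's own tooling: it records a hash plus metadata for every file under a directory, compares a later snapshot, and reports a replaced binary even when its modification time has been put back. The directory tree, file names and contents are a constructed fixture in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Record sha256, size, mtime and mode for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope here
            st = os.stat(path)
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
            baseline[os.path.relpath(path, root)] = {"sha256": digest, "size": st.st_size,
                                                     "mtime": st.st_mtime_ns, "mode": st.st_mode}
    return baseline

def compare(baseline, current):
    """Classify each path: content hash first, metadata only if the hash still matches."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "new file"))
        elif new is None:
            findings.append((rel, "missing"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "replaced"))  # caught even if the mtime was put back
        elif old["mtime"] != new["mtime"] or old["mode"] != new["mode"]:
            findings.append((rel, "timestamp or mode changed"))
    return findings

def demo():
    """Constructed fixture: a fake bin/ tree, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ps, ls = os.path.join(root, "bin", "ps"), os.path.join(root, "bin", "ls")
        Path(ps).write_bytes(b"original ps")
        Path(ls).write_bytes(b"original ls")
        baseline = snapshot(root)
        st = os.stat(ps)
        Path(ps).write_bytes(b"trojaned ps")                       # replace contents ...
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))          # ... and put the mtime back
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))  # touch ls, contents intact
        Path(os.path.join(root, "bin", "backdoor")).write_bytes(b"new binary")
        return compare(baseline, snapshot(root))
```

The baseline must be stored off-host (or on read-only media), since a rootkit with root can rewrite a baseline kept on the same machine.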
This archive was generated by hypermail 2b30 : Mon Dec 01 2003 - 04:14:40 PST