[ISN] Sniffed password used for Debian server compromise

From: InfoSec News (isn@private)
Date: Mon Dec 01 2003 - 01:44:20 PST


    http://www.smh.com.au/articles/2003/12/01/1070127318372.html
    
    By Sam Varghese
    December 1, 2003
    
    A member of the Debian GNU/Linux system administration team believes 
    there is an unknown local root exploit for the Linux kernel 
    circulating in the wild and says it may have been used to compromise 
    four servers belonging to the free software project, after initial 
    unprivileged access was gained by using a sniffed password. 
    
    Debian is a free operating system which uses the Linux kernel; most of 
    the basic OS tools come from the GNU project, hence the name GNU/Linux. 
    The break-in was reported on November 21. 
    
    According to a post by James Troup to one of the Debian mailing lists, 
    the ongoing investigation had shown that a sniffed password was used to 
    gain initial access to the server named klecker, one of the four that 
    were compromised. 
    
    Troup said that on November 20, it had been noticed that the kernel on 
    a server called master, which hosts the project's bug tracking system, 
    had produced an oops, the kernel's report that its code has reached an 
    unrecoverable state. 
    
    He said suspicions were aroused when the server named murphy, which 
    hosts the mailing lists, started showing the same error. 
    
    Three of the servers had an intrusion detection package installed, and 
    its administrators began to see warnings that certain files had been 
    replaced and that the timestamps of other files had changed. 
    Investigation showed that a rootkit, known as suckit, had been installed. 
    
    A rootkit is a collection of tools that allows an attacker, among 
    other things, to provide a backdoor into a system, collect information 
    about other systems on the network, and mask the fact that the system 
    is compromised. 
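    The warnings described above are what a file-integrity check produces. As an added example (not code from the article or from Debian's own tooling), a minimal baseline-and-verify pass over a constructed directory tree, flagging replaced contents, timestamp-only changes and unexpected new files separately:

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path):
    """Record content hash, size and mtime for one file."""
    st = os.stat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mtime": int(st.st_mtime)}

def build_baseline(root):
    """Snapshot every regular file under root, keyed by POSIX relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, baseline):
    """Compare the tree against a baseline; return sorted (path, finding) pairs."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            findings.append((rel, "replaced"))            # contents differ
        elif new["mtime"] != old["mtime"]:
            findings.append((rel, "timestamp changed"))   # same bytes, new mtime
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "new file"))
    return sorted(findings)

def demo():
    """Constructed tree: take a baseline, then alter it the way the article describes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ps").write_bytes(b"placeholder ps binary")       # constructed
        (root / "bin" / "ls").write_bytes(b"placeholder ls binary")       # constructed
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        # Changes a verifier should flag: replaced contents, changed timestamp, new file.
        (root / "bin" / "ps").write_bytes(b"different ps binary")
        os.utime(root / "etc" / "passwd", (0, 0))
        (root / "bin" / ".hidden").write_bytes(b"unexpected file")
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

    A kernel-level rootkit such as the one named in the article can hide file changes from checks run on the live system, so the baseline must be kept off the host and the comparison run from trusted media.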
    
    Based on the investigation, Troup said it appeared that on November 19, 
    at approximately 5pm GMT, a sniffed password had been used to access an 
    unprivileged account on one of the servers, klecker. 
    
    "Somehow they got root on klecker and installed suckit. The same 
    account was then used to log into master and gain root and install 
    suckit there too. They then tried to get to murphy (which runs the 
    mailing lists) with the same account. This failed because murphy is a 
    restricted box that only a small subset of developers can log into," 
    Troup said. 
    
    "They then used their root access on master to access an 
    administrative account used for backup purposes and used that to gain 
    access to murphy. They got root on murphy and installed suckit there 
    too. The next day they used a password sniffed on master to log into 
    gluck, got root there and installed suckit."
    
    Troup said the project team was looking at hardening the servers and 
    tightening up procedures to try and stop such intrusions happening 
    again.
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 01 2003 - 04:14:40 PST