Why?

Posted Dec 2, 2003 18:33 UTC (Tue) by ncm (subscriber, #165)
Parent article: Debian Investigation Report

I don't find any mention of anything the attacker did beyond installing the rootkit itself. Did it get discovered (because of the oopses) before the attacker had a chance to act, or was installing rootkits as far as he wanted to go? If it was a simple tagging, I would expect to find a brag file somewhere. Apparently rooting those boxes was the first step to something else.

Were the compromised boxes just stepping stones to getting to the Debian web servers, or to something more insidious? Is there any evidence?


Why?

Posted Dec 2, 2003 19:41 UTC (Tue) by holstein (subscriber, #6122)

I would bet this was a step in having a chance to access and modify the archive itself.

Imagine that: if you could, even if it's only for a few hours before being caught, modify some packages that would be installed here and there on Debian users' machines... Say, something like Exim, Postfix, etc. That could be very useful for some bad guys.
