Lessons from the Debian compromise
Posted Dec 11, 2003 20:40 UTC (Thu) by doogie
Parent article: Lessons from the Debian compromise
> It must be understood that up to this point the attack had not been
> detected. The machines were penetrated and had been successfully subverted.
> The attacks were executed in such a manner that none of the installed
> security mechanisms caught the activity. So why didn't the archives get
> compromised? And how was it that the attack was even discovered?
This is not correct.
I was the one who had noticed the kernel on one of the machines (master) oopsing. We thought it might be hardware, so a quick reboot was done.
Soon after reboot, the oops continued.
Then, it was discovered that another machine (murphy) was also having oopsen. Additionally, a non-Debian machine started having the same oops. At this time, other admins (I'm just a local admin for master and murphy) were checked, and the breakin was acknowledged.
As for the intrusion programs not detecting anything: they did. AIDE was installed on several machines, and did report file changes. However, one of the Debian admins thought another had done a change, and he (the first) hadn't gotten around to asking the other about it yet.
Also, it's interesting to note that not all the infected machines were having kernel oopses.