
Lessons from the Debian compromise

Posted Dec 11, 2003 20:40 UTC (Thu) by doogie (subscriber, #2445)
Parent article: Lessons from the Debian compromise

> It must be understood that up to this point the attack had not been
> detected. The machines were penetrated and had been successfully subverted.
> The attacks were executed in such a manner that none of the installed
> security mechanisms caught the activity. So why didn't the archives get
> compromised? And how was it that the attack, was even discovered?

This is not correct.

I was the one who had noticed one of the machines (master) kernel oopsing. We thought it might be hardware, so a quick reboot was done.

Soon after reboot, the oops continued.

Then, it was discovered that another machine (murphy) was also having oopsen. Additionally, a non-Debian machine started having the same oops. At this time, other admins (I'm just a local admin for master and murphy) were checked, and the breakin was acknowledged.

As for the intrusion programs not detecting anything; they did. AIDE was installed on several machines, and did report file changes. However, one of the Debian admins thought another had done a change, and he (the first) hadn't gotten around to asking the other about it yet.

Also, it's interesting to note that not all the infected machines were having kernel oopses.

Lessons from the Debian compromise

Posted Dec 11, 2003 22:02 UTC (Thu) by wolfrider (guest, #3105)

This downtime is getting ridiculous though. is STILL down as of this writing (Thu 2003-12-11) and nothing's coming thru apt-get upgrade.

When will things be back to "normal"?

Lessons from the Debian compromise

Posted Dec 11, 2003 22:47 UTC (Thu) by jordi (subscriber, #14325)

Getting the services back involves auditing all the scripts that run the services. There are many services at, and there's a priority to get stuff fixed. The Debian admins are doing a good job, and the most critical services were restored quite quickly after the exploit was found. For example, the developers already have access to one of the most important boxes, and have their accounts unlocked in general, which means Debian's pulse, the packages stream, is already in movement once again. And yes, this means there are package updates. You should have been getting new packages for some days already. Maybe your mirror is stale...

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds