> It must be understood that up to this point the attack had not been
> detected. The machines were penetrated and had been successfully subverted.
> The attacks were executed in such a manner that none of the installed
> security mechanisms caught the activity. So why didn't the archives get
> compromised? And how was it that the attack, was even discovered?
This is not correct.
I was the one who had noticed one of the machines(master) kernel oopsing. We thought it might be hardware, so a quick reboot was done.
Soon after reboot, the oops continued.
Then, it was discovered that another machine(murphy) was also having oopsen. Additionally, a non-debian machine started having the same oops. At this time, other admins(I'm just a local admin for master and murphy) were checked, and the breakin was acknowledged.
As for the intrusion programs not detecting anything; they did. AIDE was installed on several machines, and did report file changes. However, one of the debian admins thought another had done a change, and he(the first) hadn't gotten around to asking the other about it yet.
Also, it's interesting to note that not all the infected machines were having kernel oopses.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds