Skip site navigation (1) Skip section navigation (2)

Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From: The Hermit Hacker <scrappy(at)postgresql(dot)org>
To: Justin Clift <justin(at)postgresql(dot)org>
Cc: pgsql-www(at)postgresql(dot)org,PostgreSQL Advocacy and Marketing Mailing List <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21
Date: 2003-08-14 05:58:06
Message-ID: 20030814025406.Y558@hub.org (view raw or flat)
Thread:
Lists: pgsql-advocacy
any idea what version of ftp they are/were running?  I may be blind, but I
dont' see it in the announce, and its not showing up when you ftp into
them :(  We're running a fairly recent wu-ftpd, but just want to make
sure:

	Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003

On Thu, 14 Aug 2003, Justin Clift wrote:

> Hi guys,
>
> Not sure if people have or haven't seen this already.
>
> The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.
>
> :-(
>
> Regards and best wishes,
>
> Justin Clift
>
>
> > -----Original Message-----
> > From:	auscert(at)auscert(dot)org(dot)au
> > Sent:	Thursday, 14 August 2003 1:59 pm
> > To:	auscert-subscriber(at)auscert(dot)org(dot)au
> > Subject:	(AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > ===========================================================================
> >              AUSCERT External Security Bulletin Redistribution
> >
> >                  ESB-2003.0563 -- CERT Advisory CA-2003-21
> >                      GNU Project FTP Server Compromise
> >                               14 August 2003
> >
> > ===========================================================================
> >
> >         AusCERT Security Bulletin Summary
> >         ---------------------------------
> >
> > Product:                GNU Software
> > Publisher:              CERT/CC
> > Impact:                 Root Compromise
> >                         Execute Arbitrary Code/Commands
> > Access Required:        Remote
> >
> > - --------------------------BEGIN INCLUDED TEXT--------------------
> >
> > - -----BEGIN PGP SIGNED MESSAGE-----
> >
> > CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
> >
> >    Original issue date: August 13, 2003
> >    Last revised: --
> >    Source: CERT/CC
> >
> >    A complete revision history is at the end of this file.
> >
> > Overview
> >
> >    The  CERT/CC has received a report that the system housing the primary
> >    FTP servers for the GNU software project was compromised.
> >
> > I. Description
> >
> >    The GNU Project, principally sponsored by the Free Software Foundation
> >    (FSF),  produces  a  variety of freely available software. The CERT/CC
> >    has  learned  that  the system housing the primary FTP servers for the
> >    GNU  software  project,  gnuftp.gnu.org,  was  root  compromised by an
> >    intruder.  The more common host names of ftp.gnu.org and alpha.gnu.org
> >    are  aliases  for  the  same  compromised  system.  The  compromise is
> >    reported to have occurred in March of 2003.
> >
> >    The FSF has released an announcement describing the incident.
> >
> >    Because  this  system  serves  as  a  centralized  archive  of popular
> >    software,  the  insertion  of  malicious  code  into  the  distributed
> >    software  is  a  serious  threat. As the above announcement indicates,
> >    however,  no  source  code  distributions  are  believed  to have been>
> >    maliciously modified at this time.
> >
> > II. Impact
> >
> >    The  potential  exists  for  an  intruder to have inserted back doors,
> >    Trojan   horses,   or  other  malicious  code  into  the  source  code
> >    distributions of software housed on the compromised system.
> >
> > III. Solution
> >
> >    We   encourage   sites  using  the  GNU  software  obtained  from  the
> >    compromised system to verify the integrity of their distribution.
> >
> >    Sites  that  mirror  the  source  code  are  encouraged  to verify the
> >    integrity of their sources. We also encourage users to inspect any and
> >    all  other software that may have been downloaded from the compromised
> >    site.  Note that it is not always sufficient to rely on the timestamps
> >    or  file  sizes  when trying to determine whether or not a copy of the
> >    file has been modified.
> >
> > Verifying checksums
> >
> >    The  FSF has produced PGP-signed lists of known-good MD5 hashes of the
> >    software packages housed on the compromised server. These lists can be
> >    found at
> >
> >           ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >           ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >
> >    Note that both of these files and the announcement above are signed by
> >    Bradley  Kuhn,  Executive  Director of the FSF, with the following PGP
> >    key:
> >
> > pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn(at)fsf(dot)org>
> >      Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
> > uid                            Bradley M. Kuhn (bkuhn99) <bkuhn(at)ebb(dot)org>
> > uid                            Bradley M. Kuhn <bkuhn(at)gnu(dot)org>
> > sub  2048g/75CA9CB3 1999-12-09
> >
> >    The CERT/CC believes this key to be valid.
> >
> >    As a matter of good security practice, the CERT/CC encourages users to
> >    verify,  whenever  possible, the integrity of downloaded software. For
> >    more information, see IN-2001-06.
> >
> > Appendix A. - Vendor Information
> >
> >    This  appendix  contains  information  provided  by  vendors  for this
> >    advisory.  As  vendors  report new information to the CERT/CC, we will
> >    update this section and note the changes in our revision history. If a
> >    particular  vendor  is  not  listed  below, we have not received their
> >    comments.
> >
> > Free Software Foundation
> >
> >
> >    The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
> >    all been verified, and their md5sums and the reasons we believe the
> >    md5sums can be trusted are in:
> >
> >        ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >        ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >
> >    We are updating that file and the site as we confirm good md5sums of
> >    additional files.  It is theoretically possible that downloads between
> >    March 2003 and July 2003 might have been source-compromised, so we
> >    encourage everyone to re-download sources and compare with the current
> >    copies for files on the site.
> >
> > Appendix B. References
> >
> >      * FSF      announcement      regarding      the      incident      -
> >        ftp://ftp.gnu.org/MISSING-FILES.README
> >      * CERT Incident Note IN-2001-06 -
> >        http://www.cert.org/incident_notes/IN-2001-06.html
> >      _________________________________________________________________
> >
> >    The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
> >    Foundation for their timely assistance in this matter.
> >      _________________________________________________________________
> >
> >    Feedback can be directed to the author: Chad Dougherty.
> >    ______________________________________________________________________
> >
> >    This document is available from:
> >    http://www.cert.org/advisories/CA-2003-21.html
> >    ______________________________________________________________________
> >
> > CERT/CC Contact Information
> >
> >    Email: cert(at)cert(dot)org
> >           Phone: +1 412-268-7090 (24-hour hotline)
> >           Fax: +1 412-268-6989>
> >           Postal address:
> >           CERT Coordination Center
> >           Software Engineering Institute
> >           Carnegie Mellon University
> >           Pittsburgh PA 15213-3890
> >           U.S.A.
> >
> >    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
> >    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
> >    during other hours, on U.S. holidays, and on weekends.
> >
> > Using encryption
> >
> >    We  strongly  urge you to encrypt sensitive information sent by email.
> >    Our public PGP key is available from
> >    http://www.cert.org/CERT_PGP.key
> >
> >    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
> >    information.
> >
> > Getting security information
> >
> >    CERT  publications  and  other security information are available from
> >    our web site
> >    http://www.cert.org/
> >
> >    To  subscribe  to  the CERT mailing list for advisories and bulletins,
> >    send  email  to majordomo(at)cert(dot)org(dot) Please include in the body of your
> >    message
> >
> >    subscribe cert-advisory
> >
> >    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
> >    Patent and Trademark Office.
> >    ______________________________________________________________________
> >
> >    NO WARRANTY
> >    Any  material furnished by Carnegie Mellon University and the Software
> >    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
> >    Mellon University makes no warranties of any kind, either expressed or
> >    implied  as  to  any matter including, but not limited to, warranty of
> >    fitness  for  a  particular purpose or merchantability, exclusivity or
> >    results  obtained from use of the material. Carnegie Mellon University
> >    does  not  make  any warranty of any kind with respect to freedom from
> >    patent, trademark, or copyright infringement.
> >    ______________________________________________________________________
> >
> >    Conditions for use, disclaimers, and sponsorship information
> >
> >    Copyright 2002 Carnegie Mellon University.
> >
> >    Revision History
> > August 13, 2003: Initial release
> >
> > - -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.8
> >
> > iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
> > QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
> > S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
> > OeyQrFbsq54=
> > =/72G
> > - -----END PGP SIGNATURE-----
> >
> > - --------------------------END INCLUDED TEXT--------------------
> >
> > You have received this e-mail bulletin as a result of your organisation's
> > registration with AusCERT. The mailing list you are subscribed to is
> > maintained within your organisation, so if you do not wish to continue
> > receiving these bulletins you should contact your local IT manager. If
> > you do not know who that is, please send an email to auscert(at)auscert(dot)org(dot)au
> > and we will forward your request to the appropriate person.
> >
> > This security bulletin is provided as a service to AusCERT's members.  As
> > AusCERT did not write the document quoted above, AusCERT has had no control
> > over its content. The decision to follow or act on information or advice
> > contained in this security bulletin is the responsibility of each user or
> > organisation, and should be considered in accordance with your organisation's
> > site policies and procedures. AusCERT takes no responsibility for consequences
> > which may arise from following or acting on information or advice contained in
> > this security bulletin.
> >
> > NOTE: This is only the original release of the security bulletin.  It may
> > not be updated when updates to the original are made.  If downloading at
> > a later date, it is recommended that the bulletin is retrieved directly
> > from the author's website to ensure that the information is still current.
> >
> > Contact information for the authors of the original document is included
> > in the Security Bulletin above.  If you have any questions or need further>
> > information, please contact them directly.
> >
> > Previous advisories and external security bulletins can be retrieved from:
> >
> >         http://www.auscert.org.au/render.html?cid=1980
> >
> > If you believe that your computer system has been compromised or attacked in
> > any way, we encourage you to let us know by completing the secure National IT
> > Incident Reporting Form at:
> >
> >         http://www.auscert.org.au/render.html?it=3192
> >
> > Internet Email: auscert(at)auscert(dot)org(dot)au
> > Facsimile:      (07) 3365 7031
> > Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
> >                 AusCERT personnel answer during Queensland business
> >                 hours which are GMT+10:00 (AEST).  On call after hours
> >                 for member emergencies only.
> > -----BEGIN PGP SIGNATURE-----
> > Comment: http://www.auscert.org.au/render.html?it=1967
> >
> > iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8
> > P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx
> > q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw
> > 1iSJeKfo/Mg=
> > =pn8Y
> > -----END PGP SIGNATURE-----
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
>

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy(at)hub(dot)org           secondary: scrappy(at){freebsd|postgresql}.org

In response to

Responses

pgsql-advocacy by date

Next:From: Justin CliftDate: 2003-08-14 06:09:32
Subject: Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21
Previous:From: The Hermit HackerDate: 2003-08-14 05:49:46
Subject: Re: Ammunition

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group