
Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From: Darcy Buskermolen <darcy(at)wavefire(dot)com>
To: Justin Clift <justin(at)postgresql(dot)org>,The Hermit Hacker <scrappy(at)postgresql(dot)org>
Cc: pgsql-www(at)postgresql(dot)org,PostgreSQL Advocacy and Marketing Mailing List <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21
Date: 2003-08-14 15:33:37
Message-ID: 200308140833.37775.darcy@wavefire.com
Lists: pgsql-advocacy
I have been running ProFTPD (www.proftpd.net) on all my servers for over 5
years now, including ftp3.ca.  ProFTPD has Apache-like configuration as well
as modular expandability, can be configured to run as a stand-alone daemon
or through inetd, and runs as an unprivileged user.


On Wednesday 13 August 2003 23:09, Justin Clift wrote:
> Ouch.
>
> Wu-FTPd has probably the worst track record on the planet for FTP
> vulnerabilities.
>
> :(
>
> There are quite a few others out there.  From memory, Red Hat 9 has changed
> to one called "VSFTPd" by default.
>
> Personally, in regards to knowing which FTP server is the best, I'm better
> to leave it to others to figure that one out.
>
> :)
>
> Regards and best wishes,
>
> Justin Clift
>
> The Hermit Hacker wrote:
> > any idea what version of ftp they are/were running?  I may be blind, but
> > I don't see it in the announce, and it's not showing up when you ftp into
> > them :(  We're running a fairly recent wu-ftpd, but just want to make
> > sure:
> >
> > 	Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003
> >
> > On Thu, 14 Aug 2003, Justin Clift wrote:
> >>Hi guys,
> >>
> >>Not sure if people have or haven't seen this already.
> >>
> >>The GNU Project's FTP servers were root compromised some time ago, and it
> >> was only discovered recently.
> >>
> >>:-(
> >>
> >>Regards and best wishes,
> >>
> >>Justin Clift
> >>
> >>>-----Original Message-----
> >>>From:	auscert(at)auscert(dot)org(dot)au
> >>>Sent:	Thursday, 14 August 2003 1:59 pm
> >>>To:	auscert-subscriber(at)auscert(dot)org(dot)au
> >>>Subject:	(AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project
> >>> FTP Server Compromise
> >>>
> >>>-----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>===========================================================================
> >>>             AUSCERT External Security Bulletin Redistribution
> >>>
> >>>                 ESB-2003.0563 -- CERT Advisory CA-2003-21
> >>>                     GNU Project FTP Server Compromise
> >>>                              14 August 2003
> >>>
> >>>===========================================================================
> >>>
> >>>        AusCERT Security Bulletin Summary
> >>>        ---------------------------------
> >>>
> >>>Product:                GNU Software
> >>>Publisher:              CERT/CC
> >>>Impact:                 Root Compromise
> >>>                        Execute Arbitrary Code/Commands
> >>>Access Required:        Remote
> >>>
> >>>- --------------------------BEGIN INCLUDED TEXT--------------------
> >>>
> >>>- -----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
> >>>
> >>>   Original issue date: August 13, 2003
> >>>   Last revised: --
> >>>   Source: CERT/CC
> >>>
> >>>   A complete revision history is at the end of this file.
> >>>
> >>>Overview
> >>>
> >>>   The  CERT/CC has received a report that the system housing the
> >>> primary FTP servers for the GNU software project was compromised.
> >>>
> >>>I. Description
> >>>
> >>>   The GNU Project, principally sponsored by the Free Software
> >>> Foundation (FSF),  produces  a  variety of freely available software.
> >>> The CERT/CC has  learned  that  the system housing the primary FTP
> >>> servers for the GNU  software  project,  gnuftp.gnu.org,  was  root 
> >>> compromised by an intruder.  The more common host names of ftp.gnu.org
> >>> and alpha.gnu.org are  aliases  for  the  same  compromised  system. 
> >>> The  compromise is reported to have occurred in March of 2003.
> >>>
> >>>   The FSF has released an announcement describing the incident.
> >>>
> >>>   Because  this  system  serves  as  a  centralized  archive  of
> >>> popular software,  the  insertion  of  malicious  code  into  the 
> >>> distributed software  is  a  serious  threat. As the above announcement
> >>> indicates, however,  no  source  code  distributions  are  believed  to
> >>> have been maliciously modified at this time.
> >>>
> >>>II. Impact
> >>>
> >>>   The  potential  exists  for  an  intruder to have inserted back
> >>> doors, Trojan   horses,   or  other  malicious  code  into  the  source
> >>>  code distributions of software housed on the compromised system.
> >>>
> >>>III. Solution
> >>>
> >>>   We   encourage   sites  using  the  GNU  software  obtained  from 
> >>> the compromised system to verify the integrity of their distribution.
> >>>
> >>>   Sites  that  mirror  the  source  code  are  encouraged  to verify
> >>> the integrity of their sources. We also encourage users to inspect any
> >>> and all  other software that may have been downloaded from the
> >>> compromised site.  Note that it is not always sufficient to rely on the
> >>> timestamps or  file  sizes  when trying to determine whether or not a
> >>> copy of the file has been modified.
> >>>
> >>>Verifying checksums
> >>>
> >>>   The  FSF has produced PGP-signed lists of known-good MD5 hashes of
> >>> the software packages housed on the compromised server. These lists can
> >>> be found at
> >>>
> >>>          ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >>>          ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >>>
> >>>   Note that both of these files and the announcement above are signed
> >>> by Bradley  Kuhn,  Executive  Director of the FSF, with the following
> >>> PGP key:
> >>>
> >>>pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn(at)fsf(dot)org>
> >>>     Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
> >>>uid                            Bradley M. Kuhn (bkuhn99) <bkuhn(at)ebb(dot)org>
> >>>uid                            Bradley M. Kuhn <bkuhn(at)gnu(dot)org>
> >>>sub  2048g/75CA9CB3 1999-12-09
> >>>
> >>>   The CERT/CC believes this key to be valid.
> >>>
> >>>   As a matter of good security practice, the CERT/CC encourages users
> >>> to verify,  whenever  possible, the integrity of downloaded software.
> >>> For more information, see IN-2001-06.
> >>>
> >>>Appendix A. - Vendor Information
> >>>
> >>>   This  appendix  contains  information  provided  by  vendors  for
> >>> this advisory.  As  vendors  report new information to the CERT/CC, we
> >>> will update this section and note the changes in our revision history.
> >>> If a particular  vendor  is  not  listed  below, we have not received
> >>> their comments.
> >>>
> >>>Free Software Foundation
> >>>
> >>>
> >>>   The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02
> >>> have all been verified, and their md5sums and the reasons we believe
> >>> the md5sums can be trusted are in:
> >>>
> >>>       ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >>>       ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >>>
> >>>   We are updating that file and the site as we confirm good md5sums of
> >>>   additional files.  It is theoretically possible that downloads
> >>> between March 2003 and July 2003 might have been source-compromised, so
> >>> we encourage everyone to re-download sources and compare with the
> >>> current copies for files on the site.
> >>>
> >>>Appendix B. References
> >>>
> >>>     * FSF announcement regarding the incident -
> >>>       ftp://ftp.gnu.org/MISSING-FILES.README
> >>>     * CERT Incident Note IN-2001-06 -
> >>>       http://www.cert.org/incident_notes/IN-2001-06.html
> >>>     _________________________________________________________________
> >>>
> >>>   The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free
> >>> Software Foundation for their timely assistance in this matter.
> >>>     _________________________________________________________________
> >>>
> >>>   Feedback can be directed to the author: Chad Dougherty.
> >>>  
> >>> ______________________________________________________________________
> >>>
> >>>   This document is available from:
> >>>   http://www.cert.org/advisories/CA-2003-21.html
> >>>  
> >>> ______________________________________________________________________
> >>>
> >>>CERT/CC Contact Information
> >>>
> >>>   Email: cert(at)cert(dot)org
> >>>          Phone: +1 412-268-7090 (24-hour hotline)
> >>>          Fax: +1 412-268-6989
> >>>          Postal address:
> >>>          CERT Coordination Center
> >>>          Software Engineering Institute
> >>>          Carnegie Mellon University
> >>>          Pittsburgh PA 15213-3890
> >>>          U.S.A.
> >>>
> >>>   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5) 
> >>> / EDT(GMT-4)  Monday  through  Friday;  they are on call for
> >>> emergencies during other hours, on U.S. holidays, and on weekends.
> >>>
> >>>Using encryption
> >>>
> >>>   We  strongly  urge you to encrypt sensitive information sent by
> >>> email. Our public PGP key is available from
> >>>   http://www.cert.org/CERT_PGP.key
> >>>
> >>>   If  you  prefer  to  use  DES,  please  call the CERT hotline for
> >>> more information.
> >>>
> >>>Getting security information
> >>>
> >>>   CERT  publications  and  other security information are available
> >>> from our web site
> >>>   http://www.cert.org/
> >>>
> >>>   To  subscribe  to  the CERT mailing list for advisories and
> >>> bulletins, send  email  to majordomo(at)cert(dot)org(dot) Please include in the
> >>> body of your message
> >>>
> >>>   subscribe cert-advisory
> >>>
> >>>   *  "CERT"  and  "CERT  Coordination Center" are registered in the
> >>> U.S. Patent and Trademark Office.
> >>>  
> >>> ______________________________________________________________________
> >>>
> >>>   NO WARRANTY
> >>>   Any  material furnished by Carnegie Mellon University and the
> >>> Software Engineering  Institute  is  furnished  on  an  "as is" basis.
> >>> Carnegie Mellon University makes no warranties of any kind, either
> >>> expressed or implied  as  to  any matter including, but not limited to,
> >>> warranty of fitness  for  a  particular purpose or merchantability,
> >>> exclusivity or results  obtained from use of the material. Carnegie
> >>> Mellon University does  not  make  any warranty of any kind with
> >>> respect to freedom from patent, trademark, or copyright infringement.
> >>>  
> >>> ______________________________________________________________________
> >>>
> >>>   Conditions for use, disclaimers, and sponsorship information
> >>>
> >>>   Copyright 2002 Carnegie Mellon University.
> >>>
> >>>   Revision History
> >>>August 13, 2003: Initial release
> >>>
> >>>- -----BEGIN PGP SIGNATURE-----
> >>>Version: PGP 6.5.8
> >>>
> >>>iQCVAwUBPzqwFWjtSoHZUTs5AQGN4AQAvL/u+S+FpkNWtBH/fe9DCLJQM21I/dzt
> >>>QPU0prMxTq53ntvTOAth+yFPtbcbeDaWuLHakju0mL4OSU0Fp+VsXbXnF5ypE+0r
> >>>S5mHpMxSmvPBPBNTIMQUGybEKK783P9Ty2lhXxawEW9JbdgMOY44clo2VIupgxuZ
> >>>OeyQrFbsq54=
> >>>=/72G
> >>>- -----END PGP SIGNATURE-----
> >>>
> >>>- --------------------------END INCLUDED TEXT--------------------
> >>>
> >>>You have received this e-mail bulletin as a result of your
> >>> organisation's registration with AusCERT. The mailing list you are
> >>> subscribed to is maintained within your organisation, so if you do not
> >>> wish to continue receiving these bulletins you should contact your
> >>> local IT manager. If you do not know who that is, please send an email
> >>> to auscert(at)auscert(dot)org(dot)au and we will forward your request to the
> >>> appropriate person.
> >>>
> >>>This security bulletin is provided as a service to AusCERT's members. 
> >>> As AusCERT did not write the document quoted above, AusCERT has had no
> >>> control over its content. The decision to follow or act on information
> >>> or advice contained in this security bulletin is the responsibility of
> >>> each user or organisation, and should be considered in accordance with
> >>> your organisation's site policies and procedures. AusCERT takes no
> >>> responsibility for consequences which may arise from following or
> >>> acting on information or advice contained in this security bulletin.
> >>>
> >>>NOTE: This is only the original release of the security bulletin.  It
> >>> may not be updated when updates to the original are made.  If
> >>> downloading at a later date, it is recommended that the bulletin is
> >>> retrieved directly from the author's website to ensure that the
> >>> information is still current.
> >>>
> >>>Contact information for the authors of the original document is included
> >>>in the Security Bulletin above.  If you have any questions or need
> >>> further information, please contact them directly.
> >>>
> >>>Previous advisories and external security bulletins can be retrieved
> >>> from:
> >>>
> >>>        http://www.auscert.org.au/render.html?cid=1980
> >>>
> >>>If you believe that your computer system has been compromised or
> >>> attacked in any way, we encourage you to let us know by completing the
> >>> secure National IT Incident Reporting Form at:
> >>>
> >>>        http://www.auscert.org.au/render.html?it=3192
> >>>
> >>>Internet Email: auscert(at)auscert(dot)org(dot)au
> >>>Facsimile:      (07) 3365 7031
> >>>Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
> >>>                AusCERT personnel answer during Queensland business
> >>>                hours which are GMT+10:00 (AEST).  On call after hours
> >>>                for member emergencies only.
> >>>-----BEGIN PGP SIGNATURE-----
> >>>Comment: http://www.auscert.org.au/render.html?it=1967
> >>>
> >>>iQCVAwUBPzsIeCh9+71yA2DNAQG3TAP/fUzjaxOLp4sxMfEehxKQygWK3EmEMnd8
> >>>P0PK/qOrNaGdLM6TjwgxzGm0q2NLX1cJV7BnlRu74LeVLUt0bvSXC7xN7axL0jKx
> >>>q7uBCJEop5BCyzqin8vGeyc75wf2UJqp+tMLnB3T+qZa6Wd6gbbDEgO37Mct5wxw
> >>>1iSJeKfo/Mg=
> >>>=pn8Y
> >>>-----END PGP SIGNATURE-----
> >>
> >>---------------------------(end of broadcast)---------------------------
> >>TIP 2: you can get off all lists at once with the unregister command
> >>    (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> >
> > Marc G. Fournier           ICQ#7615664               IRC Nick: Scrappy
> > Systems Administrator @ hub.org
> > primary: scrappy(at)hub(dot)org           secondary: scrappy(at){freebsd|postgresql}.org
>
> ---------------------------(end of broadcast)---------------------------
> TIP 9: the planner will ignore your desire to choose an index scan if your
>       joining column's datatypes do not match

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx:  250.763.1759
http://www.wavefire.com
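The quoted advisory's "Verifying checksums" section, and its warning that timestamps and file sizes are not enough to tell whether a downloaded file was modified, describe the check only in prose. The script below is an added example, not part of this thread and not FSF or CERT tooling. It builds a constructed md5sums list in the shape of the FSF's clearsigned file (with a placeholder signature block; running `gpg --verify` on the real file against the FSF key is the mandatory first step, which this script does not perform), parses it, verifies a constructed directory, then replaces one file with same-length content and restores its mtime to show that only the digest comparison catches the change. The file names, their contents and all helper names are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample "distribution": file names and their known-good bytes.
# In the real case the known-good digests come from the FSF's PGP-signed
# before-2003-08-01.md5sums.asc; here an equivalent clearsigned-looking list
# is built from these bytes so the example runs offline.
GOOD_FILES = {
    "hello-1.0.tar.gz": b"GNU hello 1.0 (constructed sample tarball bytes)\n",
    "tar-1.13.tar.gz": b"GNU tar 1.13 (constructed sample tarball bytes)\n",
}

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# md5sum(1) lines: 32 hex digits, a space, then ' ' (text) or '*' (binary), name
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_clearsigned_list(files: dict) -> str:
    """Produce text shaped like a PGP-clearsigned md5sum(1) listing.
    The signature block is a placeholder (assumption): on the real file,
    `gpg --verify` against the FSF key establishes trust, and that step
    must succeed before the digests below are believed."""
    body = "\n".join(f"{md5_hex(data)}  {name}" for name, data in sorted(files.items()))
    return (f"{CLEARSIGN_BEGIN}\nHash: SHA1\n\n{body}\n{SIG_BEGIN}\n\n"
            "PLACEHOLDER-SIGNATURE\n-----END PGP SIGNATURE-----\n")


def parse_md5sums(text: str) -> dict:
    """Return {filename: md5hex} from a plain or clearsigned md5sums list.
    Clearsign armor headers and the trailing signature block are skipped;
    dash-escaped body lines ("- ...") are unescaped as clearsigning requires."""
    expected, state = {}, "body"
    for line in text.splitlines():
        if line == CLEARSIGN_BEGIN:
            state = "header"          # armor headers run until a blank line
            continue
        if state == "header":
            if line == "":
                state = "body"
            continue
        if line == SIG_BEGIN:
            break                     # nothing after the signature is data
        if line.startswith("- "):
            line = line[2:]
        m = MD5_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_directory(directory: str, expected: dict) -> dict:
    """Recompute each listed file's MD5; name -> 'OK' | 'FAILED' | 'MISSING'."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as fh:
            results[name] = "OK" if md5_hex(fh.read()) == digest else "FAILED"
    return results


def tamper_preserving_metadata(path: str, new_bytes: bytes) -> os.stat_result:
    """Overwrite a file with same-length bytes and put its mtime back, so that
    a size or timestamp comparison alone reveals nothing. Returns the old stat."""
    st = os.stat(path)
    if len(new_bytes) != st.st_size:
        raise ValueError("replacement must keep the original length")
    with open(path, "wb") as fh:
        fh.write(new_bytes)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return st


def demo() -> dict:
    """Verify a clean tree, tamper one file while preserving size and mtime,
    verify again; return what each method observed."""
    expected = parse_md5sums(build_clearsigned_list(GOOD_FILES))
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in GOOD_FILES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        before = verify_directory(tmp, expected)
        target = os.path.join(tmp, "hello-1.0.tar.gz")
        # Constructed "modified" content of exactly the original length.
        tampered = b"GNU hello 1.0 (constructed sample tarball BYTES)\n"
        st_before = tamper_preserving_metadata(target, tampered)
        st_after = os.stat(target)
        after = verify_directory(tmp, expected)
    return {
        "before": before,
        "after": after,
        "size_unchanged": st_before.st_size == st_after.st_size,
        "mtime_unchanged": st_before.st_mtime_ns == st_after.st_mtime_ns,
    }
```

With the real files the same flow is `gpg --verify before-2003-08-01.md5sums.asc` (checking that the signing key is the DB41B387 key quoted in the advisory) followed by `md5sum -c` against the body of that file. `demo()` reports both files OK before tampering, then `FAILED` for the altered one while `size_unchanged` and `mtime_unchanged` are both true, which is the advisory's point in concrete form. MD5 is what the FSF published in 2003; a practitioner doing this today would want a digest list in SHA-256 or stronger, still under a verified signature.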
