Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Justin Clift <justin(at)postgresql(dot)org>
Cc: The Hermit Hacker <scrappy(at)postgresql(dot)org>, pgsql-www(at)postgresql(dot)org, PostgreSQL Advocacy and Marketing Mailing List <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: [pgsql-www] FW: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21
Date: 2003-08-14 21:31:17
Message-ID: 200308142131.h7ELVHR10240@candle.pha.pa.us
Lists: pgsql-advocacy


Agreed on Wu-FTP problems. BSD/OS switched away from it long ago.
Glad Red Hat has done the same.

---------------------------------------------------------------------------

Justin Clift wrote:
> Ouch.
>
> Wu-FTPd has probably the worst track record on the planet for FTP vulnerabilities.
>
> :(
>
> There are quite a few others out there. From memory, Red Hat 9 has changed to one called "VSFTPd" by default.
>
> Personally, in regards to knowing which FTP server is the best, I'm better to leave it to others to figure that one out.
>
> :)
>
> Regards and best wishes,
>
> Justin Clift
>
>
> The Hermit Hacker wrote:
> > any idea what version of ftp they are/were running? I may be blind, but I
> > don't see it in the announce, and it's not showing up when you ftp into
> > them :( We're running a fairly recent wu-ftpd, but just want to make
> > sure:
> >
> > Version wu-2.6.2(1) Wed Jun 4 18:22:39 GMT 2003
> >
> > On Thu, 14 Aug 2003, Justin Clift wrote:
> >
> >
> >>Hi guys,
> >>
> >>Not sure if people have or haven't seen this already.
> >>
> >>The GNU Project's FTP servers were root compromised some time ago, and it was only discovered recently.
> >>
> >>:-(
> >>
> >>Regards and best wishes,
> >>
> >>Justin Clift
> >>
> >>
> >>
> >>>-----Original Message-----
> >>>From: auscert(at)auscert(dot)org(dot)au
> >>>Sent: Thursday, 14 August 2003 1:59 pm
> >>>To: auscert-subscriber(at)auscert(dot)org(dot)au
> >>>Subject: (AUSCERT ESB-2003.0563) CERT Advisory CA-2003-21 - GNU Project FTP Server Compromise
> >>>
> >>>-----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>===========================================================================
> >>> AUSCERT External Security Bulletin Redistribution
> >>>
> >>> ESB-2003.0563 -- CERT Advisory CA-2003-21
> >>> GNU Project FTP Server Compromise
> >>> 14 August 2003
> >>>
> >>>===========================================================================
> >>>
> >>> AusCERT Security Bulletin Summary
> >>> ---------------------------------
> >>>
> >>>Product: GNU Software
> >>>Publisher: CERT/CC
> >>>Impact: Root Compromise
> >>> Execute Arbitrary Code/Commands
> >>>Access Required: Remote
> >>>
> >>>- --------------------------BEGIN INCLUDED TEXT--------------------
> >>>
> >>>- -----BEGIN PGP SIGNED MESSAGE-----
> >>>
> >>>CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
> >>>
> >>> Original issue date: August 13, 2003
> >>> Last revised: --
> >>> Source: CERT/CC
> >>>
> >>> A complete revision history is at the end of this file.
> >>>
> >>>Overview
> >>>
> >>> The CERT/CC has received a report that the system housing the primary
> >>> FTP servers for the GNU software project was compromised.
> >>>
> >>>I. Description
> >>>
> >>> The GNU Project, principally sponsored by the Free Software Foundation
> >>> (FSF), produces a variety of freely available software. The CERT/CC
> >>> has learned that the system housing the primary FTP servers for the
> >>> GNU software project, gnuftp.gnu.org, was root compromised by an
> >>> intruder. The more common host names of ftp.gnu.org and alpha.gnu.org
> >>> are aliases for the same compromised system. The compromise is
> >>> reported to have occurred in March of 2003.
> >>>
> >>> The FSF has released an announcement describing the incident.
> >>>
> >>> Because this system serves as a centralized archive of popular
> >>> software, the insertion of malicious code into the distributed
> >>> software is a serious threat. As the above announcement indicates,
> >>> however, no source code distributions are believed to have been
> >>> maliciously modified at this time.
> >>>
> >>>II. Impact
> >>>
> >>> The potential exists for an intruder to have inserted back doors,
> >>> Trojan horses, or other malicious code into the source code
> >>> distributions of software housed on the compromised system.
> >>>
> >>>III. Solution
> >>>
> >>> We encourage sites using the GNU software obtained from the
> >>> compromised system to verify the integrity of their distribution.
> >>>
> >>> Sites that mirror the source code are encouraged to verify the
> >>> integrity of their sources. We also encourage users to inspect any and
> >>> all other software that may have been downloaded from the compromised
> >>> site. Note that it is not always sufficient to rely on the timestamps
> >>> or file sizes when trying to determine whether or not a copy of the
> >>> file has been modified.
> >>>
> >>>Verifying checksums
> >>>
> >>> The FSF has produced PGP-signed lists of known-good MD5 hashes of the
> >>> software packages housed on the compromised server. These lists can be
> >>> found at
> >>>
> >>> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >>> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >>>
> >>> Note that both of these files and the announcement above are signed by
> >>> Bradley Kuhn, Executive Director of the FSF, with the following PGP
> >>> key:
> >>>
> >>>pub 1024D/DB41B387 1999-12-09 Bradley M. Kuhn <bkuhn(at)fsf(dot)org>
> >>> Key fingerprint = 4F40 645E 46BE 0131 48F9 92F6 E775 E324 DB41 B387
> >>>uid Bradley M. Kuhn (bkuhn99) <bkuhn(at)ebb(dot)org>
> >>>uid Bradley M. Kuhn <bkuhn(at)gnu(dot)org>
> >>>sub 2048g/75CA9CB3 1999-12-09
> >>>
> >>> The CERT/CC believes this key to be valid.
> >>>
> >>> As a matter of good security practice, the CERT/CC encourages users to
> >>> verify, whenever possible, the integrity of downloaded software. For
> >>> more information, see IN-2001-06.
> >>>
> >>>Appendix A. - Vendor Information
> >>>
> >>> This appendix contains information provided by vendors for this
> >>> advisory. As vendors report new information to the CERT/CC, we will
> >>> update this section and note the changes in our revision history. If a
> >>> particular vendor is not listed below, we have not received their
> >>> comments.
> >>>
> >>>Free Software Foundation
> >>>
> >>>
> >>> The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
> >>> all been verified, and their md5sums and the reasons we believe the
> >>> md5sums can be trusted are in:
> >>>
> >>> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> >>> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
> >>>
> >>> We are updating that file and the site as we confirm good md5sums of
> >>> additional files. It is theoretically possible that downloads between
> >>> March 2003 and July 2003 might have been source-compromised, so we
> >>> encourage everyone to re-download sources and compare with the current
> >>> copies for files on the site.
> >>>
> >>>Appendix B. References
> >>>
> >>> * FSF announcement regarding the incident -
> >>> ftp://ftp.gnu.org/MISSING-FILES.README
> >>> * CERT Incident Note IN-2001-06 -
> >>> http://www.cert.org/incident_notes/IN-2001-06.html
> >>> _________________________________________________________________
> >>>
> >>> The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free Software
> >>> Foundation for their timely assistance in this matter.
> >>> _________________________________________________________________
> >>>
> >>> Feedback can be directed to the author: Chad Dougherty.
> >>> ______________________________________________________________________
> >>>
> >>> This document is available from:
> >>> http://www.cert.org/advisories/CA-2003-21.html
> >>> ______________________________________________________________________
> >>>
> >>>CERT/CC Contact Information
> >>>
> >>> Email: cert(at)cert(dot)org
> >>> Phone: +1 412-268-7090 (24-hour hotline)
> >>> Fax: +1 412-268-6989
> >>> Postal address:
> >>> CERT Coordination Center
> >>> Software Engineering Institute
> >>> Carnegie Mellon University
> >>> Pittsburgh PA 15213-3890
> >>> U.S.A.
> >>>
> >>> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> >>> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> >>> during other hours, on U.S. holidays, and on weekends.
> >>>
> >>>Using encryption
> >>>
> >>> We strongly urge you to encrypt sensitive information sent by email.
> >>> Our public PGP key is available from
> >>> http://www.cert.org/CERT_PGP.key
> >>>
> >>> If you prefer to use DES, please call the CERT hotline for more
> >>> information.
> >>>
> >>>Getting security information
> >>>
> >>> CERT publications and other security information are available from
> >>> our web site
> >>> http://www.cert.org/
> >>>
> >>> To subscribe to the CERT mailing list for advisories and bulletins,
> >>> send email to majordomo(at)cert(dot)org. Please include in the body of your
> >>> message
> >>>
> >>> subscribe cert-advisory
> >>>
> >>> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> >>> Patent and Trademark Office.
> >>> ______________________________________________________________________
> >>>
> >>> NO WARRANTY
> >>> Any material furnished by Carnegie Mellon University and the Software
> >>> Engineering Institute is furnished on an "as is" basis. Carnegie
> >>> Mellon University makes no warranties of any kind, either expressed or
> >>> implied as to any matter including, but not limited to, warranty of
> >>> fitness for a particular purpose or merchantability, exclusivity or
> >>> results obtained from use of the material. Carnegie Mellon University
> >>> does not make any warranty of any kind with respect to freedom from
> >>> patent, trademark, or copyright infringement.
> >>> ______________________________________________________________________
> >>>
> >>> Conditions for use, disclaimers, and sponsorship information
> >>>
> >>> Copyright 2002 Carnegie Mellon University.
> >>>
> >>> Revision History
> >>>August 13, 2003: Initial release
> >>>
> >>>- -----BEGIN PGP SIGNATURE-----
> >>>Version: PGP 6.5.8
> >>>
> >>>- -----END PGP SIGNATURE-----
> >>>
> >>>- --------------------------END INCLUDED TEXT--------------------
> >>>
> >>>You have received this e-mail bulletin as a result of your organisation's
> >>>registration with AusCERT. The mailing list you are subscribed to is
> >>>maintained within your organisation, so if you do not wish to continue
> >>>receiving these bulletins you should contact your local IT manager. If
> >>>you do not know who that is, please send an email to auscert(at)auscert(dot)org(dot)au
> >>>and we will forward your request to the appropriate person.
> >>>
> >>>This security bulletin is provided as a service to AusCERT's members. As
> >>>AusCERT did not write the document quoted above, AusCERT has had no control
> >>>over its content. The decision to follow or act on information or advice
> >>>contained in this security bulletin is the responsibility of each user or
> >>>organisation, and should be considered in accordance with your organisation's
> >>>site policies and procedures. AusCERT takes no responsibility for consequences
> >>>which may arise from following or acting on information or advice contained in
> >>>this security bulletin.
> >>>
> >>>NOTE: This is only the original release of the security bulletin. It may
> >>>not be updated when updates to the original are made. If downloading at
> >>>a later date, it is recommended that the bulletin is retrieved directly
> >>>from the author's website to ensure that the information is still current.
> >>>
> >>>Contact information for the authors of the original document is included
> >>>in the Security Bulletin above. If you have any questions or need further
> >>>information, please contact them directly.
> >>>
> >>>Previous advisories and external security bulletins can be retrieved from:
> >>>
> >>> http://www.auscert.org.au/render.html?cid=1980
> >>>
> >>>If you believe that your computer system has been compromised or attacked in
> >>>any way, we encourage you to let us know by completing the secure National IT
> >>>Incident Reporting Form at:
> >>>
> >>> http://www.auscert.org.au/render.html?it=3192
> >>>
> >>>Internet Email: auscert(at)auscert(dot)org(dot)au
> >>>Facsimile: (07) 3365 7031
> >>>Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
> >>> AusCERT personnel answer during Queensland business
> >>> hours which are GMT+10:00 (AEST). On call after hours
> >>> for member emergencies only.
> >>>-----BEGIN PGP SIGNATURE-----
> >>>Comment: http://www.auscert.org.au/render.html?it=1967
> >>>
> >>>-----END PGP SIGNATURE-----
> >>
> >>
> >>---------------------------(end of broadcast)---------------------------
> >>TIP 2: you can get off all lists at once with the unregister command
> >> (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> >>
> >
> >
> > Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
> > Systems Administrator @ hub.org
> > primary: scrappy(at)hub(dot)org secondary: scrappy(at){freebsd|postgresql}.org
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faqs/FAQ.html
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
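The verification step the forwarded advisory asks for, as an added example that is not part of this thread or of any CERT or FSF tooling: a Python script that reads an md5sum-style listing wrapped in a PGP clearsign armor (the shape of the before-2003-08-01.md5sums.asc files) and compares local copies against it. The file names, contents and the placeholder signature block are constructed; the demo deliberately gives the tampered file the same size and mtime as the clean one, which is the advisory's point that timestamps and sizes prove nothing.

```python
import hashlib
import os
import tempfile

# Parse a clearsigned md5sum listing into {filename: md5hex}. Armor lines and the
# signature block are skipped; the signature itself must still be checked with
# gpg --verify before any digest in the list is trusted.
def parse_md5sums(text):
    expected, in_sig = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_sig = True
        if in_sig or line.startswith("-----BEGIN PGP SIGNED") or line.startswith("Hash:"):
            continue
        if line.startswith("- "):            # undo RFC 4880 dash-escaping
            line = line[2:]
        parts = line.split(None, 1)          # md5sum format: "<32 hex>  <name>"
        if len(parts) == 2 and len(parts[0]) == 32:
            expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

# Return {name: 'ok' | 'MODIFIED' | 'missing'} for every file in the listing.
def verify_tree(root, expected):
    report = {}
    for name, digest in expected.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if md5_of_file(path) == digest else "MODIFIED"
    return report

# Constructed mirror: one clean file, one tampered file of identical size and mtime.
def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pkg"))
    good, clean, evil = b"good archive bytes\n", b"clean payload!!\n", b"evil  payload!!\n"
    for name, data in (("good-1.0.tar.gz", good), ("trojaned-1.0.tar.gz", evil)):
        path = os.path.join(root, "pkg", name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (1046476800, 1046476800))   # same mtime on both files
    listing = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
               f"{hashlib.md5(good).hexdigest()}  pkg/good-1.0.tar.gz\n"
               f"{hashlib.md5(clean).hexdigest()}  pkg/trojaned-1.0.tar.gz\n"
               f"{hashlib.md5(b'never fetched').hexdigest()}  pkg/missing-1.0.tar.gz\n"
               "-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
               "-----END PGP SIGNATURE-----\n")
    return verify_tree(root, parse_md5sums(listing))
```

The script strips the armor but does not check the signature, so run gpg --verify against the publisher's key on the listing first. MD5 is no longer collision-resistant, so a listing published today should use SHA-256 or stronger.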
