More Details on the Recent Compromise of debian.org Machines (unknown Linux root exploit?)
debian-devel-announce@lists.debian.org | 11/28/03 | James Troup
Posted on 11/27/2003 10:21:30 PM PST by general_re
Hi,
*NB* bear in mind that:
a) the information on the break-in comes from compromised machines and thus has to be taken with appropriate skepticism.
b) the investigation is still ongoing - as I was writing this draft further information came to light which may invalidate a lot of it. [Or not - as it turns out].
Detection
---------
On November 20 it was noticed that master was kernel oops-ing lots. While investigating this it was discovered that murphy was showing the exact same oops, which was an overly suspicious coincidence. Also klecker, murphy and gluck have aide installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and ctime timestamps for /usr/lib/locale/en_US had changed.
Investigation revealed the cause for both these things to be the suckit root kit (see the "Suckit" appendix for more info).
What happened?
--------------
On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed password was used to access an (unprivileged) account on klecker.debian.org. Somehow they got root on klecker and installed suckit. The same account was then used to log into master and gain root (and install suckit) there too. They then tried to get to murphy with the same account. This failed because murphy is a restricted box that only a small subset of developers can log into. They then used their root access on master to access an administrative account used for backup purposes and used that to gain access to Murphy. They got root on murphy and installed Suckit there too. The next day they used a password sniffed on master to log into gluck, got root there and installed suckit.
See the "Time-line" appendix for more details on times.
(Excerpt) Read more at lists.debian.org ...
TOPICS: Miscellaneous
KEYWORDS: debian; linux; lowqualitycrap; root
Well, well. Looks like I'm the root exploit poster lately ;)
Alrighty, before the finger-pointing, handwaving, gloating, et cetera begins, let's be clear that it's not known that there's a new root exploit floating around out there - it may very well turn out to be something much more mundane. Nevertheless, "Somehow they got root on klecker" is a rather provocative statement that leaves a good deal open to the imagination...
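An added example, not part of the announcement or of this thread: a minimal baseline-and-compare check in the spirit of the aide warnings quoted above, which tells a replaced binary (content hash differs) apart from a directory whose mtime/ctime moved because something was dropped into it. The fake root, the file contents and the backdated baseline time are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed "last known good" time for baseline entries (arbitrary choice, 2003-11-19 00:00 UTC).
BASELINE_NS = 1_069_200_000 * 1_000_000_000


def snapshot(root):
    """Record (sha256 or None for non-files, mtime_ns, ctime_ns) for every entry under root."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()
        digest = None
        if p.is_file() and not p.is_symlink():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
        db[p.relative_to(root).as_posix()] = (digest, st.st_mtime_ns, st.st_ctime_ns)
    return db


def compare(baseline, current):
    """Classify each path as added, missing, replaced (content differs) or timestamps changed."""
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings[path] = "added"
        elif new is None:
            findings[path] = "missing"
        elif old[0] != new[0]:
            findings[path] = "replaced"
        elif old[1:] != new[1:]:
            findings[path] = "timestamps changed"
    return findings


def demo():
    """Constructed scenario: a fake root with sbin/init and usr/lib/locale/en_US, then tampering."""
    root = Path(tempfile.mkdtemp())
    init = root / "sbin" / "init"
    locale_dir = root / "usr" / "lib" / "locale" / "en_US"
    init.parent.mkdir(parents=True)
    locale_dir.mkdir(parents=True)
    init.write_bytes(b"original init (constructed)")
    # Backdate every entry so the baseline predates the tampering even on coarse-clock filesystems.
    for p in root.rglob("*"):
        os.utime(p, ns=(BASELINE_NS, BASELINE_NS))
    baseline = snapshot(root)
    # Tampering: replace init, and drop a new file into the locale directory (this bumps its mtime).
    init.write_bytes(b"trojaned init (constructed)")
    (locale_dir / ".hidden").write_bytes(b"constructed placeholder, not a real payload")
    findings = compare(baseline, snapshot(root))
    shutil.rmtree(root)
    return findings
```

Like aide, this only works if the baseline is stored somewhere the attacker cannot rewrite; a kernel-level rootkit can also lie to the checker about what it reads, which is why the oops, not the file check, was the first sign here.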
To: rdb3
Fer yer list...
2 posted on 11/27/2003 11:11:24 PM PST by general_re
(Take away the elements in order of apparent non-importance.)
To: general_re
bump
3 posted on 11/28/2003 7:04:47 AM PST by general_re
(Take away the elements in order of apparent non-importance.)
To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.
4 posted on 11/28/2003 7:13:14 AM PST by rdb3
(The Left does indeed have principles. You won't agree with them because they're evil.)
To: general_re
"Somehow they got root on klecker" Ack.
5 posted on 11/28/2003 7:15:01 AM PST by Eala
(Sacrificing tagline fame for... TRAD ANGLICAN RESOURCE PAGE: http://eala.freeservers.com/anglican)
To: general_re
The problem started as a result of Kernel Murphy sucking on Kleckers root?
6 posted on 11/28/2003 7:20:19 AM PST by lewislynn
To: eabinga
ping
7 posted on 11/28/2003 7:20:41 AM PST by agitator
(Ok, mic check...line one...)
To: lewislynn
Something like that ;)
8 posted on 11/28/2003 7:28:13 AM PST by general_re
(Take away the elements in order of apparent non-importance.)
To: general_re; rdb3
what threat does Suckit pose?
9 posted on 11/28/2003 7:29:26 AM PST by Jalapeno
To: Jalapeno
It's not a threat in and of itself. It's a rootkit that requires some other exploit to be used to gain access to the system first; then it can be installed. A rootkit allows unauthorized access to the system by pretending to be authentic system binaries, while actually providing root access to unauthorized people.
10 posted on 11/28/2003 7:51:46 AM PST by B Knotts
(Go 'Nucks!)
To: B Knotts
So it's simply an installed back door. Yeech.
11 posted on 11/28/2003 8:03:11 AM PST by Jalapeno
To: B Knotts; Jalapeno
Exactly. As this mail says, "Suckit is a rootkit which installs a sniffer, a process hider, a file hider and a backdoor login in a running kernel." If you keep the blackhats out in the first place, it's not a threat on its own, but if they have access, then suckit modifies the system to make future harm much easier. The interesting thing with suckit is that, unlike most rootkits, it's capable of modifying the kernel on-the-fly even on systems without LKM. And it can apparently bypass most firewall configurations once it's installed.
12 posted on 11/28/2003 8:20:44 AM PST by general_re
(Take away the elements in order of apparent non-importance.)
To: general_re
"On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed password was used to access an (unprivileged) account on klecker.debian.org. Somehow they got root on klecker and installed suckit."
Somehow they got root on klecker ... I'm not on a Debian list so maybe this has been brought up, but has anyone mentioned social engineering? That's the simplest and oldest trick in the book. I mean, most of this is just sniffing and other account access through root. Once root on klecker was had, the rest was relatively simple stuff. But I'd also imagine that nobody with root access to klecker would be stupid enough to give that information to anyone, even someone who would appear to be an established account there, especially as it was unprivileged.
To: krinklyfig
I don't think that's been mentioned yet. It does seem unlikely, though - I presume that details about root accounts are closely held secrets, and not easily given out. Based on what little information there is thus far, it appears that there's some sort of privilege-escalation hole somewhere in there, that someone was able to remotely exploit. Somebody out there has a nasty trick up their sleeve, and the scary part is, if suckit hadn't started falling down on the job, it'd still be invisible.
14 posted on 11/29/2003 7:19:36 AM PST by general_re
(If God didn't want us to eat animals, he wouldn't have made them out of meat.)