GNU Servers Hacked, Linux Software May Be Compromised

Internet Week ^ | Aug. 14, 2003 | Techweb News

[Spruce]

GNU Servers Hacked, Linux Software May Be Compromised

By

Techweb News

In mid-March, someone hacked the primary file servers hosted by the GNU Project, the group which supports the development of many of the components in the Linux operating system, the group acknowledged Wednesday. It warned that the attacker may have inserted malicious code into the free software available for download, including Linux, and posted a set of hashes that users can check against to determine if what they retrieved is clean.

The CERT Coordination Center noted in an advisory posted Wednesday that "because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat." At the same time, it reported that there isn't any evidence that the source code posted on the FTP servers was, in fact, compromised.

The Free Software Foundation (FSF), which oversees the GNU Project, has posted a series of checksums, validation numbers generated by the source code known not to have been compromised, which users can use to verify what they've downloaded.

The attack took place in March, but was only discovered in late July. It used an exploit that was revealed on March 17, for which a patch wasn't immediately available. It was during a week's span of vulnerability that the servers were compromised, the FSF said in a statement.

A trojan horse was placed on the system at that time, possibly for password collection and to use the machine for additional attacks, according to the FSF.

[dandelion]

SCO did it!!

[TheMightyQuinn]

I'm sorry but that's impossible. Only microsoft software can be hacked.

Sarcasm Off

[unixfox]

This can't be true, Linus Torvalds (the most arrogant S.O.B. I have ever heard speak) has told us time and time again that Linux is "Rock Solid".

Aint nuthin perfect, and aint nuthin that can't be hacked !!

[AmericaUnited]

This was a Microsoft black op to spead more FUD around the open source movement.

[mikegi]

I told y'all that Windows sucks. Billy Bob cares nothing about us poor users. He just wants our money. He doesn't care about security. Linux RULEZ! Uh, wait a minute...

[Servant of the Nine]

This can't be true, Linus Torvalds (the most arrogant S.O.B. I have ever heard speak) has told us time and time again that Linux is "Rock Solid".

What operating system are the FSF servers running?
It could be BSD, or even Windoze!
Just because the Linux source code is stored there doesn't mean thte servers are running it.

Aint nuthin perfect, and aint nuthin that can't be hacked !!

That is for sure true.

So9

[old-ager]

"It could be BSD, or even Windoze!"

Ever heard the expression "grasping at straws" ?

[tubavil]

Winblows still blows huge chonkey schlong.

How many total root compromises since w2k RTM? 40? 50?

Oh, you used winblowsupdate and SP4 trashed your system?

Tough luck. Read your EULA.

[Michael Barnes]

Never heard him speak, he's that arrogant?

[dr_who_2]

cvs diff is your friend.

[KayEyeDoubleDee]

cvs diff is your friend.

You want to look through every file that has diffs and try to figure out whether they change includes malicious code? Good luck!!!

[dr_who_2]

Gotta start somewhere. Or I guess they could go back to the version before the break in and add in all the good patches again.

[KayEyeDoubleDee]

This begs that question of whether the GNU CVS repository could have been compromised in such a way that the diffs could be hidden. I guess that since CVS actually keeps changes to, rather than complete copies of each version, this might be hard to do.

[KayEyeDoubleDee]

Or I guess they could go back to the version before the break in and add in all the good patches again.

But no one knows if the patches are good, right?

[KayEyeDoubleDee]

Sorry. I see what you mean about re-adding the patches.

[<1/1,000,000th%]

It's Skynet!

[Golden Eagle]

The attack took place in March, but was only discovered in late July.

What a colossal failure of security. This was the primary distribution point on the web for Linux utilities, and they will have a very hard time proving that trojans weren't imbedded into the source code repositories at some point over the last six months, even if they no longer exist.

[dr_who_2]

Anyone who can read the code can look for suspicious commits. Preferably the people who maintain that program. No one person maintains all the programs, so this isn't as big a task as you think it is. Nothing wrong with taking a break from adding more features for a security audit. Certainly the other sites that have similar versions of the same source code should have identical source code.

[dr_who_2]

What a colossal failure of security.

No denying that.