Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Untitled

By: a guest on Aug 31st, 2011  |  syntax: None  |  size: 3.12 KB  |  views: 27,621  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. ---------- Forwarded message ----------
  2. From: J.H. <warthog9@kernel.org>
  3. Date: 2011/8/29
  4. Subject: [kernel.org users] [KORG] Master back-end break-in
  5. To: users@kernel.org
  6.  
  7.  
  8. -----BEGIN PGP SIGNED MESSAGE-----
  9. Hash: SHA1
  10.  
  11. Afternoon Everyone,
  12.  
  13. As you can guess from the subject line, I've not had what many would
  14. consider a "good" day.  Earlier today discovered a trojan existing on
  15. HPA's personal colo machine, as well as hera.  Upon some investigation
  16. there are a couple of kernel.org boxes, specifically hera and odin1,
  17. with potential pre-cursors on demeter2, zeus1 and zeus2, that have been
  18. hit by this.
  19.  
  20. As it stands right now, HPA is working on cleaning his box, and
  21. I'm working on hera (odin1 and zeus1 are out of rotation still for other
  22. reasons), mainly so that if one of us finds something of interest, we
  23. can deal with it and compare notes on the other box.
  24.  
  25. Points of interest:
  26.  
  27. - - Break-in seems to have initially occurred no later than August 12th
  28.  
  29. - - Files belonging to ssh (openssh, openssh-server and openssh-clients)
  30. were modified and running live.  These have been uninstalled and
  31. removed, all processes were killed and known good copies were
  32. reinstalled.  That said all users may wish to consider taking this
  33. opportunity to change their passwords and update ssh keys (particularly
  34. if you had an ssh private key on hera).  This seems to have occurred on
  35. or around August 19th.
  36.  
  37. - - A trojan startup file was added to rc3.d
  38.  
  39. - - User interactions were logged, as well as some exploit code.  We have
  40. retained this for now.
  41.  
  42. - - Trojan initially discovered due to the Xnest /dev/mem error message
  43. w/o Xnest installed; have been seen on other systems.  It is unclear if
  44. systems that exhibit this message are susceptible, compromised or not.
  45. If you see this, and you don't have Xnest installed, please investigate.
  46.  
  47. - - It *appears* that 3.1-rc2 might have blocked the exploit injector, we
  48. don't know if this is intentional or a side affect of another bugfix or
  49. change.
  50.  
  51. - - System is being verified from backups, signatures, etc.  As of right
  52. now things look correct, however we may take the system down soon to do
  53. a full reinstall and for more invasive checking.
  54.  
  55. - - As a precaution a number of packages have been removed from the
  56. system, if something was removed that you were using please let us know
  57. so we can put it back.
  58.  
  59. - - At this time we do not know the vector that was used to get into the
  60. systems, but the attackers had gained root access level privileges.
  61.  
  62. That's what we know right now, some of the recent instabilities may have
  63. been caused by these intrusions, and we are looking into everything.
  64.  
  65. If you are on the box, keep an eye out, and if you see something please
  66. let us know immediately.
  67.  
  68. Beyond that, verify your git trees and make sure things are correct.
  69.  
  70. - - John 'Warthog9' Hawley
  71. Chief Kernel.org Administrator
  72. -----BEGIN PGP SIGNATURE-----
  73. Version: GnuPG v1.4.11 (GNU/Linux)
  74. Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
  75.  
  76. iEYEARECAAYFAk5a5U0ACgkQ/E3kyWU9dif+1ACfYPlgq/keFrFO77AmQVduKGwx
  77. TAcAnRAu6nHt74+5aC+fPeb8aT0hcy2K
  78. =Semd
  79. -----END PGP SIGNATURE-----