July 14, 2006 10:41 AM PDT

Debian locks out developers after server hack

The Debian GNU/Linux project has locked a number of its developers out of their system accounts, following the hack of a key internal server.

A compromised developer account was used to take control of the server, according to an e-mail sent Thursday to the community by Debian developer Martin Schulze. List members were told of the intrusion in an announcement the day before.

"At least one developer account has been compromised a while ago and has been used by an attacker to gain access to the Debian server," Schulze wrote.

The developer said the attacker then used a recently discovered vulnerability in the Linux kernel to gain root--or admin--access on the server.

"An investigation of developer passwords revealed a number of weak passwords whose accounts have been locked in response," Schulze wrote.

Debian is a noncommercial version of Linux, though some companies, such as Canonical and Progeny, have based products on it.

While the compromised server, known as "gluck," has had its software reinstalled and is now back online with all services intact, other parts of Debian's infrastructure remain closed off from casual access.

"Other Debian servers have been locked down for further investigation (into) whether they were compromised as well," wrote Schulze. "They will be upgraded to a corrected kernel before they will be unlocked."

Flaw in the kernel
Schulze said the particular Linux vulnerability only exists in kernel versions:

2.6.13 up to versions before 2.6.17.4
2.6.16 up to versions before 2.6.16.24

Schulze advised administrators to upgrade their software if they were using these versions but said the current stable version of Debian was not affected, as it runs kernel 2.6.8.
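
As an added illustration (not part of the original article or Schulze's e-mail), the Python sketch below checks a kernel release string against the two ranges quoted above. It assumes the second range describes the 2.6.16.y stable branch, fixed at 2.6.16.24, so that branch is compared separately; the function and constant names are hypothetical.

```python
import platform
import re

# Boundaries exactly as quoted in the article.
FIRST_AFFECTED = (2, 6, 13, 0)   # "2.6.13 up to ..."
MAINLINE_FIX = (2, 6, 17, 4)     # "... versions before 2.6.17.4"
STABLE_BRANCH = (2, 6, 16)       # assumption: 2.6.16.y is a separate branch
STABLE_FIX = (2, 6, 16, 24)      # "... versions before 2.6.16.24"


def parse_release(release):
    """Turn a `uname -r` style string into a 4-tuple of ints.

    Distribution suffixes such as "-2-686" are ignored, and a missing
    fourth component counts as 0 (2.6.16 is treated as 2.6.16.0).
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(release):
    """Return True if the release falls inside the ranges from the article."""
    v = parse_release(release)
    if v[:3] == STABLE_BRANCH:
        # A plain "< 2.6.17.4" test would wrongly flag 2.6.16.24 and later,
        # which already carry the fix on their own branch.
        return v < STABLE_FIX
    return FIRST_AFFECTED <= v < MAINLINE_FIX


# Constructed sample inputs, not taken from any real host inventory.
SAMPLE_RELEASES = ["2.6.8-2-686", "2.6.15.7", "2.6.16.23", "2.6.16.24", "2.6.17.4"]

if __name__ == "__main__":
    for rel in SAMPLE_RELEASES + [platform.release()]:
        try:
            verdict = "AFFECTED" if is_affected(rel) else "not in range"
        except ValueError as exc:
            verdict = str(exc)
        print("%-24s %s" % (rel, verdict))
```

Distribution kernels often carry backported fixes without changing the upstream version number, so a match here is a first-pass triage signal to confirm against the vendor's advisory.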

Wider damage to Debian's infrastructure may have been avoided. "Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," Schulze wrote.

"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."

The security breach is not the first for the Debian project. In November 2003, several of Debian's servers were similarly compromised and pulled offline.

Renai LeMay of ZDNet Australia reported from Sydney.


24 comments

The silence is deafening
If an old WinNT4 server in the back room of some college computer center is hacked, these forums are full of people pointing out how insecure Windows is and that no one should use it.

Where is everyone? Are the double standards to be that obvious?
Posted by catch23 (436 comments )
Agreed!
There are so many different versions of Linux with no standardized patching/updating system service, there are literally millions of exploitable *nix servers on the net. At least you get steady security updates from Microsoft. God forbid you had to pay 99 bucks for that luxury.
Posted by dahkness (26 comments )
Admittedly true.
I use Linux - but I'm not going to sit here and say Windows is crud, or 'nix is perfect.

Computer programs are written by humans, and humans make mistakes. The more lines of code, the higher the probability of bugs. Add to that the piecing together of parts of a program by different members of a team - whether around the world over the Net, or behind closed doors in a corporation - and the trouble grows further.

Throw on top of this application software (server or otherwise), and your problems go through the roof. In Windows, one would not know the internal workings of these things.. but in practice (NOT arguing theory here!), there's a good chance that someone who writes a program for 'nix wouldn't look closely at other source code, either.

The bugs crawl among us. Live with it. Keep up to date.
Posted by unigamer69 (75 comments )
Bad example
Actually, nobody would be surprised about a Windows box like
the one you described being hacked. It would be completely
unnewsworthy. Debian's servers being hacked, however, is
newsworthy.

Of course, all operating systems have flaws. News coverage of
these flaws is appropriate. The problem is placing these stories
in context. It seems clear, however, that there are some
Windows fans who want to jump on every story of holes in Linux
or the Mac OS as justification that other systems are no more
secure than Windows.

Meanwhile, Microsoft is busy working on User Account
Protection in Vista and telling us what a big security
improvement it will bring. Users of *nix-based systems know all
about this, and benefit from it, already.
Posted by Thrudheim (306 comments )
Silence, what silence?
"There can be no learning without the associated emotional experience" Obviously you have not had the emotional experience so you have not learned.

I have had several emotional experiences with Windows, all of the bad kind. You know the "blue screens", the "failure to boot", all of that wonderful drive-you-crazy stuff. I have had several infestations of the various famous virus and worm varieties, and that was even when I had Norton installed. I have had very few problems since I installed NOD and Zone Alarm, and turn off the computer when not in use.

BUT I have a PC with SUSE Linux installed that I never turn off, and is always connected to the internet, has no AV or Firewall software of any kind, and it NEVER has had any problems. NO irritation, NO need to vent, = SILENCE.
Posted by bigpicture1 (1 comment )
Gee, I thought Linux was all-secure?
Come on, where are all the Windows bashers at? Could it be that Linux has its flaws as well? Surely not!
Posted by rstinnett (41 comments )
See the Clarification ...
Later in the forum...
Posted by Johnny Mnemonic (374 comments )
A hole in linux!!!
that too at kernel level, how on earth could that happen !!! isn't this OS low on features and usability high in Security or is that a myth?
Posted by FutureGuy (742 comments )
Except
They are exploitable at a local level vs global.
Posted by Johnny Mnemonic (374 comments )
Passwords are OS's Weakest Link
Yeah, a hole in the form of a valid logon because of a weak password.

No OS is invulnerable to the local user.
Posted by justwally (32 comments )
Not quite the same...
Being that Linux is just a kernel, and most of those "versions" are distributions, and most of those distributions have standard ways of updating and patching... your argument isn't quite up to par. Why is there less outcry? Because it happens a lot less.
Posted by Stupendoussteve (28 comments )
No, it is talked about a lot less
Not exactly the same thing.
When MS released 18 patches, it was a "mega patch". Over 30 for Apple? They 'updated'.
Same here. Why do they call it a root kit, not an admin kit? Guess who just got hosed. No, actually, we will keep that hushed up.
A Windows laptop with sensitive information goes missing, and it's MS's fault. Same thing would have happened if it was Linux, but why allow facts to get in the way of some good FUD.
It's the double standard I mind. All OS's have problems, and most are the folks in charge of them. I'm simply asking for even treatment.
Posted by catch23 (436 comments )
Some clarification
When we get security alerts for Linux it is a
completely different animal. I understand that this
is a consumer-based forum that is not as technically
sophisticated as opposed to the kernel mailing
lists, but, I will try to explain the differences.

There are two primary levels of exploits. External
and local exploits. Local exploits are when an idiot
makes an easily guess-able login name and password
or an application can elevate its privileges
from a local account. Global or external exploits
are the majority of Windows flaws. These are the
kind that allow an external user access to the
system with "root level privileges" or
"administration level privileges" in the Windows
world.

There is an extremely important difference. Most
if not all Linux and Unix exploits are at the
local level. We still consider this important
since Unix has always been a multi-user operating
system and there may be a malicious local user.
This in essence brings us to the major difference
between Unix and Windows. Windows started its life
as a single user MS only isolated system. When
MS was dragged into the modern Unix world of
highly inter-networked computers they had to
quickly retrofit their systems with a tcp/ip stack.
This stack (BSD) worked, but, all the other
privileges (file, user, etc.) were missing.
Hence all exploits were immediately global or
local which could easily be elevated to global.

What this all means is, Linux exploits are not
nearly as critical unless you have local malicious
users on your system. A potential problem that
might be exploited by a local user group versus
a global problem that could be exploited by the
world. Apples and Oranges.

I hope this was a helpful summary.
Posted by Johnny Mnemonic (374 comments )
Also...
It should be known that Debian has not included the
more advanced security mechanisms built into the
latest commercial distributions like RedHat or Suse.
RedHat includes the SELINUX kernel module that
essentially prevents privilege escalation for
applications. Essentially the process that allowed
a local user to escalate privileges in Debian
would be prevented in other major Linux distributions.
Debian has a reputation of being much slower in
accepting new code.
Posted by Johnny Mnemonic (374 comments )
If anyone is interested...
You can get all the Linux and Open Source news
and alerts at:

http://lwn.net

It's not the Linux kernel mailing list, but, it is
more approachable and you can use more critical
thinking to filter out the nonsense. Many kernel
folks actually subscribe to it and may answer your
questions. I recommend it to the CNET editors as
well. It will help you to filter out the sensational
reports of Linux flaws. Please refer to this site
before you write any more of these stories.
Thank you.
Posted by Johnny Mnemonic (374 comments )
I wonder why...
... Linux lovers are so protective about Linux flaws as if requiring everyone to seek more accurate information. On the other hand, news about Windows flaws is enough for these Linux lovers to react in even the most unintelligent manner possible as if there is no need to seek more accurate information. Geeezzz...
Posted by Mendz (519 comments )
And Thank you
Very much for the link!
Posted by NoMoreMS (10 comments )