August 14, 2003 7:01 AM PDT
Server breach raises Linux code worries
The project urged those who have downloaded software from the server since March to check that the source code has not been tampered with.
Linux, an open-source operating system that dominates the Web server market, uses the compiler, libraries and other software that was originally developed by the GNU Project. The project warned that the attacker may have inserted malicious code into its software, although it said all the code checked so far appeared to be intact.
In an alert issued Wednesday, computer security response organization CERT Coordination Center warned that the breach could prove to be a serious problem. "Because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat," the warning stated.
The Free Software Foundation, the GNU Project's overseer, has issued lists of "hashes"--numbers generated by the source code of software known not to have been compromised--that can be used to verify downloaded code. The lists can be found here and here.
The attacker compromised the project's servers to the root level, gaining complete control over the system, according to the GNU Project. The attack was carried out using an exploit that was revealed on March 17, and for which a patch only became available a week later. During that week, the intruder compromised the system and installed a piece of malicious code known as a Trojan horse, according to evidence found on the machine.
The Trojan horse stayed in place until it was discovered in the last week of July, the project said. "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines," the project said in a statement on its Web site.
The group said it has spent the weeks since the compromise was discovered verifying the integrity of its software. "Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised," the statement said.
The project said it believes no source code was compromised. "The evidence includes the MO of the cracker, the fact that every file we've checked so far isn't compromised, and that searches for standard source Trojans turned up nothing," the group stated.
Matthew Broersma of ZDNet UK reported from London.