[GUFSC] [nina@cais.rnp.br: [GTS-L] CAIS-Alerta: Comprometimento de FTP.GNU.ORG (fwd)]

Rafael R Obelheiro rro em das.ufsc.br
Quarta Agosto 13 17:32:21 GMT+3 2003 

----- Forwarded message from "Liliana E. Velasquez Alegre Solha" <nina em cais.rnp.br> -----

Date: Wed, 13 Aug 2003 16:52:58 -0300 (BRT)
From: "Liliana E. Velasquez Alegre Solha" <nina em cais.rnp.br>
Subject: [GTS-L] CAIS-Alerta: Comprometimento de FTP.GNU.ORG (fwd)
To: gts-l em listas.unesp.br


---------- Forwarded message ----------
Date: Wed, 13 Aug 2003 16:36:52 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Subject: CAIS-Alerta: Comprometimento de FTP.GNU.ORG


Prezados,

O CAIS esta' repassando um comunicado da The Free Software Foundation,
tratando de comprometimento do site ftp.gnu.org, provavelmente em Marco de
2003.

A lista de pacotes possivelmente comprometidos esta' em:

	http://ftp.gnu.org/MISSING-FILES

Maiores informações podem ser obtidas no referido comunicado, disponivel
em:

	http://ftp.gnu.org/MISSING-FILES.README

E´ recomendado aos administradores que baixaram pacotes do site
comprometido entre Marco e Agosto de 2003, que verifiquem a autenticidade
dos mesmos atraves das assinaturas MD5 ja' validadas pelos
mantenedores do site e disponiveis em:

	http://ftp.gnu.org/before-2003-08-01.md5sums.asc

O CAIS recomenda aos administradores que sempre verifiquem a integridade
de pacotes antes de proceder com uma atualização ou instalação.


Atenciosamente,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################

---------------------------------------------------------------------------

To the Free Software Community:


                                 Summary

   * gnuftp, the FTP server for the GNU project was root compromised.

   * After substantial investigation, we don't believe that any GNU
     source has been compromised.

   * To be extra-careful, we are verifying known, trusted secure
     checksums of all files before putting them back on the FTP site.


                 Events Concerning Cracking of Gnuftp

A root compromise and a Trojan horse were discovered on gnuftp.gnu.org,
the FTP server of the GNU project.  The machine appears to have been
cracked in March 2003, but we only very recently discovered the crack.
The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines.  It appears that the machine was cracked using a
ptrace exploit by a local user immediately after the exploit was posted on
bugtraq.

(For the ptrace bug, a root-shell exploit was available on 17 March 2003,
 and a working fix was not available on linux-kernel until the following
 week.  Evidence found on the machine indicates that gnuftp was cracked
 during that week.)


Given the nature of the compromise and the length of time the machine was
compromised, we have spent the last few weeks verifying the integrity of
the GNU source code stored on gnuftp.  Most of this work is done, and the
remaining work is primarily for files that were uploaded since early 2003,
as our backups from that period could also theoretically be compromised.


                       Historical Integrity Checks

We have compared the md5sum of each source code file (such as .tar.gz,
.tar.bz2, diff's, etc.) on ftp.gnu.org with a known good data.  The file,
ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc, contains a list of files
in the format:

MD5SUM FILE [REASON, ... REASON]

The REASONs are a list of reasons why we believe that md5sum is good for
that file.  The file as a whole is GPG-signed.



                             Remaining Files

The files that have not been checked are listed in the root directory as
"MISSING-FILES".  We are in the process of asking GNU maintainers for
trusted secure checksums of those files before we put them in place.

We have lots of evidence now to believe that no source has been
compromised -- including the MO of the cracker, the fact that every file
we've checked so far isn't compromised, and that searches for standard
source trojans turned up nothing.

However, we don't want to put files up until we've had a known good source
confirm that the checksums are correct.


                              Alpha FTP Site

The Alpha FTP site at ftp://alpha.gnu.org/ has been a lower priority for
us, but we plan to follow the same procedure there.


                              Moving Forward

All releases after the 2003-08-01 date will have checksums GPG-signed by
the GNU maintainer who prepared the release, and unfortunately we'll be
discontinuing local shell access to the FTP server for GNU maintainers.


-- 
Bradley M. Kuhn, Executive Director
Free Software Foundation     |  Phone: +1-617-542-5942
59 Temple Place, Suite 330   |  Fax:   +1-617-542-2652
Boston, MA 02111-1307  USA   |  Web:   http://www.gnu.org
------------ Output from pgp ------------
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.
File is signed.  Good signature from user "Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>".
Signature made 2003/08/13 19:37 GMT

_______________________________________________
GTS-L mailing list GTS-L em listas.unesp.br
https://listas.unesp.br/mailman/listinfo/gts-l

----- End forwarded message -----

Mais detalhes sobre a lista de discussão GUFSC