[plug] [joey at infodrom.org: Some Debian Project machines have been compromised]

Chris Caston caston at arach.net.au
Fri Nov 21 23:07:50 WST 2003


I also seemed to have portmap running on 111 saying it was bindrpc so I
removed it.


On Fri, 2003-11-21 at 23:02, Chris Caston wrote:
> I seem to have famd running while apparently keeps track of when there
> are changes in the file system. It has worrying options in /etc/fam.conf
> like:
> 
> insecure_compatibility = false
> local_only = false
> untrusted_user = nobody
> 
> I have no idea where else this could have come from.
> 
> Perhaps I'm just getting paranoid. Any ideas?
> 
> On Fri, 2003-11-21 at 21:25, Chris Caston wrote:
> > btw what's port 982?
> > 
> > nmap run compled:
> > *Snip*
> > 982/tcp open unknown
> > *snip*
> > 
> > On Fri, 2003-11-21 at 21:19, Chris Caston wrote:
> > > No wonder it was down!
> > > !?!?
> > > So what all are boxes are owned now?
> > > 
> > > So why aren't the updates signed?
> > > 
> > > regards,
> > > 
> > > Chris
> > > 
> > > On Fri, 2003-11-21 at 20:31, Trent Lloyd wrote:
> > > > ----- Forwarded message from Martin Schulze <joey at infodrom.org> -----
> > > > 
> > > > Delivered-To: trent at ucc.gu.uwa.edu.au
> > > > Old-Return-Path: <joey at infodrom.org>
> > > > Date: Fri, 21 Nov 2003 11:46:19 +0100
> > > > From: Martin Schulze <joey at infodrom.org>
> > > > To: Debian Announcements <debian-announce at lists.debian.org>
> > > > Subject: Some Debian Project machines have been compromised
> > > > User-Agent: Mutt/1.5.4i
> > > > Resent-Message-ID: <M6ofX.A.GeE.nHfv_ at murphy>
> > > > Resent-From: debian-announce at lists.debian.org
> > > > X-Mailing-List: <debian-announce at lists.debian.org> archive/latest/81
> > > > X-Loop: debian-announce at lists.debian.org
> > > > List-Id: <debian-announce.lists.debian.org>
> > > > List-Post: <mailto:debian-announce at lists.debian.org>
> > > > List-Help: <mailto:debian-announce-request at lists.debian.org?subject=help>
> > > > List-Subscribe: <mailto:debian-announce-request at lists.debian.org?subject=subscribe>
> > > > List-Unsubscribe: <mailto:debian-announce-request at lists.debian.org?subject=unsubscribe>
> > > > List-Archive: <http://lists.debian.org/debian-announce/>
> > > > Precedence: list
> > > > Resent-Sender: debian-announce-request at lists.debian.org
> > > > Resent-Date: Fri, 21 Nov 2003 05:07:19 -0600 (CST)
> > > > X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
> > > > 	mooneye.ucc.gu.uwa.edu.au
> > > > X-Spam-Level: 
> > > > X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=no 
> > > > 	version=2.60
> > > > 
> > > > ------------------------------------------------------------------------
> > > > The Debian Project                                http://www.debian.org/
> > > > Some Debian Project machines compromised                press at debian.org
> > > > November 21st, 2003
> > > > ------------------------------------------------------------------------
> > > > 
> > > > Some Debian Project machines have been compromised
> > > > 
> > > > This is a very unfortunate incident to report about.  Some Debian
> > > > servers were found to have been compromised in the last 24 hours.
> > > > 
> > > > The archive is not affected by this compromise!
> > > > 
> > > > In particular the following machines have been affected:
> > > > 
> > > >   . master (Bug Tracking System)
> > > >   . murphy (mailing lists)
> > > >   . gluck (web, cvs)
> > > >   . klecker (security, non-us, web search, www-master)
> > > > 
> > > > Some of these services are currently not available as the machines
> > > > undergo close inspection.  Some services have been moved to other
> > > > machines (www.debian.org for example).
> > > > 
> > > > The security archive will be verified from trusted sources before it
> > > > will become available again.
> > > > 
> > > > Please note that we have recently prepared a new point release for
> > > > Debian GNU/Linux 3.0 (woody), release 3.0r2.  While it has not been
> > > > announced yet, it has been pushed to our mirrors already.  The
> > > > announcement was scheduled for this morning but had to be postponed.
> > > > This update has now been checked and it is not affected by the
> > > > compromise.
> > > > 
> > > > We apologise for the disruptions of some services over the next few
> > > > days.  We are working on restoring the services and verifying the
> > > > content of our archives.
> > > > 
> > > > 
> > > > Contact Information
> > > > -------------------
> > > > 
> > > > For further information, please visit the Debian web pages at
> > > > <http://www.debian.org/> or contact <press at debian.org>.
> > > > 
> > > 
> > > _______________________________________________
> > > plug mailing list
> > > plug at plug.linux.org.au
> > > http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> > > 
> > 
> > _______________________________________________
> > plug mailing list
> > plug at plug.linux.org.au
> > http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> > 
> 
> _______________________________________________
> plug mailing list
> plug at plug.linux.org.au
> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> 

_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug


More information about the plug mailing list