# rsync.gentoo.org rotation server compromised (200312-01)

## Saubloed

GLSA: rsync.gentoo.org rotation server compromised (200312-01)

 *Quote:*   

> - ---------------------------------------------------------------------------
> 
> GENTOO LINUX SECURITY ANNOUNCEMENT 200312-01
> 
> - ---------------------------------------------------------------------------
> ...


http://www.securityfocus.com/archive/1/346339

Where is the official gentoo-announce mailing list archive?

Why is there no link on the gentoo.org main page to security related things, or something like debian.org's "Security Alerts"?  :Sad: 

----------

## etnoy

I bet that box was running 2.4.22  :Smile: 

Just look what happened to Debian's servers!

----------

## secondsun72

I would like to know more about the box, was it running Linux even?  If so what distro?  Gentoo probably wasn't even the hacker's target if the box does other things.  Of course attacking Linux is a trendy thing to do, I know people who are getting hit left and right with linux (of course they did with MS too but that is another post).

Oh well here's to no damage done.

----------

## wdreinhart

So, anyone else in favor of moving to gpg-signed ebuilds?  It would make cracks like this a whole lot less dangerous...

----------

## viperlin

Yeh, gpg and md5sum based versions?

I'll probably upgrade my server too if it turns out to be the 2.4.22 kernel; my 40-day uptime dies, though.
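The two posts above ask for gpg-signed ebuilds plus checksum-based verification so that a compromised rsync mirror cannot silently hand out modified files. The following is an added example, not code from this thread or from Portage, showing the checksum half of that idea: a client-side verifier that walks a synced tree, compares every file against a checksum manifest, and reports modified, missing and unlisted files. The manifest format (one `<sha256-hex>  <relative path>` line per file) and the directory layout are constructed for the example and are not Portage's real Manifest format. The caveat the thread is really about is that a manifest fetched from the same compromised mirror proves nothing by itself; the manifest text passed to `verify_tree` has to have been authenticated out of band first (e.g. a gpg signature checked against a key obtained elsewhere), which this code deliberately leaves outside its scope.

```python
"""Verify a synced tree against a checksum manifest (constructed example)."""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse constructed '<sha256-hex>  <relative path>' lines into a dict.

    Rejects malformed lines and path traversal so a hostile manifest cannot
    make the verifier read files outside the tree being checked.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, path = parts
        if os.path.isabs(path) or ".." in path.split("/"):
            raise ValueError(f"unsafe path in manifest line {lineno}: {path!r}")
        entries[path] = digest.lower()
    return entries


def sha256_file(path):
    """Stream a file through SHA-256 so large distfiles do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest_text):
    """Return {'ok', 'modified', 'missing', 'unlisted'} lists of relative paths.

    manifest_text is assumed to have been authenticated already (out-of-band
    signature check); this function only does the hash comparison.
    """
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    # Files on disk that the manifest never mentioned are suspicious as well:
    # a mirror compromise can add files, not only change them.
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in expected:
                result["unlisted"].append(rel)
    result["unlisted"].sort()
    return result


def demo():
    """Build a constructed tree, then simulate a mirror-side tampering.

    One listed file gets extra bytes appended and one unlisted file is added,
    so the verifier should report exactly one 'modified' and one 'unlisted'.
    """
    files = {
        "foo/foo-1.0.ebuild": b'DESCRIPTION="constructed sample"\n',
        "foo/files/foo.patch": b"--- a\n+++ b\n",
    }
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
        manifest = "\n".join(lines) + "\n"   # stands in for the signed manifest
        # Simulated tampering by whoever controls the mirror.
        with open(os.path.join(root, "foo/foo-1.0.ebuild"), "ab") as f:
            f.write(b"# injected\n")
        with open(os.path.join(root, "foo/files/extra.sh"), "wb") as f:
            f.write(b"echo unlisted\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the verification result for the constructed tree: the appended-to ebuild shows up under `modified` and the injected script under `unlisted`, while the untouched patch is reported `ok`. In a real deployment the `unlisted` list matters as much as `modified`, since an attacker who controls the mirror can drop in new files that no checksum ever covered.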

----------

## ciaranm

 *Saubloed wrote:*   

> Why is there no link on the gentoo.org main page to security related things, or something like debian.org's "Security Alerts"? 


There will be sometime soon. May take a while for some of the www nodes to sync...

----------

## yanek

AFAIK, the do_brk() integer overflow exploit used to compromise the Debian servers was used from a local account, while the announcement refers to "a remote exploit". If so, is it really the same kind of problem?

Should we think that this bug can be exploited from a remote machine, as long as there is a way to pass some data to the machine (through a browser, a post in a ML, anything else ...)?

I would be very interested in learning more about it, as it goes far beyond my understanding of the problem.

I don't run any IDS, and don't know much about them. I would be very happy to know what IDS and checker the compromised server is running.

BTW, if you have any good open-source IDS to promote, I would be happy to hear about it and give it a try  :Smile: 

----------

## viperlin

I use a combination of Snort (the open-source kool IDS probably used on the Gentoo server) combined with MySQL and ACID; it provides a nice web interface for it.

https://forums.gentoo.org/viewtopic.php?t=78718

And yes, the Debian exploit was "internal", as a password got snooped and allowed a crack from inside the server as a normal user.

----------

## Sfynx

The attacker got local access through an rsync vulnerability and then used the brk() kernel vulnerability to gain root.

So we cannot trust any of the rsync boxes anymore. Great.  :Confused: 

----------

## kalisphoenix

The weakest links are always the humans involved, I understand...

Good thing I'm not human.

Debian's handled their issue very well.

It seems to take either a relatively skilled hacker or a rootkit to undermine a good Linux box's security.  I think we should be thankful it doesn't just require a scriptkiddy.

I like how viruses spread like wildfire throughout the Windows world and people complain, but when there is an issue with a Linux server we all band together and try to understand what happened -- another great thing about this community.  There's not much point in wanting or trying to understand a Windows bug; there's nothing you can do about it.

From Debian and Gentoo we have learned:

1)  Move to a new kernel as soon as possible if there is a serious security problem fix.

2)  Your box shouldn't trust anyone at all except root.

3)  You never know what people on the internet are trying to do :-/

4)  When something does happen, image the drives for evidence and do a clean install right away  :Smile: 

These are in no way new -- I just think they're good reinforcements of the things we've been told ever since we were n00bs.

----------

## Senso

 *Quote:*   

> rsync 2.5.6 security advisory
> 
> -----------------------------
> 
> December 4th 2003
> ...


----------

## cdunham

Um, there don't seem to be any gentoo-sources for >2.4.20 that aren't ~x86... I can get around this temporarily, but I would think some status upgrades are in order to get the new versions out. I never run ~x86 on production systems (here's a good exception), I'm sure others don't either...

----------

## cdunham

Well, gentoo-sources-2.4.20-r9 supposedly has the patch...

----------

## tomchuk

 *Saubloed wrote:*   

> GLSA: rsync.gentoo.org rotation server compromised 
> 
> Where is the official gentoo-announce mailing list archive?
> 
> 


The lists are available from the "lists" link on the main gentoo.org page. Just send a blank email to gentoo-announce-subscribe AT gentoo.org. It's a very low volume list, and GLSAs are posted in a very timely manner.

----------

## punter

I read this forum plus another similar one which has now been moved to duplicates.

I didn't find an answer to this question, however:

"How was the exploit noticed?"

There's a good chance it was posted and I missed it; can someone link me to the correct place?

Thanks,

Shane

----------

