Hackers have forced the Gentoo Linux project to take a server offline.
The attack and subsequent compromise come after several machines belonging to the Debian Linux project were breached by attackers last month. A forensic analysis of the Debian machines revealed that no software packages or source code offered for download were affected--a claim now being made by Gentoo. The maintainers of the Gentoo Linux distribution released a statement that describes the incident: "One of the servers that makes up the rsync.gentoo.org rotation was compromised via a remote exploit," it reads. "The compromised system had both an IDS and a file integrity checker installed and...we are reasonably confident that the portage tree stored on that box was unaffected."
The Gentoo team claimed that the breach was detected within approximately 1 hour. "During this time, approximately 20 users synchronized against the portage mirror stored on this box. The method used to gain access to the box remotely is still under investigation. We will release more details once we have ascertained the cause of the remote exploit," the statement said. The machine didn't actually belong to the project. It was donated by a sponsor, whose identity is so far undisclosed.
News source: C|Net News.com
Barclays and Royal Bank of Scotland (RBoS) expect to have the majority of their customers moved by the end of 2004, but both will stretch into 2005 to complete the migration.
And HSBC has confirmed that it will take two years to move its six million customers to chip-based cards, with the bank's rollout programme only expected to be concluded by the end of 2005.
HBOS plans to start its rollout in the first quarter of 2003 and expects to take about 18 months to refresh its debit card customer base with new cards.
"We have quite a short period to get cards out to our eight million debit card holders, which we plan to have done by mid-2005," said John Capper, HBOS manager for service and delivery strategy banking.
"We've been through the scoping and design phases, and we'll move into the implementation stage early next year."
Abbey, meanwhile, confirmed that it will have issued its 4.5 million debit card customers with new cards by the end of 2004, while its internet subsidiary Cahoot has been issuing chip-based cards since July.
Abbey is giving customers new cards as their old ones expire or are lost, a process that has been accelerated by shortening the expiry date on many cards, ensuring that the replacement cycle falls within the timeframe.

Anyway what are you going on about, it wasn't a DOS attack, it was a straightforward hack, a compromise.
Sh*t happens.
Q
Q
Long live windows!
They still don't know how it was compromised. What do you mean it was announced in September?
And a fix was released a month before the virus was released, what's your point?
They're both man made, they have flaws, like you and me
It really is about finding and addressing problems. The fact that Microsoft charges a bundle for their software, and Linux is available free should not make it forgivable for Linux to have the same number of security problems. In order for Linux to survive and thrive it must be superior to other offerings, not just offer a better bugs-to-price ratio.
It wasn't Gentoo's server that got hacked, it was a third party that held some content (like if Microsoft patches are stored on serverspace owned by someone else - they don't do this because they are wealthy) holding copies of Gentoo code. Those people need to carefully and dutifully install their updates. It does show a good sign that they were able to identify and isolate within an hour. Not bad!
Windows uses poor security management - running as "root" etc. provide those same flaws glaringly in Linux, Mac OS, Unix, *nix, any OS. The main argument about Microsoft security beyond the "hey, I'm a cool geek that does things different and I hate the man" kids that flood the OS community is those security holes that would prevent the spread of many virii - not the concept that only a windows box can be hacked - or any other false security hope.
Why is it that every time a flaw is found in a FREE OS - all the non-*nix and non-OS users on Neowin just piss their pants in glee over it? Should we all be a bit pissed that some jerkweed is again playing havoc out of boredom or out of greed with other people's security and information? We have a twisted little group here.
And I most WHOLE-HEARTEDLY agree with you on your comment that many (ok, maybe it is the vocal minority) Neowin users take glee in exploits on their non-favored OS. It is rather child-like. I have never made an issue of trying to provoke or troll Windows users when an exploit is found. I have even made comments to argue against irrational MS-haters. The computing world gets nowhere with failures and losers, so why do these vocal people focus on the negative? When a Win exploit gets big, I have to deal with a flooded Inbox on my Linux system, too.
The only solution is to make reasonable points and counterpoints in discussion, and let the conversations drop when others have the hate blinders on. (You can tell, because they are the ones that will make personal comments.)
As a person sympathetic to MS, I do feel a bit of glee on the fact that the *nix zealots have, in fact, been proven wrong. I am glad *nix is making strides in the OS world, mainly because it will force MS to create better products, but also because we can finally see just how godly *nix is when the OS becomes a target; and so far, it has not impressed me much.
Money has nothing to do with it. Yes, MS pays its employees to build applications while the Linux community relies upon bright individuals who love coding for their OS; but that has absolutely nothing to do about it. They are all people doing what they love, and there will be flaws in anything that is built.
Q
So does Tech. There is no excuse for a personal attack.
Winning an online argument is like winning Olympic Curling. No one cares, except those involved.
true words
Crackers don't care about right/wrong or good/bad. They see challenges and opportunities to show how 1337 they are.
The correct word in this context is and will always be "cracked". Refer to the Jargon File to know why.
End of rant.
If most of society shifts to using the word "hack," then the word will be "hack." It's the same with incorrect phrases like "could care less": they're wrong and dumb, but they're starting to make their way into dictionaries as alternate phrases and words.
[checks to ensure he did not accidentally repeat the "hack" comment]
[sees he changed the term to "cracked" in his post]
I feel the same way as you do on this. Another one I hear a lot is "irregardless".
In any case this is a stoopid debate. Gentoo is not like other versions of Linux. Most of you Windows folk's brains would explode through the sheer effort of trying to install it. It is an Ubergeek's Linux version - and utterly alien to anything many here would understand as Linux. The fact that one small server was compromised in a chain of hundreds that make up the Gentoo portage system is of such minor significance to be virtually irrelevant. So one gate was left inadvertently open - and was then quickly closed. So what? There are many, many gates (and many, many servers) in the Gentoo portage tree. You would have to literally break through them all before you stood a chance of doing any significant damage.
You are looking in the wrong place if you want a Linux v's Windows flamewar. When it comes to Gentoo, there are virtually no similarities to compare against.
Q
The thing is it's not even your sig. It is a Q you put at the end of your posts thinking it makes you look cool. It has nothing to do with your name, nothing to do with anything. It's a letter you believe is "cool" 'cause it's not used often. You think it makes you look sophisticated and make it seem as if your post is actually intelligent when really it's not. You are nothing but an idiot.
Now listen up. Gentoo Linux's are built upon the same code. Yes, people may modify it to their will, but the kernel is the same. If one server got hacked with this vulnerability (specifically, the Gentoo site itself) then all servers have this hole, until a patch is applied or something else is changed. If one Windows XP is vulnerable to msblaster, they all are, unless a patch is applied. So get this through your thick stupid head. This DOES mean a lot. It means every Gentoo Linux that does not have a patch applied that fixes the problem (hell, Gentoo doesn't even know how it happened) is affected and vulnerable. So please, next time, try to think for at least an hour or two before making a post because obviously, that's the amount of time it should take you to create a message that a 6 year old can do in 5 mins.
X
That matter fully depends on what sources were being used for the kernel on the rsync server.
Because with Gentoo, the users are not forced to use a single kernel code, there are multiple kernel sources available for use, ranging from the latest linux.org 2.6 test kernels to specifically optimized kernels like Gentoo's own "gentoo-sources" and "gaming-sources".
raid is right about one thing, the portage system is massive. It would take a lot to fully break it.
And specifically, it was not the "gentoo site" itself, but one of the rsync servers that holds a mirror copy of the portage tree.
And if you'll notice, Gentoo posted yesterday two GLSAs for an rsync exploit and a kernel do_brk() exploit, which they believe was the cause of this attack.
Anyway I can afford to laugh at you on this one, I mean come back when you even know what you are talking about or even remotely understand the portage system. Indeed come back here whimpering and blubbering only after you attempt to install Gentoo. Go on I dare you.... Try it even on a virtual machine, then we will get a very clear idea that the truth is you really don't know what the hell you are talking about.
Not the 'whole portage tree' was compromised, it was just one node, and this was simply likely to be due to user error - it was a third party server and therefore not owned or controlled in any way by the Gentoo development team.
Installing Gentoo is a rite of passage in the Linux world. It is a test of skill and endurance - with installs taking as much as 5 solid days on slower machines and only when you have installed it successfully at least once - even if you never use it again afterwards can you really be in any position to comment.
Now if you want to fight on about something you clearly don't understand, or just because you don't like my name, then fair enough. It's all pretty stupid if you ask me.
Q
Actually it does look like now that the rsync vulnerability was the cause... Gentoo's GLSA is high severity and recommending everyone upgrade to rsync-2.5.7.
http://www.gentoo.org/security/en/glsa/glsa-200312-03.xml
And I know, the major part of the vast audience of this site, use the best freedom-security tradeoff