The system housing the primary FTP servers for the GNU Software Project has been compromised an intruder, the Free Software Foundation (FSF) announced Thursday, warning that a Trojan horse was also found.
The GNU Project, which is a clearing house for a variety of freely available open-source software, was root compromised sometime in July 2003 but the FSF did not discover the intrusion until the end of the month, according to executive director Bradley Kuhn.
"The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines. It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted," Kuhn explained.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iHe said the Foundation did a substantial investigation of the server breach but found no evidence that source code was compromised. "The evidence includes the MO of the cracker, the fact that every file we've checked so far isn't compromised, and that searches for standard source trojans turned up nothing," Kuhn added.
However, the Foundation is warning that some files may still be compromised. "Given the nature of the compromise and the length of time the machine was compromised, we have spent the last few weeks verifying the integrity of the GNU source code stored on gnuftp. Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised," he explained.
Kuhn said the unchecked files will be listed in the project's root directory as 'MISSING-FILES' until trusted secure checksums can be made available.
As a result of the compromise, Kuhn said the Foundation would immediately discontinue local shell access to the FTP server for GNU maintainers.
In a separate advisory, the CERT Coordination Center warned that the compromise poses a "serious threat."
"Because this system serves as a centralized archive of popular software, the insertion of malicious code into the distributed software is a serious threat," CERT/CC said, warning that the potential exists for an intruder to have inserted back doors, Trojan horses or other malicious code into the source code distributions of software housed on the compromised system.
CERT/CC is encouraging sites using the GNU software obtained from the compromised system to verify the integrity of their distribution. "Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site," the Center added.