The system housing the primary FTP servers for the GNU Software Project has been compromised
an intruder, the Free Software Foundation (FSF) announced Thursday, warning
that a Trojan horse was also found.
The GNU Project, which is a clearing house for a variety of freely
available open-source software, was root compromised sometime
in July 2003 but the FSF did not discover the intrusion until the end of the
month, according to executive director Bradley Kuhn.
“The modus operandi of the cracker shows that (s)he was interested
primarily in using gnuftp to collect passwords and as a launching point to
attack other machines. It appears that the machine was cracked using a
ptrace exploit by a local user immediately after the exploit was posted,”
He said the Foundation did a substantial investigation of the server
breach but found no evidence that source code was compromised. “The evidence
includes the MO of the cracker, the fact that every file we’ve checked so
far isn’t compromised, and that searches for standard source trojans turned
up nothing,” Kuhn added.
However, the Foundation is warning that some files may still be
compromised. “Given the nature of the compromise and the length of time the
machine was compromised, we have spent the last few weeks verifying the
integrity of the GNU source code stored on gnuftp. Most of this work is
done, and the remaining work is primarily for files that were uploaded since
early 2003, as our backups from that period could also theoretically be
compromised,” he explained.
Kuhn said the unchecked files will be listed in the project’s root
directory as ‘MISSING-FILES’ until trusted secure checksums can be made
As a result of the compromise, Kuhn said the Foundation would immediately
discontinue local shell access to the FTP server for GNU maintainers.
In a separate advisory, the CERT
Coordination Center warned that the compromise poses a “serious threat.”
“Because this system serves as a centralized archive of popular software,
the insertion of malicious code into the distributed software is a serious
threat,” CERT/CC said, warning that the potential exists for an intruder to
have inserted back doors, Trojan horses or other malicious code into the
source code distributions of software housed on the compromised system.
CERT/CC is encouraging sites using the GNU software obtained from the
compromised system to verify the integrity of their distribution. “Sites
that mirror the source code are encouraged to verify the integrity of their
sources. We also encourage users to inspect any and all other software that
may have been downloaded from the compromised site,” the Center added.