Debian locks out developers after server hack

The Debian GNU/Linux project has locked a number of its developers out of their system accounts following a security scare in which the hack of a key internal server was discovered this week.

The lockout took place because a compromised developer account had been used to take control of the server, according to an e-mail sent to the community by Debian developer Martin Schulze shortly before 4am today AEST.

"At least one developer account has been compromised a while ago and has been used by an attacker to gain access to the Debian server," Schulze wrote.

The developer said the attacker then used a recently discovered vulnerability in the Linux kernel to gain root -- or admin -- access on the server.

"An investigation of developer passwords revealed a number of weak passwords whose accounts have been locked in response," Schulze wrote.

While the compromised server -- dubbed "gluck" -- has had its software reinstalled and is now back online with all services intact, other parts of Debian's infrastructure remain closed off from casual access.

"Other Debian servers have been locked down for further investigation whether they were compromised as well," wrote Schulze. "They will be upgraded to a corrected kernel before they will be unlocked."

Beware
Schulze said the particular Linux vulnerability only exists in kernel versions:

  • 2.6.13 up to versions before 2.6.17.4
  • 2.6.16 up to versions before 2.6.16.24

Schulze advised admins to upgrade their software if they were using these versions, but said the current stable version of Debian was not affected as it runs kernel 2.6.8.
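The two version ranges above overlap in an awkward way: 2.6.16.24 is a fixed release of the 2.6.16 stable branch even though it sorts below 2.6.17.4, so a naive "less than 2.6.17.4" comparison would flag patched 2.6.16.y kernels as vulnerable. The following is an added example, not from the article or from Debian, of how an admin could check a running kernel against exactly the ranges Schulze listed. It assumes the version string is the output of `uname -r` (for example `2.6.16-2-686` on Debian), and it only strips the distribution suffix; it does not know about vendor backports.

```python
import platform
import re

# Affected ranges as stated in the advisory quoted above:
#   2.6.13 up to (but not including) 2.6.17.4
#   2.6.16 up to (but not including) 2.6.16.24  (the 2.6.16.y stable branch)
MAINLINE_FIRST_AFFECTED = (2, 6, 13)
MAINLINE_FIRST_FIXED = (2, 6, 17, 4)
STABLE_BRANCH = (2, 6, 16)
STABLE_FIRST_FIXED = (2, 6, 16, 24)


def parse_kernel_version(release):
    """Turn a `uname -r` string like '2.6.16-2-686' into a tuple (2, 6, 16).

    Everything after the leading dotted numeric part (Debian ABI number,
    flavour, local suffixes) is ignored.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", release.strip())
    if not m:
        raise ValueError("not a kernel version string: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(release):
    """True if the kernel version falls inside one of the advisory's ranges."""
    v = parse_kernel_version(release)
    # Check the 2.6.16.y stable branch first: 2.6.16.24 and later are fixed
    # even though they compare lower than 2.6.17.4.
    if v[:3] == STABLE_BRANCH:
        return v < STABLE_FIRST_FIXED
    # Tuple comparison handles short versions: (2, 6, 13) >= (2, 6, 13) is True,
    # and (2, 6, 17) < (2, 6, 17, 4) is True, so plain 2.6.17 is affected.
    return MAINLINE_FIRST_AFFECTED <= v < MAINLINE_FIRST_FIXED


def check_running_kernel():
    """Report on the kernel this script is running under (assumes Linux)."""
    release = platform.release()
    status = "AFFECTED, upgrade" if is_affected(release) else "not in affected range"
    return "%s: %s" % (release, status)


if __name__ == "__main__":
    print(check_running_kernel())
```

Run it on the host in question; an unaffected result only means the version is outside the listed ranges, which is what the article claims for Debian stable's 2.6.8, not that the host has no other kernel bugs.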

Wider damage to Debian's infrastructure may have been avoided. "Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," wrote Schulze.

"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."
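Finding that /bin/ping was the one altered binary is the kind of result a file-integrity check against package metadata produces. As an added example (not Debian's tooling, though the `debsums` package does the same job), the script below compares files on disk with the `<md5 hex>  <relative path>` lines dpkg keeps in `/var/lib/dpkg/info/<package>.md5sums`. The sample manifest and file tree are constructed inside `demo()` so it runs offline; the tampered `bin/ping` and the missing `usr/bin/ssh` are simulated, not real findings.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg-style md5sums lines into {relative_path: hex_digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        entries[path] = digest
    return entries


def md5_of_file(path):
    h = hashlib.md5()  # MD5 only because that is what dpkg records
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, root="/"):
    """Return a sorted list of (relative_path, status) for files that do not
    match the manifest: 'missing' if absent, 'modified' if the hash differs."""
    problems = []
    for rel, expected in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append((rel, "missing"))
        elif md5_of_file(full) != expected:
            problems.append((rel, "modified"))
    return sorted(problems)


def demo():
    """Build a constructed file tree and manifest, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as root:
        original = {
            "bin/ping": b"original ping\n",
            "bin/ls": b"original ls\n",
            "usr/bin/ssh": b"original ssh\n",
        }
        for rel, content in original.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        # Manifest in the same format as a dpkg .md5sums file (constructed)
        manifest = "\n".join(
            "%s  %s" % (hashlib.md5(c).hexdigest(), rel)
            for rel, c in original.items()
        )
        # Simulate what an investigator would be looking for: one replaced
        # binary and one file that has disappeared.
        with open(os.path.join(root, "bin/ping"), "wb") as f:
            f.write(b"replaced\n")
        os.remove(os.path.join(root, "usr/bin/ssh"))
        return verify(parse_md5sums(manifest), root)


if __name__ == "__main__":
    for path, status in demo():
        print(path, status)
```

The caveat for real use: the `.md5sums` files live on the same filesystem as the binaries, so an attacker with root can rewrite both. Compare against digests taken from a trusted copy of the package (or from a clean host), and treat a clean run as one input to the investigation rather than proof that nothing else was touched.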

The embarrassing security breach is not the first for Debian. In November 2003 several of Debian's servers were similarly compromised and pulled offline.


Talkback (1 comment)

    Amazing Considering
    Anonymous -- 14/07/06 (in reply to #120138033)

    For an organisation living on grants, donations and good ole fashion working for the elusive taste of bettering humanity.

    What am I trying to say? I'm not sure really, just surprises me that most articles about "some open source organisation gets hacked" have just the slightest whiff of "see, there, open source is crap."

    When in my opinion it should be leaning towards, "WTF, how can this ONLY happen X times per year, when it happens to commercial operations [who get paid, not a pat on the back, paid] X+/-2 times per year."

    Myke
    I will cast the first stone.
