danger on codespeak / password change necessary!

hello users of codespeak,

we today discovered that the account 'nico' on codespeak.net has been compromised, probably due to a bad password. Before I go into some details please *change your password* immediately. Besides users of codespeak.net this also affects all non-anonymous users of cvs.infrae.com (still an alias for codespeak.net). Every non-changed password will be reset to some random password automatically after 2 days (on 6th of February).

We currently think that the attacker was not able to gain more than user access and was not able to modify other than the user's files. If we find evidence of a more severe break-in than just abuse of one user account we may switch off the server without further notice. As the attacker effectively got to some encrypted information in /etc/shadow (see later how) he may now be able to crack any naive password in the next days. So please change your password - or even better - also install SSH-RSA keys so you don't need to have a nice'n easy password.

Here are some more details about our current findings:

- the attacker installed new SSH-RSA keys and changed the password of the compromised account
- he went through a lot of configuration files in /etc and tried to change them (unsuccessfully as far as we see it)
- he then went on to install and run some password cracker and IRC-net utilities (at least 'psybnc-2.3.1-8' and 'john-1.6')
- the attacker obviously didn't like 'vi' because he tried to find other editors like 'pico' which were unfortunately not installed :-)
- he actually ran the password cracker app for around 217 minutes accumulated time (when we killed it off)
- he was able to create a password file which resembled encrypted information from /etc/shadow, which is normally not accessible by users

Now the question is how did the attacker get to this information which he didn't have direct access rights to?

The probable answer (judging from the web server's logfiles) is that he was able to gain access to a subversion checkin of /etc/shadow at http://codespeak.net/svn/sysconf/thoth.codespeak.net/etc/shadow. While everything under /svn/sysconf/ is not accessible anonymously, *viewcvs* bypasses access control as it doesn't use the apache layer but directly works with the repository on the file system layer. Apparently he found that by googling for it. Thus he was able to get to the encrypted information on which he then started 'john', the password cracker.

Our countermeasures so far included:

- disabling of login/ssh/public_html access for nico
- killing two user processes (one for IRC proxy-bots and one for password cracking)
- generically preventing any URL with something like 'sysconf/thoth.codespeak.net' in it in order to not leak sensitive system information
- continued analysis of traces, logfiles and system binaries which could be used to hide traces. (Actually the modern way of hiding traces is to install a kernel module which hides itself from 'lsmod' and additionally hides processes and directories following specific patterns. But it doesn't seem like the attacker was able to do this, especially because he didn't know how to handle vi :-)

However, as we must assume that the /etc/shadow encrypted information is now out there, it's probably a good idea (and an important safety measure) that everybody changes his/her password unless you are sure that you have a very good password (like the ones we usually generate for new users). If you don't know your password anymore or if you want a good random one just send me a mail.

Please don't look around the codespeak system (e.g. into /etc) in the next days when you login but just change your password. Otherwise we may assume that another account is about to be cracked ... or if you really want to look around (you are welcome) then mail us before you start.

sorry for the inconvenience,

holger
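The access-control gap holger describes, as an added configuration example that is not codespeak's own config: authentication placed on the mod_dav_svn <Location> is never consulted by a viewcvs CGI that opens the repository from disk, so the block has to be expressed on the URL pattern for every front end. The repository directory, CGI path and htpasswd file are assumed.

```apache
# Assumed layout (not codespeak's real setup): repositories live under
# /var/svn and the sysconf repository is published at /svn/sysconf.
#
# --- weak: access control exists only on the mod_dav_svn front end ---
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName "codespeak svn"
    # assumed path of the password file
    AuthUserFile /etc/apache/svn.htpasswd
    # anonymous read for most repositories, a login is needed only to commit
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
<Location /svn/sysconf>
    # system configuration repository: no anonymous access at all
    Require valid-user
</Location>
# viewcvs is a CGI that reads the repositories under /var/svn directly,
# so neither <Location> above is consulted for a request such as
# /viewcvs/sysconf/thoth.codespeak.net/etc/shadow: it is served to anyone.
ScriptAlias /viewcvs /usr/lib/cgi-bin/viewcvs.cgi

# --- corrected: deny the path pattern for every front end ---
# <LocationMatch> is tested against the full request URI (path info
# included), so it covers /svn, /viewcvs and any other handler. This is
# the "generic" block holger describes. Apache 1.3/2.0/2.2 syntax; on
# Apache 2.4 replace the Order/Deny pair with "Require all denied".
<LocationMatch "sysconf/thoth\.codespeak\.net">
    Order deny,allow
    Deny from all
</LocationMatch>
```

The real fix is to keep such material out of a web-published repository altogether; the URL block only stops the known leak while the checked-in file is removed and the affected passwords are changed.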

holger krekel wrote:
Holger, I'm still a little confused as to which passwords need to be changed. Is this just for those people that have shell access to codespeak.net, or does it affect those with just svn/cvs access too? Should we also change our wiki/roundup/mailing list passwords? Sorry about the break-in. I hope you have everything under control. -Rocco

On Tue, Feb 03, 2004 at 01:11:53AM +0100, holger krekel wrote:
we today discovered that the account 'nico' on codespeak.net has been compromised probably due to a bad password.
Ouch. That's very embarrassing. That account was created for me during the Berlin sprint and I used it to contribute to the pypy EU proposal when I was there and during the following weeks. I have never used it since. Holger, could you send me a tarball of the home dir for me to check that nothing important was there? I'm not even sure I ever logged in using a shell. I apologize for the trouble. I never changed that password. Next time, we'll have to let the system generate one instead of picking up the first word that comes to mind; that will make a better temporary password.
--
Nicolas Chauvat
logilab.fr - advanced computing services and knowledge management

holger krekel wrote:
hello users of codespeak,
[lots 'o trouble, sorry to hear that]
sorry for the inconvenience,
My immediate reaction would be to disallow password-only logins via ssh and to enforce the use of keys with non-empty passphrases. Also don't use email without encryption to give new passwords out. I have been hosed by this two times (last millennium of course :-)

cheers - chris (yes, has been a small ISP)
--
Christian Tismer :^) <mailto:tismer@stackless.com>
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a : *Starship* http://starship.python.net/
14109 Berlin : PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 mobile +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/

On Friday 06 February 2004 05:13 am, Christian Tismer wrote:
*blink* how do you force sshd to only accept keys with non-empty passphrases? The passphrase is a client-side issue, not under the control of the server's system administrator. Having sshd only accept authentication by key and not by password would indeed strengthen security a bit (but unless all clients use passphrases and/or keep their private keys securely -- nowadays, this means on a USB key of some sort, such as those that they're starting to build into wristwatches, pens, etc -- only a bit).
However, it's quite safe for a server's sysadm to receive ssh public keys in unencrypted email. The worst a baddy can do upon intercepting that is allow the client to login to the baddy's computer in a man-in-the-middle attempt, but he could do that easily anyway with a tweaked sshd that accepts any private key -- the real defenses against MitM attacks are others (including client's awareness of the server's identification key...!!!). Alex

Alex Martelli wrote:
Unfortunately, the only thing you can do about it is to beg, of course.
Well, I think it's a bit more, even without a phrase. Although ssh encrypts passwords as well, these are exposed to other services, and people tend to use the same passwords in many places. The fact that the user has to use a special key makes this access method less vulnerable per se. There is nothing to be sniffed elsewhere and used here.
Nice to see the two of us on the same side!

cheers - chris
--
Christian Tismer :^) <mailto:tismer@stackless.com>
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a : *Starship* http://starship.python.net/
14109 Berlin : PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 mobile +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/
