[pypy-dev] danger on codespeak / password change necessary!
holger krekel
hpk at trillke.net
Tue Feb 3 01:11:53 CET 2004
hello users of codespeak,
we today discovered that the account 'nico' on codespeak.net
has been compromised probably due to a bad password.
Before I go into some details please *change your password*
immediately. Besides users of codespeak.net this also affects
all non-anonymous users of cvs.infrae.com (still an alias for
codespeak.net). Every non-changed password will be reset
to some random password automatically after 2 days (on 6th
of February).
We currently think that the attacker was not able to gain
more than user access and was not able to modify other than
the user's files. If we find evidence of a more severe
break-in than just abuse of one user account we may switch off
the server without further notice.
As the attacker effectively got to some encrypted
information in /etc/shadow (see later how), he may now
be able to crack any naive password in the next days.
So please change your password - or even better - also install
SSH-RSA Keys so you don't need to have a nice'n easy password.
Here are some more details about our current findings.
- the attacker installed new ssh-RSA keys and changed the
password of the compromised account
- he went through a lot of configuration files in
/etc and tried to change them (unsuccessfully as
far as we see it).
- he then went on to install some password cracker
and IRC-net utilities (at least 'psybnc-2.3.1-8' and
'john-1.6') and ran them.
- the attacker obviously didn't like 'vi' because he tried
to find other editors like 'pico' which were unfortunately
not installed :-)
- he actually ran the password cracker app for around 217 minutes
accumulated time (when we killed it off).
- he was able to create a password file which
resembled encrypted information from /etc/shadow which is normally
not accessible by users. Now the question is how did the
attacker get to this information, which he didn't have direct
access rights to?
The probable answer (judging from the web server's logfiles) is that he
was able to gain access to a subversion-checkin of /etc/shadow at
http://codespeak.net/svn/sysconf/thoth.codespeak.net/etc/shadow
While everything under /svn/sysconf/ is not accessible anonymously,
*viewcvs* bypasses access control as it doesn't use the
apache-layer but directly works with the repository on the
file system layer. Apparently he found that by googling for
it. Thus he was able to get to the encrypted information on which
he then started 'john', the password cracker.
Our countermeasures so far included:
- disabling of login/ssh/public_html access for nico
- killing two user-processes (one for IRC proxy-bots and one for
password cracking)
- generically preventing any URL with something like
'sysconf/thoth.codespeak.net' in it in order to not leak
sensitive system information
- continued analysis of traces, logfiles and system binaries
which could be used to hide traces. (actually the modern way
of hiding traces is to install a kernel module which hides
itself from 'lsmod' and additionally hides processes and
directories following specific patterns. But it doesn't seem
like the attacker was able to do this especially because he
didn't know how to handle vi :-)
However, as we must assume that the /etc/shadow encrypted information
is now out there, it's probably a good idea (and an important safety
measure) that everybody changes his/her password unless you are sure
that you have a very good password (like the ones we usually
generate for new users).
If you don't know your password anymore or if you want a good random one
just send me a mail.
Please don't look around the codespeak system (e.g. into /etc) in the next
days when you log in but just change your password. Otherwise we may
assume that another account is about to be cracked ... or if you
really want to look around (you are welcome) then mail us before
you start.
sorry for the inconvenience,
holger
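As an added example (not part of the original mail, and not codespeak's own tooling), here is the kind of scanner one would run over the web server's logfiles to find requests that touched the 'sysconf/thoth.codespeak.net' path, whether through the access-controlled /svn/ tree or through viewcvs. The log lines are constructed samples, and the /viewcvs/ URL layout is an assumption.

```python
import re
from urllib.parse import unquote

# Path fragment the mail says should never be served; any request URL
# containing it (via /svn/ or via viewcvs) deserves a second look.
SENSITIVE_FRAGMENT = "sysconf/thoth.codespeak.net"

# Apache "combined" log format. The lines below are constructed samples,
# not real codespeak log data.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2004:22:41:03 +0100] "GET /viewcvs/sysconf/thoth.codespeak.net/etc/shadow?rev=12 HTTP/1.1" 200 1843
203.0.113.7 - - [02/Feb/2004:22:41:10 +0100] "GET /viewcvs/sysconf/thoth.codespeak.net/etc/ HTTP/1.1" 200 5120
198.51.100.2 - - [02/Feb/2004:23:05:41 +0100] "GET /svn/sysconf/thoth.codespeak.net/etc/shadow HTTP/1.1" 401 512
198.51.100.2 - - [02/Feb/2004:23:06:02 +0100] "GET /viewcvs/%73ysconf/thoth%2Ecodespeak.net/etc/passwd HTTP/1.1" 200 2210
192.0.2.33 - - [03/Feb/2004:00:10:00 +0100] "GET /svn/pypy/trunk/README HTTP/1.1" 200 900
"""

def normalize_path(url):
    """Drop the query string, percent-decode repeatedly and lower-case,
    so percent-encoded spellings of the path are matched too."""
    path = url.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def find_sensitive_hits(log_text):
    """Return (ip, url, status, leaked) for every request touching the fragment.

    'leaked' is True when the server answered 200: the apache-layer auth on
    /svn/ yields 401, while a 200 via viewcvs means the content was served.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if SENSITIVE_FRAGMENT in normalize_path(m["url"]):
            status = int(m["status"])
            hits.append((m["ip"], m["url"], status, status == 200))
    return hits

if __name__ == "__main__":
    for ip, url, status, leaked in find_sensitive_hits(SAMPLE_LOG):
        print(("LEAKED " if leaked else "blocked") + f" {status} {ip} {url}")
```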