OT: What's up with the starship?

micahel at gmail.com micahel at gmail.com
Mon Oct 16 12:15:57 CEST 2006


rurpy at yahoo.com wrote:
> Then perhaps he should have said that, in which case I would
> have explained why he did not understand what he read.  Let me
> try again...

Well, let's have some answers then.

> 1. A site which hosts (I think, hence the questions) a number
> of high profile, popular python projects was compromised.

Yes.  However, it doesn't *seem* as if the machine was deliberately
targeted, and I think it's unlikely the attackers were interested in
trojanning software.  But of course the machine was rooted, so it's
pretty hard to be sure of these things.

> 2. It was compromised with a root kit which by their nature,
> often go undetected for a long time.

As far as I can tell, the machine was compromised on 2006-09-02.

Irritatingly we didn't find out until just after logrotate had deleted
the logs for around the time of the attack.

It wasn't a very subtle rootkit -- installing a version of netstat with
different command line options, for example...

> 5. Verifying that such a thing has not happened can be very
> difficult, particularly if the date and other details of the
> compromise cannot be accurately determined.

I guess you should find out from the author of whatever you downloaded
what the checksums should have been for what you downloaded and check
that against what you downloaded.

If you don't still have the downloaded files, I can tell you what the
md5s of the files in the backup are.

> 6. Many organisations give image and PR a higher priority
> than the safety of their customers/users and wave off security
> breaches with "don't worry, everything is fine.  We're sure
> nothing has been touched" when in fact they have no idea.

There is no organization behind python.net.

I am a volunteer.  I help run python.net in my spare time.

> 7. I have seen no public statements or information about
> this leading me to wonder about the situation and how it's
> being handled, hence my seeking of further information.

I'm sorry, I'm busy trying to get the server going again.

> But, I am still completely at a loss why you, he, or anyone,
> based on the information presented so far, would conclude
> that the python security problem is unrelated.

Why would it be?  For all its position in the community, there aren't
actually many python web apps running on python.net, certainly not as
root...

Cheers,
mwh



