[kaffe] [OffTopic] Savannah has been compromised

Jim Pick jim at kaffe.org
Thu Dec 4 13:20:04 PST 2003


On Thu, 04 Dec 2003 00:54:24 +0100
Dalibor Topic <robilad at kaffe.org> wrote:

> Hi all,
> 
> since I haven't received any news on this yet, and many people here 
> probably contribute to one project on Savannah or another, I just wanted 
> to spread the news that savannah.gnu.org has been compromised. cracked. 
> broken in. just like debian last week.

Scary stuff.  It's got me spooked.  I ran chkrootkit on our server, and
it looks like it's OK.

Actually, it did show this:

 Checking `lkm'... You have     1 process hidden for readdir command
 You have     1 process hidden for ps command
 Warning: Possible LKM Trojan installed

But that's a common false positive due to the way it does the test (due
to a mismatch between Debian's 'ps' command output and /proc).  Just to
be sure, I removed kernel module support from the kernel, and it still
does it.  My web server at home had some false positives as well - yay.

I also upgraded to kernel 2.4.23 (because of the latest ptrace bug that
was used to compromise Debian), and updated rsync (which was used to
compromise Gentoo).

We don't have a lot of user accounts on the server, and I usually
upgrade packages within hours of reading the Debian security advisories,
so I think we've been lucky so far.

I think with all of these high-profile compromises lately, I'm going to
take some measures to tighten up security on the server even more.
There's a few things I've been wanting to experiment with, like moving
some services out of the main server environment to individual user-mode
Linux "virtual machines", and even running some of the services on Kaffe
itself.  And I'll probably look at ways of tightening up password
security, etc.  This should only affect the few developers that have
accounts on the server - it probably affects me the most.

For the rest of the users, I strongly encourage you to use the GPG
signature files that I make for every release to verify that the
released files have indeed been signed by my private GPG key.  There are
instructions in the signature file on how to do this.  This way, you can
be sure that you are not building from Trojan'ed sources, in the
possible event where Kaffe.org has been compromised.

Cheers,

 - Jim
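
A cross-view check of the kind the chkrootkit warning above reports, as an added Python example that is not part of the original message and is not chkrootkit's own code: it compares the PIDs listed in /proc with those printed by ps and keeps only mismatches that persist across repeated snapshots. The function names and the sample snapshots are constructed for illustration.

```python
import os
import tempfile

def proc_pids(proc_root="/proc"):
    """PIDs seen by listing the proc filesystem (the readdir view)."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def ps_pids(ps_output):
    """PIDs parsed from ps text; the first column is assumed to be the PID."""
    rows = (line.split() for line in ps_output.splitlines())
    return {int(f[0]) for f in rows if f and f[0].isdigit()}

def cross_view(sample, rounds=3):
    """Return (only_in_proc, only_in_ps), keeping PIDs that mismatch in every round.

    sample() returns (proc_view, ps_view). A PID that differs in a single
    round started or exited between the two snapshots and is dropped.
    """
    only_proc = only_ps = None
    for _ in range(rounds):
        proc_view, ps_view = sample()
        a, b = proc_view - ps_view, ps_view - proc_view
        only_proc = a if only_proc is None else only_proc & a
        only_ps = b if only_ps is None else only_ps & b
    return sorted(only_proc), sorted(only_ps)

# Constructed sample data: (entries of a fake /proc, ps output) per snapshot.
SNAPSHOTS = [
    (["1", "412", "977", "self", "cpuinfo"],
     "  PID TTY      TIME CMD\n    1 ?    00:00:01 init\n  412 ?    00:00:00 sshd\n"),
    (["1", "412", "977", "1203", "self"],   # 1203: short-lived, seen once in /proc
     "  PID TTY      TIME CMD\n    1 ?    00:00:01 init\n  412 ?    00:00:00 sshd\n"),
    (["1", "412", "977", "self"],           # 1300: short-lived, seen once by ps
     "  PID TTY      TIME CMD\n    1 ?    00:00:01 init\n  412 ?    00:00:00 sshd\n 1300 ?    00:00:00 cron\n"),
]

def demo():
    snapshots = iter(SNAPSHOTS)
    def sample():
        names, ps_text = next(snapshots)
        with tempfile.TemporaryDirectory() as root:   # stand-in for /proc
            for name in names:
                os.mkdir(os.path.join(root, name))
            return proc_pids(root), ps_pids(ps_text)
    return cross_view(sample, rounds=len(SNAPSHOTS))

if __name__ == "__main__":
    print(demo())
```

A PID that survives every round, like 977 in the constructed data, is the one that deserves a manual look; on a live host, sample() would read the real /proc and the output of ps instead.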




