GNU server attack raises Linux code concerns

The Free Software Foundation, sponsors of the GNU free software project, said Wednesday that a key server housing the group’s Linux software was broken into by a malicious hacker.

The software, which the Free Software Foundation refers to as GNU/Linux is a variant of Linux that is available free on the Internet.

The intrusion, which took place in March, compromised an FTP server that housed software making up the core of the FSF’s GNU/Linux operating system, according to Bradley Kuhn, executive director of the Free Software Foundation (FSF) in Boston.

Those files included the GNU C language library and compiler, as well as other software utilities, Kuhn said.

The intruder compromised the FSF server using a now-patched vulnerability in a Linux component called PTRACE.

That vulnerability, which could enable attackers to remotely compromise and take control of affected Linux systems, was disclosed in March. No patch for the vulnerability was available when the FSF server was compromised, Kuhn said.

After gaining control of the FSF server, the malicious hacker took steps to disguise the compromise, installed a trojan horse program giving him or her access to the machine and harvested passwords from user accounts on the server, Kuhn said.

The affected accounts belonged to so-called “maintainers,” FSF volunteers who are charged with maintaining various components of the GNU software, he said.

Those people have been notified about the compromise, he said.

After learning of the compromise in late July, FSF staff took the server off-line and replaced it with a secure server. The organization also removed all GNU software from the compromised system.

Since it discovered the problem, the FSF has been methodically reviewing the integrity of thousands of files exposed by the break-in and returning them to their FTP server, Kuhn said.

FSF volunteers have checked the versions of the software from the compromised server with originals in possession of the maintainers as well as copies from backups done before the compromise, he said. As of Thursday, 80% or 90% of the original files have verified and reposted to the server.

The FSF feels confident that the malicious hacker was interested in obtaining passwords, not tampering with the GNU software, Kuhn said.

“We have no evidence that anybody did anything,” he said.

All the same, the FSF encourages GNU users who downloaded software from the site between March and July, as well as Internet sites that mirror the source code from the compromised server to verify the integrity of their GNU software.

In addition to comparing file size and time stamps, users can refer to a list of valid file signatures, known as MD5 hashes, that validate the content of the GNU files, according to the CERT Coordination Center, which issued an advisory about the break-in on Wednesday.

The FSF posted a secure list of MD5 hashes on its server.

According to Kuhn, the FSF fell victim to a new Linux vulnerability and changes in the culture of the Internet.

“We’ve always tried to design the system so it’s convenient,” he said.

“Unfortunately, the world of the Internet that created the Free Software Foundation in 1985 isn’t the world of the Internet in 2003.”

The FSF will be tightening up access to its host servers for volunteers looking to post updates to FSF servers, he said.

The organization will also be requiring its hundreds of volunteer maintainers to post MD5 signatures with each software update. In the past, the FSF had no hard policy on the use of signatures with updates, he said

While it doesn’t undermine the integrity of GNU’s software, the incident is a black eye for the FSF, according to Richard Smith, a Boston-based independent security consultant.

“It’s bad PR, that’s for sure,” Smith said.

The FSF should institute a better system for signing and tracking software updates in the future, Smith said.

“There needs to be some accountability,” he said.