[Discussioni] Main AGNULA Host attacked (and potentially compromised)

The AGNULA project info at agnula.org
Tue 19 Apr 2005 18:45:46 CEST


+-----------------------------------------------------------------+
|                  ______ ______  _     _ _                       |
|            /\   / _____)  ___ \| |   | | |        /\            |
|           /  \ | /  ___| |   | | |   | | |       /  \           |
|          / /\ \| | (___) |   | | |   | | |      / /\ \          |
|         | |__| | \____/| |   | | |___| | |_____| |__| |         |
|         |______|\_____/|_|   |_|\______|_______)______|         |
|                                                                 |
+-----------------------------------------------------------------+

     [Sorry for cross-posting.  Feel free to forward around]

Florence, 19 April 2005

+++ Main AGNULA Host attacked (and potentially compromised)

On Sunday, April 16, 2005, the main AGNULA host (agnula.speech.kth.se,
hosting    lists.agnula.org,    www.agnula.org,   download.agnula.org,
devel.agnula.org, muzik.agnula.org  and related services)  was subject
to an attack (see below).  The  attacker(s) (whose identity is unknown
as of today) managed to download, *but not successfully run*, a
backdoor   on the   system;  thanks  to  the  tight  security measures
implemented on the  host -  and after a  thorough  check of the  whole
system - we believe that the latter was *not* compromised.

However, following good security practices   and common sense, we  can
not guarantee the integrity of the host.  Since we had already planned
an extensive upgrade  of the server, we  decided to go down the  safer
route: completely   wipe out  the   system, reinstall  everything from
scratch and  recover backup  data from  the  day before the  attempted
compromise.

The wipeout/installation/recover operations will begin tomorrow (April
20, 2005) early  afternoon (approximately 3:00  p.m., Central European
Time).  They should be concluded *at most*  on Monday (April 25, 2005)
- we  actually   hope to do  everything  much  quicker, but  you  will
understand  our  main concern  in this moment  is reliability  and not
speed.  In the meantime, we urge you to use the mirrors at:

* http://freesoftware.ircam.fr/mirrors/agnula/

* http://ccrma.stanford.edu/mirrors/agnula/

The mailing lists  (including the  archives),  the main web site,  the
AGNULA  Libre Music web site, the  AGNULA Development platform will be
unusable until after the reinstallation process is finished.

We  are quite confident  that you can safely  download and install the
latest released version  of A/DeMuDi  (1.2.1-rc2)  as well as  all the
previous ones, as the relevant ISO images were  uploaded on the server
before  the attack and we  have no tangible  proof that they have been
tampered with.

+++ The attack

The attack used a bug in GForge 3.x "scm" subsystem.

We decided not to immediately disclose full information on the type of
the attack; we promptly informed the maintainers of the affected
program, and we are waiting for the "green light" on their side before
posting details in the wild.

We  urge all administrators   of GForge-based systems  (all 3.x series
seem affected by it) to temporarily disable the "scm" subsystem, until
a proper patch has been issued.

The discovery and  the  analysis  were  conducted by  Filippo  Morelli
<spike at miu-ft.org>. We would like to publicly thank him for his
prompt  action  and detailed   report, that allowed  us  to   take the
necessary steps very quickly.

+++

About  AGNULA:  Agnula (acronym  for   A GNU/Linux Audio distribution,
pronounced  with a strong  g)  is the name  of  a project funded until
April   2004 by  the  European    Commission  (number of     contract:
IST-2001-34879; key action IV.3.3, Free Software: towards the critical
mass).  After the end  of the funded  period, AGNULA is continuing its
work, aiming to spread Libre Software  in the professional audio/video
arena.

Big thanks to the following institutions  for their help in supporting
AGNULA:

- Firenze Tecnologia <http://www.firenzetecnologia.it>

  for paying Free Ekanayaka to work full-time on maintaining A/DeMuDi;

- Swedish Royal Institute of Technology <http://www.kth.se/>

  for housing the main AGNULA server

- IRCAM <http://www.ircam.fr> and CCRMA <http://ccrma.stanford.edu/>

  for providing mirror space and bandwidth

Best regards,

--
The AGNULA Team                                   info at agnula.org
Our mailing lists:                        http://lists.agnula.org/
Our web site:                               http://www.agnula.org/
"There's no free expression without control on the tools you use"
 


