More details on the recent compromise of debian.org machines
Posted on: 11/28/2003 07:17 AM
James Troup has published more details on the recent compromise of debian.org machines
On November 20 it was noticed that master was kernel oops-ing lots. While investigating this it was discovered that murphy was showing the exact same oops, which was an overly suspicious coincidence. Also klecker, murphy and gluck have aide installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and ctime timestamps for /usr/lib/locale/en_US had changed.Read more
Investigation revealed the cause for both these things to be the suckit root kit (see the "Suckit" appendix for more info).