forum.opennet.ru

Составление сообщения

Исходное сообщение

"Инфраструктура проекта FreeBSD подверглись взлому, не исключ..."
Отправлено Михрютка, 18-Ноя-12 17:47

на слешдоти пишут:
http://it.slashdot.org/comments.pl?sid=3257875&cid=42017989
The security team and cluster admin has also been working very hard over the past few months to partition the FreeBSD cluster a lot better. If this attack had happened in a month or two, you wouldn't be hearing about it because nothing of value would have been compromised. The attack was against the legacy package building infrastructure, which is due to be retired soon. It was able to get access to more systems because it had the developers' home directories mounted (this isn't be the case with the new system, which is completely isolated). They're also rolling out the new audit logging daemon, which should mean that this sort of thing would be detected much sooner in the future.
We were lucky. The attackers seemed not to know what they'd found. There was an (apparently) automated scan for ssh keys (which have now all been revoked) and that's about it. They seemed to be trying to add the machine to a botnet, rather than to attack it directly. We believe that they got access via a compromised developer VM which had an ssh key that connected to the cluster (for doing svn+ssh commits), so it's possible that it was an entirely automated attack. They attempted to run a load of Linux admin commands and apparently gave up when they didn't work. As far as we can tell, they didn't actually modify anything (although, of course, the compromised machines are offline pending imaging for forensic analysis and clean reinstalls or replacement, just in case). The announcement tells you not to trust any of the things that we know that they could have touched, but it currently looks like there's a very low probability that they did touch anything. For example, they might have modified ports / base cvs, but the top of the tree is identical to the svn tree (which had off-site backups, and has had every recent commit manually audited) and so they'd have had to insert something bad and then remove it in a subsequent CVS version, and that seems unlikely. Verifying cvs is pretty hard, which is part of the reason why we're encouraging everyone to move to svn now.
мнэ это особенно понравилось: They attempted to run a load of Linux admin commands and apparently gave up when they didn't work.
ггг

Исходное сообщение
"Инфраструктура проекта FreeBSD подверглись взлому, не исключ..." Отправлено Михрютка, 18-Ноя-12 17:47
на слешдоти пишут: http://it.slashdot.org/comments.pl?sid=3257875&cid=42017989 The security team and cluster admin has also been working very hard over the past few months to partition the FreeBSD cluster a lot better. If this attack had happened in a month or two, you wouldn't be hearing about it because nothing of value would have been compromised. The attack was against the legacy package building infrastructure, which is due to be retired soon. It was able to get access to more systems because it had the developers' home directories mounted (this isn't be the case with the new system, which is completely isolated). They're also rolling out the new audit logging daemon, which should mean that this sort of thing would be detected much sooner in the future. We were lucky. The attackers seemed not to know what they'd found. There was an (apparently) automated scan for ssh keys (which have now all been revoked) and that's about it. They seemed to be trying to add the machine to a botnet, rather than to attack it directly. We believe that they got access via a compromised developer VM which had an ssh key that connected to the cluster (for doing svn+ssh commits), so it's possible that it was an entirely automated attack. They attempted to run a load of Linux admin commands and apparently gave up when they didn't work. As far as we can tell, they didn't actually modify anything (although, of course, the compromised machines are offline pending imaging for forensic analysis and clean reinstalls or replacement, just in case). The announcement tells you not to trust any of the things that we know that they could have touched, but it currently looks like there's a very low probability that they did touch anything. For example, they might have modified ports / base cvs, but the top of the tree is identical to the svn tree (which had off-site backups, and has had every recent commit manually audited) and so they'd have had to insert something bad and then remove it in a subsequent CVS version, and that seems unlikely. Verifying cvs is pretty hard, which is part of the reason why we're encouraging everyone to move to svn now. мнэ это особенно понравилось: They attempted to run a load of Linux admin commands and apparently gave up when they didn't work. ггг

Ваше сообщение

Имя*:

EMail:

Для отправки ответов на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру