[MPlayer-dev-eng] MPHQ server maintainence, upgrade

Arpi arpi at thot.banki.hu
Sun Dec 21 11:31:36 CET 2003


Hi,

> I have a couple of questions, regarding your comments about reinstalling
> the MPHQ server.
> 
> 1) You say on the frontpage that 
> > MPlayerHQ was cracked on November 16 17:50, but noticed 10 minutes
> > later due to some hidden traps. Possibly due to recent lame Linux
> > kernel vulnerability (greetz to kernel devs for not publishing details
> > much earlier).
> 
> a) If the compromise happened on the 16th of November, and you found out
> what vulnerability was used in that attack, then why didn't you alert

we didnt find what vuln was used, that time

> the kernel developers, which were obviously unaware about the security
> implications of the bug, instead of waiting for Debian and Gentoo
> machines to be compromised? If you didn't find out what vulnerability
> was used in that attack, why mention it in the first place?
> b) I've searched both Google and the mailing list archives, but didn't
> find any announcement of the compromise. What happened with the box
> after it was compromised?

as we had no idea how do they come in, we find it better not advertising
that mphq is vulnerable, until we find the problem.
shutting down mphq and waiting for miracles, or do per-file audit of the
whole shit debian were not options.

> 2) In your mail, you state:
> >1. why to reinstall?
> >- mphq was almost cracked recently (noticed in time, thanks to my hidden
> >  traps), thanks to debian and kernel bugs
> 
> Could you clarify that? What Debian bugs were used? I'm not aware of
> any, and I'm sure Debian developers would love to hear about them.

the system was kept up-to-date (as much apt-get update&upgrade can do that),
the public services were configured correctly (no silly configuration
mistakes) so the only cause can be either getting compromised packages from
cracked debian servers, or having some debian packages having some bugs.

i'm monitoring all file changes on an internal server, so we could notice
the rootkit installation attempt immediatelly (and also be sure that no
changes made in public files, like mplayer tarball). but due to high network
traffic, we cant monitor all network stuff, so couldnt find the origin
of the intrusion. i've enabled more carefully logging and monitoring
to find the vuln. when he comes back next time, but it didnt happen.

> 3) Could you, _PLEASE_, stop with the FUD about Debian? Really, it does
> neither side any good.

nope, it's fun :)
and they do deserve it, for their role in the binary distribution/legal
flamewar.


A'rpi / Astral & ESP-team

--
Developer of MPlayer G2, the Movie Framework for all - http://www.MPlayerHQ.hu




More information about the MPlayer-dev-eng mailing list