Original issue date: August 13, 2003<br>
Last revised: -- <br>
Source: CERT/CC<br>

<p>A complete revision history is at the end of this file.</p>

<h2>Overview</h2>

<p>The CERT/CC has received a report that the system housing the
primary FTP servers for the GNU software project was compromised.</p>
<br>
<h2>I. Description</h2>

<p>The <a href="http://www.fsf.org/gnu/thegnuproject.html">GNU
Project</a>, principally sponsored by the <a
href="http://www.fsf.org/">Free Software Foundation</a> (FSF),
produces a variety of freely available software.  The CERT/CC has
learned that the system housing the primary FTP servers for the GNU
software project, <font face="courier">gnuftp.gnu.org</font>, was root
compromised by an intruder.  The more common host names of <font
face="courier">ftp.gnu.org</font> and <font
face="courier">alpha.gnu.org</font> are aliases for the same
compromised system.  The compromise is reported to have occurred in
March of 2003.

<p>The FSF has released an <a
href="ftp://ftp.gnu.org/MISSING-FILES.README">announcement</a>
describing the incident.</p>

<p>Because this system serves as a centralized archive of popular
software, the insertion of malicious code into the distributed
software is a serious threat.  As the above announcement indicates,
however, no source code distributions are believed to have been
maliciously modified at this time.</p>

<h2>II. Impact</h2>

<p>The potential exists for an intruder to have inserted back doors,
Trojan horses, or other malicious code into the source code
distributions of software housed on the compromised system.</p>

<h2>III. Solution</h2>

<p>We encourage sites using the GNU software obtained from the
compromised system to verify the integrity of their distribution.</p>

<p>Sites that mirror the source code are encouraged to verify the
integrity of their sources.  We also encourage users to inspect any
and all other software that may have been downloaded from the
compromised site.  Note that it is not always sufficient to rely on
the timestamps or file sizes when trying to determine whether or not a
copy of the file has been modified.</p>

<h4>Verifying checksums</h4>

<p>The FSF has produced PGP-signed lists of known-good MD5 hashes of
the software packages housed on the compromised server.  These lists
can be found at</p>

<dl>
<dd><a href="ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc">ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc</a></dd>
<dd><a href="ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc">ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc</a></dd>
	      </dl>

<p>Note that both of these files and the announcement above are signed
by Bradley Kuhn, Executive Director of the FSF, with the following PGP
key:</p>

<pre>
<font face="courier">
pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn &lt;bkuhn@fsf.org&gt;
     Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
uid                            Bradley M. Kuhn (bkuhn99) &lt;bkuhn@ebb.org&gt;
uid                            Bradley M. Kuhn &lt;bkuhn@gnu.org&gt;
sub  2048g/75CA9CB3 1999-12-09
</font>
</pre>

<p>The CERT/CC believes this key to be valid.</p>

<p>As a matter of good security practice, the CERT/CC encourages users
to verify, whenever possible, the integrity of downloaded software.
For more information, see <a
href="http://www.cert.org/incident_notes/IN-2001-06.html">IN-2001-06</a>.</p>
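<p>The check this section describes, as an added Python example that is not part of the CERT/CC advisory or the FSF's own tooling: after confirming the signature on the list with <code>gpg --verify</code> against the fingerprint shown above, parse its md5sum-format lines and compare every listed file with the copy on disk. File names, file contents and the digests in the listing are constructed for the demonstration; the scenario also shows why an unchanged size and timestamp prove nothing.</p>

```python
import hashlib
import os
import tempfile
from pathlib import Path
def parse_md5sums(text):
    """Parse md5sum(1)-style lines ("<hex digest>  <path>") into {path: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, path = line.partition("  ")
            expected[path.strip()] = digest.lower()
    return expected

def md5_of(path, chunk=65536):
    h = hashlib.md5()  # MD5 only because that is what the FSF lists contain
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(root, expected):
    """Return {path: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    result = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result[rel] = "MISSING"
        else:
            result[rel] = "OK" if md5_of(full) == digest else "MISMATCH"
    return result

def demo():
    root = tempfile.mkdtemp()  # constructed local copy: one intact, one altered tarball
    files = {"example-1.0.tar.gz": b"constructed intact tarball bytes\n",
             "example-1.1.tar.gz": b"constructed original tarball bytes\n"}
    for rel, data in files.items():
        Path(root, rel).write_bytes(data)
    # Known-good list as recorded before the compromise; the last entry never arrived here.
    listing = "\n".join(f"{md5_of(os.path.join(root, r))}  {r}" for r in files)
    listing += "\nd41d8cd98f00b204e9800998ecf8427e  example-0.9.tar.gz\n"
    # Same-length overwrite plus restored mtime: size and timestamp look untouched.
    tampered = os.path.join(root, "example-1.1.tar.gz")
    st = os.stat(tampered)
    Path(tampered).write_bytes(b"constructed TROJANED tarball bytes\n")
    os.utime(tampered, ns=(st.st_atime_ns, st.st_mtime_ns))
    after = os.stat(tampered)
    report = verify_tree(root, parse_md5sums(listing))
    report["size_mtime_unchanged"] = (after.st_size, after.st_mtime_ns) == (st.st_size, st.st_mtime_ns)
    return report
```

<p>Run against a real mirror, point <code>verify_tree</code> at the mirror root and feed it the signed list only after <code>gpg --verify</code> has accepted it; a MISMATCH or MISSING entry is the file to re-download and re-check.</p>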


<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

   <p>

     This appendix contains information provided by vendors for this
     advisory.  As vendors report new information to the CERT/CC, we
     will update this section and note the changes in our revision
     history.  If a particular vendor is not listed below, we have not
     received their comments.
   </p>

<a name="fsf"></a>
<h4><a href="http://www.fsf.org/">Free Software Foundation</a></h4>

<pre>
<font face="courier">
   The current files on alpha.gnu.org and ftp.gnu.org as of 2003-08-02 have
   all been verified, and their md5sums and the reasons we believe the
   md5sums can be trusted are in:

       ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
       ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc

   We are updating that file and the site as we confirm good md5sums of
   additional files.  It is theoretically possible that downloads between
   March 2003 and July 2003 might have been source-compromised, so we
   encourage everyone to re-download sources and compare with the current
   copies for files on the site.
</font>
</pre>
<!-- end vendor -->

<a name="references"></a>
<h2>Appendix B.  References</h2>
<ul>
<li>FSF announcement regarding the incident - <a
href="ftp://ftp.gnu.org/MISSING-FILES.README">ftp://ftp.gnu.org/MISSING-FILES.README</a></li>
<li>CERT Incident Note IN-2001-06 - <a
href="http://www.cert.org/incident_notes/IN-2001-06.html">http://www.cert.org/incident_notes/IN-2001-06.html</a></li>
</ul>

<hr noshade>
<p>The CERT/CC thanks Bradley Kuhn and Brett Smith of the Free
Software Foundation for their timely assistance in this matter.</p>

<hr noshade>
<p>
Feedback can be directed to the author: 
<a href="mailto:cert@cert.org?subject=CA-2003-21%20Feedback%20CERT%2326310">Chad Dougherty</a>.
</p>



<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History</p>
<pre>
August 13, 2003: Initial release
</pre>