N
NAKAMURA, Hiroshi
Hi,
RAA restarted.
Summary: On 7. Jun 2004, RAA restarted its service. We think the data
RAA keeps is clean but we have a favor to ask RAA project owners; PLEASE
CHECK YOUR RAA ENTRIES AND UPDATE IT FOR CONFIRMATION.
(1) Open your project page
(2) Check project information
(3) Go update page
(4) Press "submit" button even if you don't think any update needed
(it's for confirmation)
http://raa.ruby-lang.org
As we ruby-lang.org administrators group announced in
[ruby-talk:101747][1], we detected penetration into helium.ruby-lang.org
on 28. May 2004. Helium was the canonical name of raa.ruby-lang.org,
which hosts whole RAA service. RAA has been down since 28. May 2004.
While the service stop, we did detailed investigation into possible
interpolation of resources on the machine, but found nothing. From our
investigation, only the possible exploit that intruder(s) could use is
"CVS remote vulnerability" that came Coordinated Public Disclosure on
19. May 2004[2]. We ran our anonymous cvs service in chroot protected
environment and it is estimated that intruder(s) failed to get local
privilege escalation.
But we cannot prove that no interpolation have done even if we haven't
found any evidence. So we reinstalled whole RAA software and did the
following data verification.
* We made a daily diff of RAA data from 1) the clean RAA data copy
backed up in 27 Mar, 2) daily backups from 4 Apr to 28 May, and 3) the
latest RAA data of 28 May.
2) and 3) are located on chroot protected area on the machine.
1) is clean because it was kept in development environment.
* RAA data update:
http://raa.ruby-lang.org/announce/soapbox-diff-all-passphrasemask.txt
* RAA new entry:
http://raa.ruby-lang.org/announce/soapbox-new-passphrasemask.txt
* We confirmed that above whole diffs are not suspicious.
It can be concluded that the RAA data of 28 May (the same data we use
for RAA service restart) does not include any suspicious information.
And we decided to restart the RAA service as it was in 28 May. But we
cannot offer assurances that normal-looking change by intruder never be
included. For example, the change of sampleproject on 18. May is as
follows;
== sampleproject
- updated: Sun May 09 12:35:19 GMT+9:00 2004
+ updated: Mon May 17 13:00:38 GMT+9:00 2004
- version: 0.0.8
+ version: 0.1.1
We don't see any suspicious sign about this but it's not impossible to
suspect it of an interpolation by intruder. So we have a favor to ask
RAA project owners; PLEASE CHECK YOUR RAA ENTRIES AND UPDATE IT FOR
CONFIRMATION.
(1) Open your project page
(2) Check project information
(3) Go update page
(4) Press "submit" button even if you don't think any update needed
(it's for confirmation)
Please contact (e-mail address removed) if you find any suspicious data
in RAA, or you have any question. Thank you for your cooperation.
Regards,
// NaHi, a member of (e-mail address removed)
[1] http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/101747
[2] http://security.e-matters.de/advisories/072004.html
RAA restarted.
Summary: On 7. Jun 2004, RAA restarted its service. We think the data
RAA keeps is clean but we have a favor to ask RAA project owners; PLEASE
CHECK YOUR RAA ENTRIES AND UPDATE IT FOR CONFIRMATION.
(1) Open your project page
(2) Check project information
(3) Go update page
(4) Press "submit" button even if you don't think any update needed
(it's for confirmation)
http://raa.ruby-lang.org
As we ruby-lang.org administrators group announced in
[ruby-talk:101747][1], we detected penetration into helium.ruby-lang.org
on 28. May 2004. Helium was the canonical name of raa.ruby-lang.org,
which hosts whole RAA service. RAA has been down since 28. May 2004.
While the service stop, we did detailed investigation into possible
interpolation of resources on the machine, but found nothing. From our
investigation, only the possible exploit that intruder(s) could use is
"CVS remote vulnerability" that came Coordinated Public Disclosure on
19. May 2004[2]. We ran our anonymous cvs service in chroot protected
environment and it is estimated that intruder(s) failed to get local
privilege escalation.
But we cannot prove that no interpolation have done even if we haven't
found any evidence. So we reinstalled whole RAA software and did the
following data verification.
* We made a daily diff of RAA data from 1) the clean RAA data copy
backed up in 27 Mar, 2) daily backups from 4 Apr to 28 May, and 3) the
latest RAA data of 28 May.
2) and 3) are located on chroot protected area on the machine.
1) is clean because it was kept in development environment.
* RAA data update:
http://raa.ruby-lang.org/announce/soapbox-diff-all-passphrasemask.txt
* RAA new entry:
http://raa.ruby-lang.org/announce/soapbox-new-passphrasemask.txt
* We confirmed that above whole diffs are not suspicious.
It can be concluded that the RAA data of 28 May (the same data we use
for RAA service restart) does not include any suspicious information.
And we decided to restart the RAA service as it was in 28 May. But we
cannot offer assurances that normal-looking change by intruder never be
included. For example, the change of sampleproject on 18. May is as
follows;
== sampleproject
- updated: Sun May 09 12:35:19 GMT+9:00 2004
+ updated: Mon May 17 13:00:38 GMT+9:00 2004
- version: 0.0.8
+ version: 0.1.1
We don't see any suspicious sign about this but it's not impossible to
suspect it of an interpolation by intruder. So we have a favor to ask
RAA project owners; PLEASE CHECK YOUR RAA ENTRIES AND UPDATE IT FOR
CONFIRMATION.
(1) Open your project page
(2) Check project information
(3) Go update page
(4) Press "submit" button even if you don't think any update needed
(it's for confirmation)
Please contact (e-mail address removed) if you find any suspicious data
in RAA, or you have any question. Thank you for your cooperation.
Regards,
// NaHi, a member of (e-mail address removed)
[1] http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/101747
[2] http://security.e-matters.de/advisories/072004.html