From: Heiko Z. <he...@zu...> - 2006-10-20 12:53:19

Thank you for your feedback, Victor. I would appreciate it if you could respond to your post on full-disclosure and confirm that there was no problem with Devil-Linux. We need to limit the damage this post has already caused. I forwarded your email to our mailing list, since non-subscriber emails get deleted.

Thanks
Heiko

---------------------------- Original Message ----------------------------
Subject: Re: false accusations
From: "Victor Grishchenko" <gr...@pl...>
Date: Fri, October 20, 2006 04:57
To: "Heiko Zuerker" <he...@zu...>
Cc: dev...@li..., dev...@li..., dev...@li...
--------------------------------------------------------------------------

Hi Heiko.

On 19.10.2006, at 23:02, Heiko Zuerker wrote:

> I am the project leader of Devil-Linux.
> First of all our website is up and was not down at any time.

It was a coincidence; our proxy cached a zero-sized reply for some unknown reason.

> I don't know how this bot got on your system, but what you're writing does
> not make any sense.
> 1. There's no bot included in the DL sources

Yes, sorry. We had an intrusion.

> 2. It can never have been compiled on a running DL system, because there
> are no compilers included.

Indeed. The intruder downloaded a tar with both binaries and sources. We mistakenly decided that he compiled it right on the site.

> 3. It can only have been introduced (compiled from source as you say) if
> the machine you compiled DL on was compromised.

Unlikely. The intruder's bash_history from the DL host is attached.

> 4. The location you specify (/shm) is a ramdisk. So it must be copied onto
> the system after it boots up. This can only be the case if you have the
> system wide open and somebody can log in easily.

Yes. Most probably he logged in using public key login from another intranet host. We found a DMZ host which is the most probable initial point of the intrusion. Also, we've "seized" a ton of haxor tools. The intrusion chain was non-obvious, so we mistakenly suspected DL.

The mail was sent to full-disclosure mostly because the DL site appeared "down". There are no problems with the DevilLinux distro. My excuses!

Victor

--
Regards
Heiko Zuerker
http://www.devil-linux.org