Server compromise delays GNOME 2.6

Evidence that intruders gained access to the project's Web server has prompted a cleanup effort that will delay the next version of the open-source desktop by a week.
Written by Robert Lemos, Contributor
Citing evidence that intruders gained access to its Web server, the GNOME Project said on Wednesday that it has launched a cleanup effort that will delay the next version of the open-source desktop by a week.

As CNET News.com reported, system administrators for the GNOME (GNU Network Object Model Environment) Project found evidence on Tuesday indicating that the project's Web server had been compromised. As a result of the breach, the team responsible for releasing GNOME 2.6 has decided to delay the update until March 31, Jeff Waugh, a project member, stated in a Wednesday announcement to developers.

"While we have determined that none of our released sources were affected, we are showing due caution by giving the (system administrator) team plenty of time to finish their investigation and restore critical services," he stated. "Apologies for the delay, especially for all our friends around the world who have organized GNOME 2.6 release parties!"

GNOME 2.6 brings incremental improvements to the graphical user interface, through which many Linux desktop users see the open-source operating system. For example, Nautilus, the file browser, is faster and more extensible, the GNOME project maintains. Various flavors of Linux, including Red Hat, Novell's SuSE and Mandrake, use the GNOME desktop system. Each can also be configured to use the major alternative, KDE, or several others.

The breach, while apparently minor, is the latest attack on open-source development servers in the last year.

In November, the servers for two Linux projects--Debian and Gentoo--were compromised. Earlier the same month, an attacker managed to gain access to a server that mirrored the latest version of the code for the Linux kernel. And in March and December, separate attacks on servers hosting software under development by the GNU Project, the source of much of the free software used by Linux, successfully breached those systems.

On Tuesday, the GNOME Web site had been shut down by the system administrator team. And although the site and several other services, such as file-downloading capabilities, were again available Wednesday, the site is currently down.

"Clumsy" intruder
"No additional damage has been discovered," Owen Taylor, a member of the GNOME system administration team, stated in an e-mail to the project mailing list. "At the current time, we are cautiously hopeful that the compromise was limited in scope."

GNOME Project members first noticed the attack at 1 a.m. PST on March 23, when a bug database server, known as Widget, started to act strangely, said Callum McKenzie, a GNOME developer who investigated part of the attack. Programmers originally thought that the strange behavior was due to an update to the bug database software but soon noticed that several strange programs seemed to be running on the system.

"The time between the intrusion...and discovery (was) probably less than two hours," McKenzie said. "It appears that the intruder was very clumsy."

Upon investigation, the system administration team found a collection of intrusion tools, commonly referred to as a "root kit," in a folder reserved for temporary storage. At least one programmer believed that the server had been compromised through a vulnerability in a data synchronization program called Rsync. The same flaw had been used to compromise a file server the Gentoo Linux Project used last December.

"The potentially serious problem is if Widget (the bug-database server) has been used to interfere with the GNOME 2.6 release," McKenzie said.

McKenzie stressed that the GNOME Project is being careful that no illicit changes have been made. "It looks like (the intruders) were doing some sort of DOS (denial of service) attack from Widget rather than trying to disrupt the GNOME Project," he said. "We still have to check, though."