Debian developers locked out after server hack

Open source project has fallen victim to a malicious attack, with weak passwords taking the blame

The Debian GNU/Linux project has locked a number of its developers out of their system accounts following a security scare in which the hack of a key internal server was discovered this week.

The lockout took place due to the fact a compromised developer account was used to take control of the server, according to an email sent to the community by Debian developer Martin Schulze.

"At least one developer account has been compromised a while ago and has been used by an attacker to gain access to the Debian server," Schulze wrote.

The developer said the attacker then used a recently discovered vulnerability in the Linux kernel to gain root — or admin — access on the server.

"An investigation of developer passwords revealed a number of weak passwords whose accounts have been locked in response," Schulze wrote.

While the compromised server — dubbed "gluck" — has had its software reinstalled and is now back online with all services intact, other parts of Debian's infrastructure remain closed off from casual access.

"Other Debian servers have been locked down for further investigation whether they were compromised as well," wrote Schulze. "They will be upgraded to a corrected kernel before they will be unlocked".

Schulze said the particular Linux vulnerability only exists in kernel versions:

  • 2.6.13 up to versions before
  • 2.6.16 up to versions before

Schulze advised admins to upgrade their software if they were using these versions but said the current stable version of Debian was not affected as it run kernel 2.6.8.

Wider damage to Debian's infrastructure may have been avoided. "Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," wrote Schulze.

"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."

The embarrassing security breach is not the first for Debian. In November 2003 several of Debian's servers were similarly compromised and pulled offline.