Free Software servers breached

A key server housing software used in Linux and other projects was open to an attacker for four months, creating fears that source code was compromised

The GNU Project, which develops many of the components in the Linux operating system, said this week that the system housing its primary download servers has been compromised by an attacker. The project urged those who have downloaded software from the server since March to check that the source code has not been tampered with.

Linux, an open-source operating system that dominates the Web server market, uses the compiler, libraries and other software that was originally developed by the GNU project. The project warned that the attacker may have inserted malicious code into its software, although it said all the code checked so far appeared to be intact.

In an alert issued on Wednesday, computer security response organisation CERT warned that the breach could prove to be a serious problem. "Because this system serves as a centralised archive of popular software, the insertion of malicious code into the distributed software is a serious threat," the warning stated.

The Free Software Foundation, the GNU project's overseer, has issued lists of hashes -- numbers generated by the source code of software known not to have been compromised -- which can be used to verify downloaded code. The lists can be found here and here.

The attacker compromised the project's servers to the root level, gaining complete control over the system, according to the GNU Project. The attack was carried out using an exploit that was revealed on 17 March, and for which a patch only became available a week later. During that week, the intruder compromised the system and installed a piece of malicious code known as a Trojan horse, according to evidence found on the machine.

The Trojan stayed in place until it was discovered in the last week of July, the project said. "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines," the project said in a statement on its Web site.

The group said it has spent the weeks since the compromise was discovered verifying the integrity of its software. "Most of this work is done, and the remaining work is primarily for files that were uploaded since early 2003, as our backups from that period could also theoretically be compromised," the statement said.

The project said it believes no source code was compromised. "The evidence includes the MO of the cracker, the fact that every file we've checked so far isn't compromised, and that searches for standard source Trojans turned up nothing," the group stated.