Hi,
RAA restarted.
Summary: On 7. Jun 2004, RAA restarted its service. We think the data RAA keeps is clean, but we have a favor to ask RAA project owners; PLEASE CHECK YOUR RAA ENTRIES AND UPDATE THEM FOR CONFIRMATION.
(1) Open your project page
(2) Check project information
(3) Go update page
(4) Press "submit" button even if you don't think any update needed
(it's for confirmation)
As we, the ruby-lang.org administrators group, announced in [ruby-talk:101747][1], we detected a penetration into helium.ruby-lang.org on 28. May 2004. Helium was the canonical name of raa.ruby-lang.org, which hosts the whole RAA service. RAA has been down since 28. May 2004.
While the service was stopped, we did a detailed investigation into possible tampering with resources on the machine, but found nothing. From our investigation, the only possible exploit the intruder(s) could have used is the "CVS remote vulnerability" whose Coordinated Public Disclosure came on 19. May 2004[2]. We ran our anonymous CVS service in a chroot-protected environment, and we estimate that the intruder(s) failed to get local privilege escalation.
But we cannot prove that no tampering was done, even though we haven't found any evidence. So we reinstalled the whole RAA software and did the following data verification.
* We made a daily diff of RAA data from 1) the clean RAA data copy backed up on 27 Mar, 2) daily backups from 4 Apr to 28 May, and 3) the latest RAA data of 28 May.
  2) and 3) are located in the chroot-protected area on the machine.
  1) is clean because it was kept in the development environment.
* RAA data update:
http://raa.ruby-lang.org/announce/soapbox-diff-all-passphrasemask.txt
* RAA new entry:
http://raa.ruby-lang.org/announce/soapbox-new-passphrasemask.txt
* We confirmed that the above diffs, taken as a whole, are not suspicious.
It can be concluded that the RAA data of 28 May (the same data we use for the RAA service restart) does not include any suspicious information, and we decided to restart the RAA service as it was on 28 May. But we cannot offer assurances that a normal-looking change made by an intruder is never included. For example, the change to sampleproject on 18. May is as follows;
== sampleproject
- updated: Sun May 09 12:35:19 GMT+9:00 2004
+ updated: Mon May 17 13:00:38 GMT+9:00 2004
- version: 0.0.8
+ version: 0.1.1
We don't see any suspicious sign about this, but it's not impossible to suspect it of tampering by an intruder. So we have a favor to ask RAA project owners; PLEASE CHECK YOUR RAA ENTRIES AND UPDATE THEM FOR CONFIRMATION.
(1) Open your project page
(2) Check project information
(3) Go update page
(4) Press "submit" button even if you don't think any update needed
(it's for confirmation)
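The daily-diff verification described above, and the sampleproject diff it produces, as an added Ruby example that is not the raa-admin team's own tooling. It runs on constructed snapshots of RAA entries and applies one extra rule that the announcement does not state and which is an assumption here: an existing entry whose fields changed while its "updated" timestamp stayed the same did not come through the RAA update form, so it is listed as suspicious.

```ruby
# Added example, not the raa-admin team's own tooling: it re-creates the daily
# diff step on constructed snapshots of RAA entries (project name => fields) and
# prints changes in the "== name / - field / + field" form used above. It adds
# one assumed rule not stated in the announcement: an existing entry whose fields
# changed while "updated" stayed the same bypassed the RAA update form.
SNAPSHOTS = [ # constructed, oldest first: [day label, { name => fields }]
  ["16 May", {
    "sampleproject" => { "updated" => "Sun May 09 12:35:19 GMT+9:00 2004", "version" => "0.0.8" },
    "otherlib"      => { "updated" => "Mon May 03 10:00:00 GMT+9:00 2004", "version" => "1.0" },
  }],
  ["17 May", {
    "sampleproject" => { "updated" => "Mon May 17 13:00:38 GMT+9:00 2004", "version" => "0.1.1" },
    "otherlib"      => { "updated" => "Mon May 03 10:00:00 GMT+9:00 2004", "version" => "1.0" },
    "newtool"       => { "updated" => "Mon May 17 09:00:00 GMT+9:00 2004", "version" => "0.1" },
  }],
  ["18 May", {
    "sampleproject" => { "updated" => "Mon May 17 13:00:38 GMT+9:00 2004", "version" => "0.1.1" },
    # version bumped but "updated" untouched: flagged by the assumed rule
    "otherlib"      => { "updated" => "Mon May 03 10:00:00 GMT+9:00 2004", "version" => "1.0.1" },
    "newtool"       => { "updated" => "Mon May 17 09:00:00 GMT+9:00 2004", "version" => "0.1" },
  }],
]

# Field-level changes between two snapshots: name => [[field, old, new], ...].
# Entries present only in +cur+ are reported with nil as the old value.
def diff_entries(prev, cur)
  (prev.keys | cur.keys).sort.each_with_object({}) do |name, changes|
    a, b = prev[name] || {}, cur[name] || {}
    fields = (a.keys | b.keys).select { |f| a[f] != b[f] }
    changes[name] = fields.map { |f| [f, a[f], b[f]] } unless fields.empty?
  end
end
# Render changes in the "== name / - field: old / + field: new" form.
def format_diff(changes)
  changes.map do |name, fields|
    lines = fields.flat_map { |f, o, n| [o && "- #{f}: #{o}", "+ #{f}: #{n}"].compact }
    (["== #{name}"] + lines).join("\n")
  end.join("\n")
end
# Walk consecutive snapshots; returns { day => [diff_text, suspicious_names] }.
# Suspicious (assumed rule): an entry that existed before and changed without
# "updated" moving.
def verify(snapshots)
  snapshots.each_cons(2).each_with_object({}) do |((_, prev), (day, cur)), out|
    changes = diff_entries(prev, cur)
    stale = changes.select { |n, fs| prev.key?(n) && fs.none? { |f, _, _| f == "updated" } }.keys
    out[day] = [format_diff(changes), stale]
  end
end
verify(SNAPSHOTS).each { |d, (t, bad)| puts "--- #{d}", t, "suspicious: #{bad.inspect}" } if $0 == __FILE__
```

Against real backups, the snapshots would be read from the dated dump files; the 17 May output reproduces the sampleproject diff quoted above, and 18 May lists otherlib as suspicious.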
Please contact raa-admin@ruby-lang.org if you find any suspicious data in RAA or if you have any questions. Thank you for your cooperation.
Regards,
// NaHi, a member of raa-admin@ruby-lang.org
[1] http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/101747
[2] http://security.e-matters.de/advisories/072004.html