Archive of CERT general posting, CERT Advisory CA-2003-21 GNU Project FTP Server Compromise

14/08/03, CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
From: CERT Advisory <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
From: CERT Advisory <>
Date: Wed, 13 Aug 2003 17:48:05 -0400
List-archive: <>
List-help: <>, <>
List-owner: <>
List-post: NO (posting not allowed on this list)
List-subscribe: <>
List-unsubscribe: <>
Organization: CERT(R) Coordination Center - +1 412-268-7090


CERT Advisory CA-2003-21 GNU Project FTP Server Compromise

   Original issue date: August 13, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


   The  CERT/CC has received a report that the system housing the primary
   FTP servers for the GNU software project was compromised.

I. Description

   The GNU Project, principally sponsored by the Free Software Foundation
   (FSF),  produces  a  variety of freely available software. The CERT/CC
   has  learned  that  the system housing the primary FTP servers for the
   GNU  software  project,,  was  root  compromised by an
   intruder.  The more common host names of and
   are  aliases  for  the  same  compromised  system.  The  compromise is
   reported to have occurred in March of 2003.

   The FSF has released an announcement describing the incident.

   Because  this  system  serves  as  a  centralized  archive  of popular
   software,  the  insertion  of  malicious  code  into  the  distributed
   software  is  a  serious  threat. As the above announcement indicates,
   however,  no  source  code  distributions  are  believed  to have been
   maliciously modified at this time.

II. Impact

   The  potential  exists  for  an  intruder to have inserted back doors,
   Trojan   horses,   or  other  malicious  code  into  the  source  code
   distributions of software housed on the compromised system.

III. Solution

   We   encourage   sites  using  the  GNU  software  obtained  from  the
   compromised system to verify the integrity of their distribution.

   Sites  that  mirror  the  source  code  are  encouraged  to verify the
   integrity of their sources. We also encourage users to inspect any and
   all  other software that may have been downloaded from the compromised
   site.  Note that it is not always sufficient to rely on the timestamps
   or  file  sizes  when trying to determine whether or not a copy of the
   file has been modified.

Verifying checksums

   The  FSF has produced PGP-signed lists of known-good MD5 hashes of the
   software packages housed on the compromised server. These lists can be
   found at

   Note that both of these files and the announcement above are signed by
   Bradley  Kuhn,  Executive  Director of the FSF, with the following PGP

pub  1024D/DB41B387 1999-12-09 Bradley M. Kuhn <>
     Key fingerprint = 4F40 645E 46BE 0131 48F9  92F6 E775 E324 DB41 B387
uid                            Bradley M. Kuhn (bkuhn99) <>
uid                            Bradley M. Kuhn <>
sub  2048g/75CA9CB3 1999-12-09

   The CERT/CC believes this key to be valid.

   As a matter of good security practice, the CERT/CC encourages users to
   verify,  whenever  possible, the integrity of downloaded software. For
   more information, see IN-2001-06.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their

Free Software Foundation

   The current files on and as of 2003-08-02 have
   all been verified, and their md5sums and the reasons we believe the
   md5sums can be trusted are in:

   We are updating that file and the site as we confirm good md5sums of
   additional files.  It is theoretically possible that downloads between
   March 2003 and July 2003 might have been source-compromised, so we
   encourage everyone to re-download sources and compare with the current
   copies for files on the site.

Appendix B. References

     * FSF      announcement      regarding      the      incident      -
     * CERT Incident Note IN-2001-06 -

   The  CERT/CC  thanks Bradley Kuhn and Brett Smith of the Free Software
   Foundation for their timely assistance in this matter.

   Feedback can be directed to the author: Chad Dougherty.

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
August 13, 2003: Initial release

Version: PGP 6.5.8


Previous message sorted by date: CERT Advisory CA-2003-20 W32/Blaster worm
Next message sorted by date: CERT Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft Internet Explorer
Previous message sorted by thread: CERT Advisory CA-2003-20 W32/Blaster worm
Next message by thread: CERT Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft Internet Explorer
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2004