An unknown cracker this week compromised several machines belonging to the Debian Project, including servers that house the project's bug-tracking system and security components. Officials from the project said they discovered the intrusion within the last 36 hours and are still working to restore all of the affected machines.
Debian is an open-source operating system that uses the Linux kernel and also includes a number of packages and tools from the GNU Project. The Debian Project is run by Software in the Public Interest Inc., a non-profit group that runs a number of similar projects.
The project's leaders intended to announce a new release of the operating system on Friday, but the attack scotched those plans. The group recently sent the new release, Version 3.02r2, to its mirrors for downloading. This version was checked for problems related to the attack and was found to be clean.
This is the second such attack against an open-source project in recent weeks. Last week reports surfaced that someone tried to insert a backdoor into the Linux kernel. The intrusion was caught thanks to a configuration management system that is used to store and log changes to the kernel.
But the folks running the Debian Project weren't quite so lucky.
In a message posted to BugTraq Friday, Martin Schulze, a member of the project responsible for helping with new releases, said that at least four servers were compromised in the attack. Among those servers are “master,” which houses the bug-tracking system, “murphy,” where the mailing lists reside, “gluck,” home of the Web server and CVS (Concurrent Versions System), and “klecker,” which houses security, quality assurance and Web search.
The project members plan to verify the security archive by comparing it against trusted sources before putting it back online.
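The kind of check described above, comparing a possibly tampered archive against a trusted copy, can be done with a checksum manifest. The script below is an added example and is not the Debian Project's own verification procedure: it builds a constructed sample tree (one clean copy, one with a modified file and an unexpected extra file), generates a sha256sum manifest from the trusted copy, and then reports every altered, missing or extra file in the local copy. The directory layout, file names and the `setup_sample`, `make_manifest` and `verify_tree` function names are assumptions made for the example; in practice the manifest would come from trusted offline media rather than from the suspect host.

```shell
#!/bin/sh
# Added example: verify a local archive tree against a trusted sha256sum manifest.
# Assumes GNU coreutils (sha256sum, mktemp) and absolute paths for both arguments.

# Build a constructed sample: a trusted tree and a local tree with one modified
# file and one extra file. Returns the temporary directory path on stdout.
setup_sample() {
  sample_dir=$(mktemp -d)
  mkdir -p "$sample_dir/trusted" "$sample_dir/local"
  printf 'clean package a\n' > "$sample_dir/trusted/a.deb"
  printf 'clean package b\n' > "$sample_dir/trusted/b.deb"
  cp "$sample_dir/trusted/a.deb" "$sample_dir/local/a.deb"
  printf 'modified package b\n' > "$sample_dir/local/b.deb"   # constructed tamper
  printf 'unexpected file\n'     > "$sample_dir/local/c.deb"   # constructed extra file
  echo "$sample_dir"
}

# Generate a manifest (sha256sum format, paths relative to the tree root) from
# the trusted tree. In a real incident this comes from trusted media, not the host.
make_manifest() {
  ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}

# Compare a local tree against the manifest.
# Prints "<file>: FAILED" for altered or missing files and "EXTRA: <file>" for
# files not listed in the manifest. Returns 0 only when the tree matches exactly.
verify_tree() {
  local_tree=$1
  manifest=$2
  verify_status=0
  # Altered or missing files: sha256sum -c prints only failures with --quiet.
  ( cd "$local_tree" && sha256sum --quiet -c "$manifest" ) || verify_status=1
  # Extra files: anything present locally that the manifest does not list.
  for f in $(cd "$local_tree" && find . -type f | sort); do
    awk -v f="$f" '$2 == f { found = 1 } END { exit !found }' "$manifest" \
      || { echo "EXTRA: $f"; verify_status=1; }
  done
  return $verify_status
}

# Run the constructed scenario end to end; exits non-zero because the local
# tree has been tampered with.
demo() {
  d=$(setup_sample)
  make_manifest "$d/trusted" "$d/manifest.txt"
  echo "trusted tree:"; verify_tree "$d/trusted" "$d/manifest.txt" && echo "OK"
  echo "local tree:";   verify_tree "$d/local"   "$d/manifest.txt" || echo "MISMATCH"
}
```

Run `demo` (or `sh -c '. ./verify.sh; demo'`) to see the trusted copy pass and the local copy fail with `./b.deb: FAILED` and `EXTRA: ./c.deb`. Comparing against a manifest from a separate, trusted source rather than recomputing hashes on the compromised host is the point: a cracker with root on the machine could have altered both the archive and any locally stored checksums.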