I'm not really sure what's going on yet...
This morning at about 8am, I got a cvs update message from my CVS server. One of my anonymous CVS users (specifically cvs-axkit, which I don't think I advertise) added a passwd file to the CVSROOT project on the axkit.org CVS server. My stupid fault for not making the anonymous users just "readers". But I'm not really sure what the purpose was.
Is there some hack there I don't know about? Is my server compromised? The annoying thing is that CVS doesn't seem to keep any IP address information, so I have no idea who was connecting at that time. Can't find anything in my logs about it whatsoever.
I simply can't afford a complete re-install at this time. That would be my idea of a nightmare...
So for now I've disabled xinetd (which was running pserver), until I figure out more :-(
For example:
# access CVS as root with alternative password
root:HACKER'S_CRYPTED_PASSWORD
# alias some CVS login name to root UID
hacker:HACKER'S_CRYPTED_PASSWORD:root
Have you checked whether the commitinfo/loginfo/etc. files were modified? They can be used to run arbitrary code.
You may want to check whether you have any rootkits on your computer. Try www.chkrootkit.org.
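An added example (not from anyone in this thread) that checks a CVSROOT/passwd file for the two problems raised above: entries that map a CVS login to root, and anonymous users who are not confined to CVSROOT/readers. It also reports empty passwords and hashes in a format it does not recognise. All sample data is constructed; the "#" comment handling follows the illustration above and is an assumption about the file format.

```python
"""Audit CVSROOT/passwd for root mappings and unrestricted anonymous users."""
from typing import List, NamedTuple, Set, Tuple


class PasswdEntry(NamedTuple):
    cvs_user: str
    crypted: str
    system_user: str  # empty means "same name as cvs_user"


def hash_kind(crypted: str) -> str:
    """Classify a crypt(3) string: '$1$' prefix is MD5-crypt, 13 chars is DES-crypt."""
    if crypted.startswith("$1$"):
        return "md5-crypt"
    if len(crypted) == 13 and "$" not in crypted:
        return "des-crypt"
    return "unknown"


def parse_cvs_passwd(text: str) -> List[PasswdEntry]:
    """Parse 'user:crypted[:system_user]' lines; '#' lines are skipped (assumption)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed passwd entry: {raw!r}")
        system_user = parts[2] if len(parts) == 3 else ""
        entries.append(PasswdEntry(parts[0], parts[1], system_user))
    return entries


def audit_cvs_passwd(passwd_text: str, readers_text: str,
                     anonymous_users: Set[str]) -> List[Tuple[str, str]]:
    """Return (cvs_user, problem) pairs for every risky entry."""
    readers = {l.strip() for l in readers_text.splitlines() if l.strip()}
    findings = []
    for e in parse_cvs_passwd(passwd_text):
        effective_user = e.system_user or e.cvs_user
        if effective_user == "root":  # any login that runs cvs as root
            findings.append((e.cvs_user, "maps to root"))
        if e.crypted == "":
            findings.append((e.cvs_user, "empty password"))
        elif hash_kind(e.crypted) == "unknown":
            findings.append((e.cvs_user, "unrecognised hash format"))
        if e.cvs_user in anonymous_users and e.cvs_user not in readers:
            findings.append((e.cvs_user, "anonymous user not in CVSROOT/readers"))
    return findings


# Constructed sample files: no real hashes, the 13-char string is a placeholder.
SAMPLE_PASSWD = "anoncvs:$1$constsalt$consthash\nhacker:xxCONSTRUCTED:root\nroot:xxCONSTRUCTED\nguest::\n"
SAMPLE_READERS = "anoncvs\n"

if __name__ == "__main__":
    for user, problem in audit_cvs_passwd(SAMPLE_PASSWD, SAMPLE_READERS, {"anoncvs", "guest"}):
        print(f"{user}: {problem}")
```

Run it against a real CVSROOT/passwd and CVSROOT/readers by reading those files in place of the constructed strings.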
Re:Some quick ideas
Matts on 2002-05-18T18:26:07
Here's the log entry in its entirety:
Checking for rootkits now.
Date: Saturday May 18, 2002 @ 8:10
Author: cvs-axkit
Update of /home/cvs/CVSROOT
In directory ted:/tmp/cvs-serv32715
Modified Files:
passwd
Log Message:
hmm, try that again
Index: passwd
===================================================================
RCS file:/home/cvs/CVSROOT/passwd,v
retrieving revision 1.1
retrieving revision 1.2
diff -b -u -r1.1 -r1.2
--- passwd 2002/05/18 07:06:38 1.1
+++ passwd 2002/05/18 07:10:04 1.2
@@ -1 +1 @@
-anoncvs:$1$Iwe7W4bv$mREI4jyErj0HJ9rc5v.cx1
+anoncvs:tcZodyFvFXejw
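Review bot: the only change in this hunk is the anoncvs password hash, which goes from an MD5-crypt string (the "$1$" prefix) in 1.1 to a 13-character traditional DES-crypt string in 1.2, so the anonymous account's password was replaced with one chosen by whoever committed as cvs-axkit. Note that revision 1.1 is itself dated 2002/05/18 07:06:38, four minutes before 1.2, so the entire passwd file originates from this session; there was no passwd file before it. The entry has no third field, so it does not remap the login to root, but a writable CVSROOT lets the next commit add one. Remove the file (or restore it to a known state), list the anonymous logins in CVSROOT/readers so they cannot write to CVSROOT, and diff commitinfo/loginfo against a known-good copy.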
Re:say
Matts on 2002-05-18T19:21:58
Wouldn't you know I did an apt-get update yesterday evening, making that next to useless. However a check of files modified more recently than something I know I modified yesterday evening before going to bed didn't reveal anything scary.
Neither did chkrootkit.
I hate this sort of thing. It feels like such a waste of my day - especially when it's targeted at open source resources like my server. The jollies of the few ruin it for the rest of us.
Re:apache.org or perl.org
Matts on 2002-05-18T22:01:56
Well I host AxKit on apache.org. However that still leaves approx 60 projects in my CVS server... I suppose I could bump every single damn one onto sourceforge, but really, do I want to do that? Some of course are private projects (but then if they were just private projects I wouldn't need anoncvs I guess) which I couldn't host anywhere but here.
I'm way into using CVSROOT=:ext:user@host:/path/to/repos CVS_RSH=ssh. It's easier to set up than pserver, and probably more secure. I'm pretty sure you could set up an account with no login shell and only read-only access to the repository files and make it work. (But I've never tried it, so YMWV.)
I hope no damage was done. Maybe the guy didn't know what he was doing and just did all that accidentally (hence the log message)? (Or was just trying something out to see if it would work, as opposed to trying to crack into your box.)
Re:Can you drop pserver?
Matts on 2002-05-19T07:53:46
I'm considering dropping pserver. I allow it only for anonymous access right now, because people like to follow my projects, and I also prefer people to submit patches against current CVS.
But if it's going to be a security risk then I'll just kill that.