From: Heiko Z. <he...@zu...> - 2006-10-20 12:53:18
Thank you for your feedback Victor.
I would appreciate if you could respond to your post on full-disclosure
and confirm that there was no problem with Devil-Linux. We need to limit
the damage this post has already caused.
I forwarded your email to our mailing list, since non-subscriber emails get
deleted.
Thanks
Heiko
---------------------------- Original Message ----------------------------
Subject: Re: false accusations
From: "Victor Grishchenko" <gr...@pl...>
Date: Fri, October 20, 2006 04:57
To: "Heiko Zuerker" <he...@zu...>
Cc: dev...@li...
dev...@li...
dev...@li...
--------------------------------------------------------------------------
Hi Heiko.
On 19.10.2006, at 23:02, Heiko Zuerker wrote:
> I am the project leader of Devil-Linux.
> First of all our website is up and was not down at any time.
It was a coincidence; our proxy cached zero-sized reply for some
unknown reason.
> I don't know how this bot got on your system, but what you're writing does
> not make any sense.
> 1. There's no bot included in the DL sources
Yes, sorry. We had an intrusion.
> 2. It can never have been compiled on a running DL system, because there
> are no compilers included.
Indeed. The intruder downloaded a tar with both binaries and sources.
We mistakenly decided that he compiled it right on the site.
> 3. It can only have been introduced (compiled from source as you say) if
> the machine you compiled DL on was compromised.
Unlikely. The intruder's bash_history from the DL host is attached.
> 4. The location you specify (/shm) is a ramdisk. So it must be copied onto
> the system after it boots up. This can only be the case if you have the
> system wide open and somebody can log in easily.
Yes. Most probably he logged in using public key login from another
intranet host. We found a DMZ host which is the most probable initial
point of the intrusion. Also, we've "seized" a ton of haxor tools.
The intrusion chain was non-obvious, so we mistakenly suspected DL.
The mail was sent to full-disclosure mostly because the DL site
appeared "down".
There are no problems with the DevilLinux distro.
My excuses!
Victor
--
Regards
Heiko Zuerker
http://www.devil-linux.org