Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses

Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430322
lemur2 Member since:
2007-02-17

Let's move on to productive discussion like what processes allowed it to enter the distribution, how it can be caught in the future, *how fast it was patched*, how/if any other distributions were affected. Sticking your head in the sand and saying "it's perfect, it's perfect, it's perfect" over and over doesn't make it so.


I still can't believe it, but there it is.

Mitigation of future occurrences is exceedingly simple: don't do this. Don't propagate unsigned binary packages. Period. Simple. Elementary. Totally do-able. Perfectly effective. Has, in fact, been the standard practice to avoid trojans for donkey's years. Gentoo, apparently, just didn't get the memo.

Removal from infected systems: Reformat "/" partition (leave /home partition as is). Re-install OS. 20 minutes or so downtime. While you are at it, you might also consider using another distribution that isn't quite so brain dead.

PS: it looks like someone in the Arch Linux community fell for this trojan for a little while also:
http://bbs.archlinux.org/viewtopic.php?pid=774951
I should remember to check the website before trusting supposedly up to date mirrors I guess.


Very disappointing indeed. One should never trust an unsigned binary package.

Edited 2010-06-16 12:55 UTC

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

Very disappointing indeed. One should never trust an unsigned binary package.


FFmpeg has just released a new version that includes WebM.

http://www.h-online.com/open/news/item/FFmpeg-0-6-adds-WebM-VP8-sup...

So, as an independent open source project, as FFmpeg are, if you want to distribute packages to all & sundry, here is an example of how to do it:

http://www.ffmpeg.org/download.html
Note that these releases are intended for distributors and system integrators. ...
FFmpeg 0.6 "Works with HTML5"

0.6 appeared on 2010-06-15. The release branch was cut on 2010-05-04.

Download bzip2 tarball MD5 SHA1 PGP signature
Download gzip tarball MD5 SHA1 PGP signature


Checksums and PGP signatures. Elementary. This is the most basic, fundamental security principle to prevent trojans.

Edited 2010-06-16 14:03 UTC

Reply Parent Score: 2

jabbotts Member since:
2007-09-06

Webmin also does a good job of maintaining their own Debian repository. I've also worked against a few repositories from trusted third parties in the past when going through the option list of network monitoring apps, though in the end I returned to using Munin. A VMware repository would also be welcome if they could manage to fix VMware Server 2's issues on Debian Stable.

Reply Parent Score: 2