Rootkit installed in several Debian infrastructure servers

A sniffed password was used to log into a Debian server; privileges were then escalated and a rootkit was installed on at least four different Debian machines.

Impact

  • Debian development slowed down as LDAP/SSH were disabled and secrets rotated
  • External checksum lists were used to verify that packages weren’t affected

Type of compromise

Publishing Infrastructure