I found out those firmware images aren't seeded for very long at all, so
they effectively go away quickly.
I was mistaken in thinking that, since the file name was on that site, it
would have torrent support until either removed or replaced.
On Fri, 9 Feb 2018, john doe wrote:
Date: Fri, 9 Feb 2018 01:35:58
From: john doe <johndoe65...@mail.com>
To: debian-accessibility@lists.debian.org
Subject: Re: debian unofficial website hacked
Resent-Date: Fri, 9 Feb 2018 06:36:14 +0000 (UTC)
Resent-From: debian-accessibility@lists.debian.org
On 2/8/2018 9:06 PM, Jude DaShiell wrote:
https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/
Please try the following:
Each line that starts with a dollar sign ($) is a command and should be
entered as written.
$ mkdir alfa2
$ cd alfa2
$ wget https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS.sign https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS
Output of the above command:
--...--
https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS.sign
Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165,
194.71.11.173, 2001:6b0:19::173, ...
Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 833
Saving to: ‘SHA512SUMS.sign’
SHA512SUMS.sign
100%[======================================================================================================>]
833 --.-KB/s in 0s
... (11.4 MB/s) - ‘SHA512SUMS.sign’ saved [833/833]
--...--
https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/buster_di_alpha2/amd64/bt-dvd/SHA512SUMS
Reusing existing connection to cdimage.debian.org:443.
HTTP request sent, awaiting response... 200 OK
Length: 172
Saving to: ‘SHA512SUMS’
SHA512SUMS
100%[======================================================================================================>]
172 --.-KB/s in 0s
... (208 MB/s) - ‘SHA512SUMS’ saved [172/172]
FINISHED --...--
Total wall clock time: 0.5s
Downloaded: 2 files, 1005 in 0s (13.6 MB/s)
$ gpg --delete-keys debian
Output of the above command:
pub 4096R/0xDA87E80D6294BE9B 2011-01-05 Debian CD signing key
<debian...@lists.debian.org>
Delete this key from the keyring? (y/N) y
Comment: Press 'y' for each key that is to be deleted.
$ gpg --recv-key 0xDA87E80D6294BE9B
Output of the above command:
gpg: requesting key 0xDA87E80D6294BE9B from hkps server
hkps.pool.sks-keyservers.net
gpg: key 0xDA87E80D6294BE9B: public key "Debian CD signing key
<debian...@lists.debian.org>" imported
gpg: 2 marginal(s) needed, 2 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --verify SHA512SUMS.sign SHA512SUMS
Output of the above command:
gpg: Signature made Wed, Dec 06, 2017 3:02:18 AM CET
gpg: using RSA key 0xDA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key
<debian...@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
If it does not work please post the commands used and the output of those
commands.
Note that my mailer might fold this e-mail.
On Thu, 8 Feb 2018, john doe wrote:
Date: Thu, 8 Feb 2018 14:03:40
From: john doe <johndoe65...@mail.com>
To: debian-accessibility@lists.debian.org
Subject: Re: debian unofficial website hacked
Resent-Date: Thu, 8 Feb 2018 19:03:53 +0000 (UTC)
Resent-From: debian-accessibility@lists.debian.org
On 2/8/2018 7:54 PM, Jude DaShiell wrote:
Yes, I imported the debian signing key and I have MD5SUMS and
MD5SUMS.sign
sha256SUMS SHA256SUMS.sign SHA512SUMS and SHA512SUMS.sign SHA1SUMS
SHA1SUMS.sign.
From which URL did you get the files?
On Thu, 8 Feb 2018, john doe wrote:
Date: Thu, 8 Feb 2018 07:12:27
From: john doe <johndoe65...@mail.com>
To: debian-accessibility@lists.debian.org
Subject: Re: debian unofficial website hacked
Resent-Date: Thu, 8 Feb 2018 12:12:39 +0000 (UTC)
Resent-From: debian-accessibility@lists.debian.org
On 2/8/2018 12:34 PM, Jude DaShiell wrote:
running gpg --verify *.sign on all sign files found where debian-buster
is downloaded returns bad key and [unknown] on those files. I think the
website has got dirty.
- Did you import the Debian signing key?
- Which files did you verify (URL used, you should only use debian.org)?
- What commands did you use and what are the output of those commands?
--
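
An added example, not part of the original thread: because gpg prints "Good signature" together with the "not certified" warning for any imported key, the check that matters is comparing the primary key fingerprint against the one quoted above. The function names and the sample status lines are constructed for illustration; `--status-fd` is gpg's machine-readable output.

```shell
#!/bin/sh
# Added example (not from the thread): accept SHA512SUMS only when gpg reports
# a valid signature made by the pinned Debian CD signing key.

# Fingerprint printed by gpg in the thread above, with the spaces removed.
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# check_status: read `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a VALIDSIG line names the pinned primary key (last field)
# and no line reports a bad, unverifiable, expired or revoked-key signature.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == want) ok = 1; else bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_sums SIGFILE SUMSFILE: run gpg and apply the check above.
verify_sums() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status lines (not captured output) for trying check_status offline.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2017-12-06 1512525738 0 4 0 1 8 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Key
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2017-12-06 1512525738 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF'
SAMPLE_BAD='[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key'

# Typical use, once both files are downloaded:
#   verify_sums SHA512SUMS.sign SHA512SUMS && sha512sum --ignore-missing -c SHA512SUMS
```

Only after `verify_sums` succeeds is the hash list worth checking the image against; a matching hash from an unverified SHA512SUMS proves nothing.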