Summary: On 7. Jun 2004, RAA restarted its service. We think the data RAA keeps is clean, but we have a favor to ask of RAA project owners: PLEASE CHECK YOUR RAA ENTRIES AND UPDATE THEM FOR CONFIRMATION.
As we, the ruby-lang.org administrators group, announced in [ruby-talk:101747], we detected an intrusion into helium.ruby-lang.org on 28. May 2004. Helium was the canonical name of raa.ruby-lang.org, which hosts the whole RAA service. RAA has been down since 28. May 2004.
While the service was stopped, we carried out a detailed investigation into possible tampering with resources on the machine, but found nothing. From our investigation, the only exploit that the intruder(s) could have used is the "CVS remote vulnerability" that went through Coordinated Public Disclosure on 19. May 2004. We ran our anonymous CVS service in a chroot-protected environment, and we estimate that the intruder(s) failed to achieve local privilege escalation.
But we cannot prove that no tampering was done, even though we have not found any evidence of it. So we reinstalled the whole RAA software and did the following data verification.
It can be concluded that the RAA data of 28 May (the same data we use for the RAA service restart) does not include any suspicious information, and we decided to restart the RAA service as it was on 28 May. But we cannot offer assurances that no normal-looking change made by an intruder is included. For example, the change of sampleproject on 18. May is as follows:
== sampleproject - updated: Sun May 09 12:35:19 GMT+9:00 2004 + updated: Mon May 17 13:00:38 GMT+9:00 2004 - version: 0.0.8 + version: 0.1.1
We don't see any suspicious sign in this change, but it is not impossible that it is the result of tampering by an intruder. So we have a favor to ask of RAA project owners: PLEASE CHECK YOUR RAA ENTRIES AND UPDATE THEM FOR CONFIRMATION.
Please contact firstname.lastname@example.org if you find any suspicious data in RAA, or you have any question. Thank you for your cooperation.