Red Hat Servers breached, Including Fedora Project’s Systems
Hackers compromised infrastructure servers belonging to Red Hat and the Fedora Project, including systems used to sign Fedora packages. A package is the unit in which a specific piece of open source software is distributed and installed.
Company officials said they had high confidence the hackers did not get the passphrase used to secure the Fedora package signing key. A passphrase is similar to what computer users commonly call a password.
The intruder was able to sign a small number of OpenSSH packages relating to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).
Red Hat has released an updated version of those packages, a list of tampered packages and a script to check if any of the packages are installed on a user’s or company’s system.
The script openssh-blacklist-1.0.sh can be downloaded from Red Hat's website.
The GPG signature used to verify its integrity (openssh-blacklist-1.0.sh.asc) is available from the Red Hat Security Response Team, together with the team's public key.
How to verify the script's signature:
To use the GPG key to verify the integrity and authenticity of the script, follow the steps below:
- Download the Red Hat Security Response Team public key:
wget -c https://www.redhat.com/security/650d5882.txt
- Import the Red Hat Security Response Team public key:
gpg --import 650d5882.txt
- Verify that the script's signature matches that of the Security Response Team:
gpg --verify openssh-blacklist-1.0.sh.asc
Successful verification is indicated as:
gpg: Signature made Fri 22 Aug 2008 05:02:29 AM EDT using DSA key ID 650D5882
gpg: Good signature from “Red Hat, Inc. (Security Response Team)”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
The WARNING lines only mean the key is not yet in your own web of trust; what matters is the “Good signature” line and that the primary key fingerprint printed matches the one shown above.
This script can be executed either as a non-root user or as root. To execute the script after downloading it and saving it to your system, run the command:
bash ./openssh-blacklist-1.0.sh
If the script output includes any lines beginning with “ALERT” then a tampered package has been installed on the system. Otherwise, if no tampered packages were found, the script should produce only a single line of output beginning with the word “PASS”, as shown below:
bash ./openssh-blacklist-1.0.sh
PASS: no suspect packages were found on this system
The script can also check a set of packages by passing it a list of source or binary RPM filenames. In this mode, a “PASS” or “ALERT” line will be printed for each filename passed; for example:
bash ./openssh-blacklist-1.0.sh openssh-4.3p2-16.el5.i386.rpm
PASS: signature of package “openssh-4.3p2-16.el5.i386.rpm” not on blacklist
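As an added example, which is neither Red Hat's script nor part of the original post, this Python snippet applies the two checks the procedure above relies on: it accepts gpg output only when the signature is good and the primary key fingerprint matches the one quoted here, and it sorts the blacklist script's output into ALERT and PASS lines. The sample inputs are constructed from the output quoted on this page; the ALERT wording is assumed.

```python
import re

# Primary key fingerprint of the Red Hat Security Response Team key, as quoted on
# this page; comparing it guards against a different key with the same short ID.
EXPECTED_FPR = "9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882"

# Constructed sample: the successful-verification output quoted on this page.
GOOD_OUTPUT = """\
gpg: Signature made Fri 22 Aug 2008 05:02:29 AM EDT using DSA key ID 650D5882
gpg: Good signature from "Red Hat, Inc. (Security Response Team)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
"""

# Constructed sample of blacklist-script output; the ALERT wording is assumed,
# only the PASS line is quoted on the page.
SCRIPT_OUTPUT = """\
PASS: signature of package "openssh-4.3p2-16.el5.i386.rpm" not on blacklist
ALERT: signature of package "openssh-example.x86_64.rpm" is on blacklist
"""

def _normalize(fpr: str) -> str:
    return re.sub(r"\s+", "", fpr).upper()

def verify_gpg_output(output: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """True only if gpg reported a good signature AND the primary key
    fingerprint matches. A BAD signature or a fingerprint mismatch fails."""
    good, fpr = False, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("gpg: BAD signature"):
            return False
        if line.startswith("gpg: Good signature"):
            good = True
        m = re.match(r"Primary key fingerprint:\s*(.+)$", line)
        if m:
            fpr = _normalize(m.group(1))
    return good and fpr == _normalize(expected_fpr)

def triage_script_output(output: str) -> dict:
    """Split openssh-blacklist-1.0.sh output into ALERT and PASS lines."""
    result = {"alerts": [], "passes": []}
    for line in output.splitlines():
        if line.startswith("ALERT"):
            result["alerts"].append(line)
        elif line.startswith("PASS"):
            result["passes"].append(line)
    return result
```

Feed it the real output of `gpg --verify` and of the script (for example via subprocess) to automate the check across many hosts.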