Rather belated point-and-laugh
simont


Tue 2004-06-08 13:24

It occurred to me the other day that I completely forgot to publicly mock the crackers who attacked the PuTTY website late last year. (Some of my readers will have heard this story already.)

One of the machines involved with the PuTTY website was broken into by crackers. (By the usual sort of means; a compromised user account – many passwords have now been changed – and a kernel bug allowing escalation to root privileges, which has of course been long since patched.) The sysadmin noticed very promptly, and immediately began extensive work to resecure the system and investigate the incident. In the course of this investigation, it turned out that the directory in which the crackers had hidden their rootkit also contained a file called putty.tgz, suggesting that the intrusion had a specific target and wasn't a random look-how-many-machines-I-can-break-into job.

My blood, needless to say, ran cold. If anyone managed a successful compromise of the PuTTY website, I shudder to think what the implications might be.

So I checked and double-checked all the files served from that machine, and by checking GPG signatures and comparing with clean copies elsewhere I assured myself that they hadn't been meddled with. The sysadmin, meanwhile, had found a way to boot the machine without depending on any files that were on the system at the time of the attack, so he was able to rigorously check the rest of the system and assure himself that it had been properly resecured. We were pretty convinced that the attackers had not in fact trojaned any of the PuTTY binaries, redirected any links, or defaced the website in any way.

So what were they up to?

When I had a look inside the putty.tgz file, I discovered that it was an exact copy of my ~/src/putty directory on the machine they'd broken into. It seemed odd that they would want this. That's not the machine I do my main development on, or even any development on; what they'd archived was a year-old copy of the sources which I had checked out for reasons I don't remember.

We were forced to the conclusion that the crackers' aim was to steal the source code to PuTTY. That was the only plausible explanation for the evidence we found.

I have never heard the sysadmin laugh as loudly as he did when we figured this out. Someone had broken into his computer apparently for the sole purpose of stealing the source code to an open-source program – and better still, had got an out-of-date copy of it for their pains. I absolutely love to imagine the perpetrators afterwards; they must have been lording it about on their cracker IRC channels for days. ‘D00D W33 R0X0R! We stole the source code to PuTTY! H0W K00L 1S TH4T?’ And then, hopefully after they'd boasted about it to lots of people so their humiliation would be maximised, someone must have finally said ‘Um, dude, I hate to point this out, but …’

kaet.livejournal.com, Tue 2004-06-08 05:37
One of the machines involved with the PuTTY website was broken into by crackers.

Are you sure they weren't just biscuits gone bad?
simont, Tue 2004-06-08 05:43
Be Nice.
timeplease.livejournal.com, Tue 2004-06-08 07:10
I have never heard the sysadmin laugh as loudly as he did when we figured this out.

His laugh isn't quiet at the best of times...
rowan-leigh.livejournal.com, Tue 2004-06-08 15:08
That's wonderful!
tombee.livejournal.com, Tue 2004-06-08 16:06
Have patience...
If you're lucky, maybe they will try to sell it back to you.
simont, Wed 2004-06-09 01:20
*blinks* Ooh, it's you. Hello.

(I briefly wondered how I'd managed to miss your existence before now, but a glance at your account creation date solved that.)

[livejournal.com profile] oneplusme is also lurking around here somewhere.
oneplusme.livejournal.com, Fri 2004-06-11 02:36
Here, or thereabouts, yes. Again, long time, no see...

(Glad to see you managed to get amusingly dumb crackers rather than zombie-net script-kiddies.)
dennyd.livejournal.com, Sun 2004-06-13 06:08
Reading this story increased today's Good Stuff level for me :)