"Paul Frields's Update and Report on Fedora August 2008
Intrusion on the fedora-announce-list reads like a detective novel.
It all started on August 12, 2008, when a cron job on a Fedora host
reported an error. While reviewing the logs, Fedora admins found a
change in the package complement that no one could explain. On
short notice, the changes turned out to be tampering by an
intruder. The project notified the community of the break-in and
promptly pulled the server off the net.

"It's now become clear how the rogue entered the server
structure: he used no hacker tools, but simply authenticated
himself using a copy of an SSH private key that was not
passphrase-protected. The key belonged to a Fedora admin, and the
log entries showed that the intruder also cracked or knew the
admin's password. How the intruder got to the SSH private key,
however, nobody knows."