A compromised developer account was used to take control of the server, according to an e-mail sent Thursday to the community by Debian developer Martin Schulze. List members were told of the intrusion in an announcement the day before.
"At least one developer account has been compromised a while ago and has been used by an attacker to gain access to the Debian server," Schulze wrote.
The developer said the attacker then used a recently discovered vulnerability in the Linux kernel to gain root--or admin--access on the server.
"An investigation of developer passwords revealed a number of weak passwords whose accounts have been locked in response," Schulze wrote.
Debian is a noncommercial version of Linux, though some companies, such as Canonical and Progeny, have based products on it.
While the compromised server, known as "gluck," has had its software reinstalled and is now back online with all services intact, other parts of Debian's infrastructure remain closed off from casual access.
"Other Debian servers have been locked down for further investigation (into) whether they were compromised as well," wrote Schulze. "They will be upgraded to a corrected kernel before they will be unlocked."
Flaw in the kernel
Schulze said the particular Linux vulnerability only exists in kernel versions:
2.6.13 up to versions before 126.96.36.199
2.6.16 up to versions before 188.8.131.52
Schulze advised administrators to upgrade their software if they were using these versions but said the current stable version of Debian was not affected, as it runs kernel 2.6.8.
Wider damage to Debian's infrastructure may have been avoided. "Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," Schulze wrote.
"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."
The security breach is not the first for the project. In November 2003, several of Debian's servers were similarly compromised and pulled offline.
Renai LeMay of ZDNet Australia reported from Sydney.