The attack that compromised some high-value servers belonging to kernel.org–but not the Linux kernel source code–may have been the work of hackers who simply got lucky and didn’t realize the value of the servers that they had gotten their hands on. The attack, in short, could have been far worse.
Researchers who have talked with the kernel.org staff about some of the details of the attack said that none of it sounds as if the attackers necessarily knew what they had stumbled upon or what damage they could have potentially caused. The attackers made a couple of mistakes that enabled the administrators at kernel.org to discover the breach and stop it before any major damage occurred. First, they used a known Linux rootkit called Phalanx that the admins were able to detect. And second, the attackers set up SSH backdoors on the compromised servers, which the admins also discovered.
Had the hackers been specifically targeting the kernel.org servers, the attack probably would’ve looked quite different.
“It really does seem that the attackers didn’t know what boxes they were on. It’s the same kind of techniques that you’d use on any random Linux boxes,” said Jon Oberheide, a security researcher and co-founder of Duo Security. “That often happens in an automated or semi-automated way. They compromised some credentials, got onto one box, moved to another one and so on. It’s likely that they got onto one machine, had some credentials that they could use on another box and kind of went from there.”
The attack on kernel.org, which is the main distribution point for the Linux kernel source code, was discovered on Aug. 29 by administrators who noticed some odd error messages and began investigating. What they eventually found was that sometime in mid-August–likely around Aug.12–an attacker got access to one of the kernel.org servers and inserted a Trojan startup script. They also loaded the Phalanx rootkit and remote SSH backdoors.
If the attackers had known they were going after the Linux kernel source code to begin with, Oberheide said, some of those tactics wouldn’t have made any sense.
“That off-the-shelf rootkit is how the admins noticed the attack. They saw these weird error messages. If it was tailored, they wouldn’t have seen any log messages,” he said. “If you were really trying to backdoor the Linux source code, you wouldn’t bother with SSH backdoors. You’ve already reached your goal.”
Kernel.org staffers said in a message detailing the attack that they don’t believe any of the Linux kernel source code was accessed or modified.
