Kernel.org Linux Site Compromised

Attackers compromised several servers at kernel.org, the site that hosts the Linux kernel source code, and were able to modify files and log user activity on the machines. However, it currently appears that the Linux source code repositories themselves were not affected by the attack.

A message on the kernel.org site, which is maintained by the Linux Kernel Organization, said that the attack happened some time in August and that site officials discovered it on Sunday. The attackers were able to modify the SSH-related files (the OpenSSH client and server software) on one of the servers. An email that appears to come from an administrator at kernel.org was posted on Pastebin on Wednesday and says that the attackers used a Trojan in part of the attack sequence.

“Earlier today discovered a trojan existing on HPA’s personal colo machine, as well as hera.  Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this,” the email says.

The email says that the attack apparently happened on Aug. 12 and the Trojan was discovered on Aug. 29.

“Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated,” the message on kernel.org says.

The attackers also inserted a Trojan startup file into the startup scripts (the rc3.d run-level directory) on one of the servers so that it would run every time the machine booted. Kernel.org officials took the compromised servers offline, are making backups and reinstalling the systems, and are investigating the attack to establish exactly what happened.

“However, it’s also useful to note that the potential damage of cracking kernel.org is far less than typical software repositories. That’s because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds. For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed,” the security notice says.

“Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each of several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.”

One kernel developer, Jonathan Corbet, wrote in an article on Linux.com that while the attackers compromised kernel.org's security, that does not mean they were able to modify the Linux kernel code. Thousands of copies of the kernel source are kept on developer machines around the world, and if one copy is corrupted or modified unexpectedly, the git system used to maintain the code would flag the problem.

“Kernel.org may seem like the place where kernel development is done, but it’s not; it’s really just a distribution point. The integrity of that distribution point is protected by the combination of clever software and thousands of copies of the repository distributed around the world. So when we say that we know the kernel source has not been compromised on kernel.org, we really know it,” Corbet wrote.
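The integrity argument in the kernel.org notice and in Corbet's remarks rests on how git names its objects. The following is an added example, not code from this page or from the kernel.org or git projects: it reimplements git's object naming for blobs, trees and commits in Python and shows that a distribution point serving one altered byte, or a commit rewritten onto a different parent, produces names that a developer's existing clone will not accept. The file contents, author line and commit message are constructed sample values, and `verify_fetch` is a simplified stand-in for the object-name checks a real clone performs on fetch.

```python
from __future__ import annotations

import hashlib
from typing import Dict, Optional

# Constructed sample tree standing in for the published kernel sources.
PUBLISHED_FILES: Dict[str, bytes] = {
    "Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n",
    "README": b"Constructed sample repository, not the real kernel tree.\n",
    "main.c": b"int main(void) { return 0; }\n",
}
COMMIT_MESSAGE = "Import constructed sample tree"


def git_object_id(obj_type: str, payload: bytes) -> str:
    """Name an object the way git does: SHA-1 over '<type> <size>\\0' + content."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    """Object name of a file's contents (matches `git hash-object`)."""
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Object name of a flat directory of regular files.

    Each entry is '<mode> <name>\\0' followed by the 20 raw SHA-1 bytes of the
    blob; entries are sorted by name. Subdirectories (mode 40000, sorted as if
    the name ended in '/') are not needed for this example and are left out.
    """
    payload = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
        for name in sorted(files)
    )
    return git_object_id("tree", payload)


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Object name of a commit. Author/committer lines are fixed constructed values
    so the result is deterministic; real git records the actual identity and time."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines.append("author Example Dev <dev@example.invalid> 1313100000 +0000")
    lines.append("committer Example Dev <dev@example.invalid> 1313100000 +0000")
    payload = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", payload)


def published_commit() -> str:
    """The commit name every developer recorded when they last pulled."""
    return commit_id(tree_id(PUBLISHED_FILES), None, COMMIT_MESSAGE)


def verify_fetch(trusted_commit: str, files: Dict[str, bytes],
                 parent: Optional[str], message: str) -> bool:
    """What a clone effectively does on fetch: rebuild the object names from the
    bytes actually received and compare them with the commit name it expects."""
    return commit_id(tree_id(files), parent, message) == trusted_commit


def tampered_mirror_detected() -> bool:
    """A compromised distribution point changes one byte in one file but keeps
    advertising the same commit name; the recomputed name no longer matches."""
    served = dict(PUBLISHED_FILES)
    served["main.c"] = b"int main(void) { return 1; }\n"  # attacker's one-byte change
    return not verify_fetch(published_commit(), served, None, COMMIT_MESSAGE)


def history_binds_commit_name() -> bool:
    """The same tree and message on different parents get different names, so a
    rewritten history cannot reuse the names developers already hold."""
    tree = tree_id(PUBLISHED_FILES)
    genuine = commit_id(tree, published_commit(), "Follow-up")
    forged = commit_id(tree, "0" * 40, "Follow-up")  # same tree, forged parent
    return genuine != forged


if __name__ == "__main__":
    print("published commit:", published_commit())
    print("tampered mirror detected:", tampered_mirror_detected())
    print("commit name bound to history:", history_binds_commit_name())
```

The blob and tree names agree with what `git hash-object` and `git write-tree` produce for the same bytes, so the output can be checked against a real repository; the well-known names of the empty blob (e69de29b...) and the empty tree (4b825dc6...) are a quick sanity check for the header format.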

There have been a number of other attacks against open-source projects in the last few years, including a compromise of a server at the Apache Software Foundation in 2009 that resulted in attackers being able to upload their own files to production Web servers. There also was an attack on the Savannah GNU free software archive last year in which the attackers gained access to restricted project materials.