Attackers compromised several servers at kernel.org using an off-the-shelf Trojan. However, the source code for the Linux kernel does not appear to have been altered.
Attackers have compromised several key servers at kernel.org, which houses the source code for the Linux kernel. The likelihood of attackers modifying the actual source code is very low since the code is distributed across thousands of developer machines, according to developers who help maintain the code.
Attackers modified a number of files and logged user activity on the compromised servers, according to a message posted on the kernel.org Website Aug. 31. The attackers were able to modify the OpenSSH client and server software installed on the compromised server. However, the attackers did not change the actual OpenSSH source code.
The attack happened "sometime" in August and was discovered Aug. 28 by Linux Kernel Organization officials, according to the security notice on the site. The attackers used a Trojan to compromise the servers on Aug. 12, according to an email from John "Warthog9" Hawley, the chief administrator of kernel.org. That email was sent to developers and posted on the text-sharing Website Pastebin.
"Earlier today discovered a trojan existing on HPA's personal colo machine, as well as hera," the email said. HPA refers to kernel developer H. Peter Anvin. Other kernel.org boxes were discovered to have been hit by the same Trojan. The Trojan startup file was inserted into the startup scripts on the compromised server so that it would execute whenever the machine was started.
Site administrators have taken the compromised servers offline and are creating backups as well as reinstalling the systems, according to the message on the site. The investigation is still ongoing.
Intruders apparently gained root access on one of the servers using a compromised user credential, the email said. It's not yet known how the attackers exploited the credentials to become root, according to the security notice.
While the intruders were able to compromise kernel.org servers, that doesn't translate to modifying the actual kernel code, Jonathan Corbet, a kernel developer, wrote on Linux.com. There are thousands of copies of the kernel source code housed on developer machines around the world, and if someone tries to check in corrupted or modified code, the changes would be flagged by a distributed revision control system called "git," Corbet said.
Git calculates a cryptographically secure SHA-1 hash for each of the nearly 40,000 files that make up the Linux kernel. The name of each version of the kernel depends on the complete development history leading up to that version, and once it is published, it's not possible to change the old versions without someone noticing. Any changes to the source code would be noticed by anyone updating their personal copy of the code, according to the site's security notification.
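The two paragraphs above describe why a tampered distribution point is detectable: git names every file, directory and commit by the hash of its content, and each commit embeds its parent's name. The following Python model, added here as an illustration and not code from kernel.org, git or any of the people quoted, reproduces git's object naming (blob, flat tree, commit) over a constructed three-commit history. It then shows the two ways an intruder on a server could try to change history and what each produces: rebuilding with an altered old file changes every later commit id, and overwriting an object's bytes in place leaves a name that no longer matches its content. The developer identity, timestamp and file contents are constructed for reproducibility; real git nests one tree object per directory, which this model omits.

```python
import copy
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """Git names every object by SHA-1 over 'kind<space><length>\\0<body>'."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


class ObjectStore:
    """Minimal content-addressed store: hex id -> (kind, raw body)."""

    def __init__(self):
        self.objects = {}

    def put(self, kind: str, body: bytes) -> str:
        oid = git_object_id(kind, body)
        self.objects[oid] = (kind, body)
        return oid

    def blob(self, content: bytes) -> str:
        return self.put("blob", content)

    def tree(self, entries: dict) -> str:
        # Flat tree only (assumption of this model): real git nests a tree per directory.
        body = b"".join(
            f"100644 {name}\0".encode() + bytes.fromhex(oid)
            for name, oid in sorted(entries.items())
        )
        return self.put("tree", body)

    def commit(self, tree: str, parent, message: str) -> str:
        # Constructed fixed identity and timestamp so the ids are reproducible.
        ident = "Example Dev <dev@example.invalid> 1314748800 +0000"
        lines = [f"tree {tree}"]
        if parent is not None:
            lines.append(f"parent {parent}")  # the commit name covers its whole ancestry
        lines += [f"author {ident}", f"committer {ident}", "", message]
        return self.put("commit", ("\n".join(lines) + "\n").encode())

    def verify(self) -> list:
        """Ids whose stored bytes no longer hash to their own name (the core of an fsck)."""
        return sorted(oid for oid, (kind, body) in self.objects.items()
                      if git_object_id(kind, body) != oid)


def build_history(store: ObjectStore, snapshots) -> list:
    """snapshots: [(message, {filename: bytes}), ...] oldest first. Returns commit ids."""
    ids, parent = [], None
    for message, files in snapshots:
        tree = store.tree({name: store.blob(data) for name, data in files.items()})
        parent = store.commit(tree, parent, message)
        ids.append(parent)
    return ids


# Constructed three-commit history standing in for a tiny source tree.
SNAPSHOTS = [
    ("Initial import", {"Makefile": b"VERSION = 3\n",
                        "main.c": b"int main(void){return 0;}\n"}),
    ("Add Kconfig", {"Makefile": b"VERSION = 3\n",
                     "main.c": b"int main(void){return 0;}\n",
                     "Kconfig": b"config FOO\n"}),
    ("Bump version", {"Makefile": b"VERSION = 3.1\n",
                      "main.c": b"int main(void){return 0;}\n",
                      "Kconfig": b"config FOO\n"}),
]


def demo() -> dict:
    honest = ObjectStore()
    original = build_history(honest, SNAPSHOTS)

    # Path 1: alter a file in the oldest commit and republish the rebuilt history.
    # Later commits keep the same trees, but each embeds its parent's id, so every
    # commit name changes and a clone holding the old ids sees the mismatch.
    rewritten = copy.deepcopy(SNAPSHOTS)
    rewritten[0][1]["main.c"] = b"int main(void){return 1;}\n"
    rebuilt = build_history(ObjectStore(), rewritten)
    commits_changed = sum(a != b for a, b in zip(original, rebuilt))

    # Path 2: overwrite an object's bytes on the server but keep its name.
    # The name no longer matches the content, so an integrity check flags it.
    victim = git_object_id("blob", b"int main(void){return 0;}\n")
    honest.objects[victim] = ("blob", b"int main(void){return 1;}\n")
    return {"commits_changed": commits_changed, "corrupted": honest.verify()}


if __name__ == "__main__":
    print(demo())
```

Running the script shows all three commit ids changing under the first path and exactly one object flagged under the second. The same property is what lets a developer's local clone act as an independent witness: the ids it already holds either match what the server offers or they do not.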
Kernel.org is "just a distribution point" and no actual development happens on the server, according to Corbet. "When we say that we know the kernel source has not been compromised on kernel.org, we really know it," Corbet wrote.
The Trojan appeared to be a self-injecting rootkit, known as Phalanx, Jon Oberheide, one of the Linux security researchers briefed by Linux Kernel Organization about the breach, told The Register. Phalanx variants have attacked sensitive Linux systems before by stealing Secure Shell (SSH) keys to access servers and exploiting kernel vulnerabilities.
Attackers are not likely to use an "off-the-shelf" rootkit like Phalanx in a sophisticated attack, according to Oberheide. "Normally, if you were to target a high-value target, you would potentially use something that's more tailored to your specific target, something that's not going to be flagged or potentially detected," Oberheide told The Register. It was not likely the attackers were after the source code, or they would have performed the attack differently, he said.
This kind of compromise has happened before; for example, the attack in January compromised servers used by the Fedora project, the community version of Red Hat Enterprise Linux. Around the same time, SourceForge was also broken into, and there have been various attacks on Apache Websites.