The Linux Foundation took down several of its sites, including Linux.com, after discovering suspicious activity on its servers that appear to be related to the Trojan that was found on kernel.org last week.
A week after uncovering malware on several key kernel.org
servers, the Linux Foundation has taken other key Websites, including
Linux.com, offline for a complete reinstall.
Linux.com, LinuxFoundation.org and all sub-domains
associated with these sites were taken offline after administrators discovered
"a security breach" on Sept. 8, according to an email sent to all
registered members of the sites on Sept. 11. The servers will be completely
reinstalled and will be back online "as they become available," Linux
This information was also posted on a holding page on all
the affected sites.
The username, password, email address and "other
information" provided by users registered with the sites may have been stolen,
according to the disclosure email. Any passwords or SSH keys used on those
sites should be considered compromised, and the foundation recommended that if
any of the passwords had been reused elsewhere, that users should change them
"We believe this breach was connected to the intrusion
on kernel.org," Linux Foundation said in the email.
Linux Organization officials discovered on Aug. 28 that
attackers had installed a Trojan and opened a backdoor into kernel.org
servers on Aug. 12. The attackers had logged user activity and modified the
OpenSSH client and server software installed on the compromised server, but had
not gained access to the Linux kernel source code or other applications. The
Trojan discovered on kernel.org was based on an "off-the-shelf"
rootkit called Phalanx.
The security breach is not just about information theft as
it involves a malware compromise, Paul Ducklin, head of technology for the Asia
Pacific group at Sophos, wrote on the Naked Security blog
. "If a server is
'owned' by malware, even the login process should be considered untrustworthy,"
Ducklin wrote, noting that malware could steal passwords directly from memory
at the time of the actual login by a user.
The pattern of activity by the intruders on kernel.org led
observers to speculate that the attackers did not really understand the
significance of the servers they'd breached and were unable to capitalize on
the attack. If the latest breaches are related to kernel.org and had occurred
around the same time, the attacks appear to be even more widespread than
These breaches have no impact on the Linux kernel or any
other projects' source codes as none of the compromised sites are related to
software development. The Linux Foundation is a not-for-profit organization which
funds Linux development so that the developers remain independent of any
particular vendor or commercial group. Linux.com is the news, information and
community site for people interested in the operating system and
LinuxFoundation.org provides information on the foundation's activities. The
sub-domains, such as the Linux Developer Network and the video site, are also
used for disseminating information.
The latest incident on Linux servers may actually make Linux
supporters take a serious look at Linux malware and security in general,
Ducklin said. It will also likely force people who continue to perceive the
operating system as a "hobby product" as being a legitimate product,
since "why else would kernel.org be in the sights of cyber-crooks?"
"Whilst Linux malware is not new, this is probably the
closest it has ever come to the heart of their beloved operating system,"