Attackers have compromised several key servers at kernel.org, which houses the source code for the Linux kernel. The likelihood of attackers modifying the actual source code is very low since the code is distributed across thousands of developer machines, according to developers who help maintain the code.
Attackers modified a number of files and logged user activity on the compromised servers, according to a message posted on the kernel.org Website Aug. 31. The attackers were able to modify the OpenSSH client and server software installed on the compromised server. However, the attackers did not change the actual OpenSSH source code.
The attack happened “sometime” in August and was discovered Aug. 28 by Linux Kernel Organization officials, according to the security notice on the site. The attackers used a Trojan to compromise the servers on Aug. 12, according to an email from John “‘Warthog9” Hawley, the chief administrator of kernel.org. That email was sent to developers and posted on the text-sharing Website Pastebin.
“Earlier today discovered a trojan existing on HPA’s personal colo machine, as well as hera,” the email said. HPA refers to kernel developer H. Peter Anvin. Other kernel.org boxes were discovered to have been hit by the same Trojan. The Trojan startup file was inserted into the startup scripts on the compromised server so that it would execute whenever the machine was started.
Site administrators have taken the compromised servers offline and are creating backups as well as reinstalling the systems, according to the message on the site. The investigation is still ongoing.
Intruders apparently gained root access on one of the servers using a compromised user credential, the email said. It’s not yet known how the attackers exploited the credentials to become root, according to the security notice.
While the intruders were able to compromise kernel.org servers, that doesn’t translate to modifying the actual kernel code, Jonathan Corbet, a kernel developer, wrote on Linux.com. There are thousands of copies of the kernel source code housed on developer machines around the world, and if someone tries to check in corrupted or modified code, the changes would be flagged by a distributed revision control system called “git,” Corbet said.
Git calculates a cryptographically secure SHA-1 hash for each of the nearly 40,000 files that make up the Linux kernel. The name of each version of the kernel depends on the complete development history leading up to that version, and once it is published, it’s not possible to change the old versions without someone noticing. Any changes to the source code would be noticed by anyone updating their personal copy of the code, according to the site’s security notification.
Kernel.org is “just a distribution point” and no actual development happens on the server, according to Corbet. “When we say that we know the kernel source has not been compromised on kernel.org, we really know it,” Corbet wrote.
The Trojan appeared to be a self-injecting rootkit, known as Phalanx, Jon Oberheide, one of the Linux security researchers briefed by Linux Kernel Organization about the breach, told The Register. Phalanx variants have attacked sensitive Linux systems before by stealing Secure Shell (SSH) keys to access servers and exploiting kernel vulnerabilities.
Attackers are not likely to use an “off-the-shelf” rootkit like Phalanx in a sophisticated attack, according to Oberheide. “Normally, if you were to target a high-value target, you would potentially use something that’s more tailored to your specific target, something that’s not going to be flagged or potentially detected,” Oberheide told The Register. It was not likely the attackers were after the source code, or they would have performed the attack differently, he said.
This kind of compromise has happened before, for example, the attack in January, which compromised servers used by the Fedora project, the community version of Red Hat Enterprise Linux. Around the same time, SourceForge was also broken into, and there have been various attacks on Apache Websites.