News Archive (1999-2012) | 2013-current at LinuxGizmos | Current Tech News Portal |    About   

Kernel.org hacked, but Linux kernel safe thanks to git

Sep 1, 2011 — by LinuxDevices Staff — from the LinuxDevices Archive — 9 views

Attackers compromised several servers at kernel.org using an off-the-shelf Trojan that appears to have entered via a compromised user credential. However, the source code for the Linux kernel does not appear to have been altered, thanks to its “git” distributed revision control system, say kernel maintainers.

Attackers have compromised several key servers at kernel.org, which houses the source code for the Linux kernel. The likelihood of attackers modifying the actual source code is very low, since the code is distributed across thousands of computers, according to developers who help maintain the code.

Attackers modified a number of files and logged user activity on the compromised servers, according to a message posted on the kernel.org website Aug. 31. The attackers were able to modify the OpenSSH client and server software installed on the compromised server. However, the attackers did not change the actual OpenSSH source code.

The attack happened "some time" in August and was discovered by Linux Kernel Organization officials on Aug. 28, according to the security notice on the site. The attackers used a Trojan to compromise the servers on Aug. 12, according to an email from John "'Warthog9" Hawley, the chief administrator of kernel.org. That email was sent to developers and posted on the text-sharing website Pastebin.

"Earlier today discovered a trojan existing on HPA's personal colo machine, as well as hera," the email said. HPA refers to kernel developer H Peter Anvin.

Other kernel.org boxes were discovered to have been hit by the same Trojan. The Trojan startup file was inserted into the startup scripts on the compromised server so that it would execute whenever the machine was started.

Site administrators have taken the compromised servers offline and are creating backups as well as reinstalling the systems, according to the message on the site. The investigation is ongoing.

Intruders apparently gained root access on one of the servers using a compromised user credential, the email said. It's not yet known how the attackers exploited the credentials to become root, according to the security notice.

A not so stupid git

While the intruders were able to compromise kernel.org servers, that doesn't translate to modifying the actual kernel code, Jonathan Corbet, a kernel developer, wrote on Linux.com.

There are thousands of copies of the kernel source code housed on developer machines around the world, and if someone tries to check in corrupted or modified code, the changes would be flagged by a distributed revision control system called git, according to Corbet.

Git calculates a cryptographically secure SHA-1 hash for each of the nearly 40,000 files that make up the Linux kernel. The name of each version of the kernel depends on the complete development history leading up to that version, and once it is published, it's not possible to change the old versions without someone noticing. Any changes to the source code would be noticed by anyone updating their personal copy of the code, according to the site's security notification.

Kernel.org is "just a distribution point" and no actual development happens on the server, according to Corbet. "When we say that we know the kernel source has not been compromised on kernel.org, we really know it," Corbet wrote.

Phalanx a prime suspect

The Trojan appeared to be a self-injecting rootkit known as Phalanx, Jon Oberheide, one of the Linux security researchers briefed by Linux Kernel Organization about the breach, told The Register.

Phalanx variants have attacked sensitive Linux systems before by stealing SSH keys to access servers and exploiting kernel vulnerabilities. Attackers are not likely to use an "off-the-shelf" rootkit like Phalanx in a sophisticated attack, according to Oberheide.

"Normally if you were to target a high-value target you would potentially use something that's more more tailored to your specific target, something that's not going to be flagged or potentially detected," said Oberheide. It was not likely the attackers were after the source code, or they would have performed the attack differently, he added.

This kind of compromise has happened before, as in the attack in January, which compromised servers used by the Fedora project, the community version of Red Hat Enterprise Linux. Around the same time SourceForge was also broken into, and there have been various attacks on Apache websites.

Fahmida Y. Rashid is a writer for eWEEK.


This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.



Comments are closed.