A number of servers belonging to kernel.org were compromised last month in an attack that may have started with a stolen user credential.
According to a statement on kernel.org, which hosts the source code for the Linux kernel, the attack is not believed to have affected the source code repositories. While the situation remains under investigation, it is believed the attackers gained access to a server known as ‘Hera.’
“We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated,” according to kernel.org.
The attackers then modified SSH files that were running live, logged user interactions and added a Trojan startup file to the system start up scripts, the statement explains.
The attack was discovered Aug. 28 when an Xnest error message was found in the system logs on a server that did not have Xnest installed. Officials with the site have responded by taking the affected systems offline and doing backups and reinstalls, and have also notified authorities in the United States and Europe.
In an email to users, chief site administrator John 'Warthog9' Hawley stated that the break-in is believed to have occurred no later than Aug. 12, and that the Trojan infected a developer’s personal colocated machine as well as other systems.
“Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this,” he wrote.
The statement on kernel.org sought to assuage fears about the attack, noting that “the potential damage of cracking kernel.org is far less than typical software repositories.” “That's because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds,” according to the statement. “For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version.”
“Once it is published, it is not possible to change the old versions without it being noticed,” the statement continues. “Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.”
The site is working with the 448 users of kernel.org to change their credentials and change their SSH keys.