Kernel.org servers are hacked

Apparently an undetermined number of servers hosting kernel.org have been compromised and their security breached. This would have happened in early August, although the site administrators only realized it on the 28th.

What happened?

  • Intruders accessed the Hera server with administrator privileges. Kernel.org administrators suspect that this was possible after some user credentials were compromised; how they were able to take advantage of this to gain admin privileges is not yet known and is being investigated.
  • The files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and run on the live system.
  • A Trojan was added to the system startup applications (from kernel.org servers… No, not on your machine! Don't panic!).
  • All user interactions as well as some of the malicious code were tracked. For now, the administrators have saved this information.
  • The Trojan, originally discovered because of an Xnest /dev/mem error message on a system without Xnest installed, has been seen on other systems as well. It is not yet clear whether the systems displaying this message are compromised or not.
  • The 3.1-rc2 kernel appears to have blocked the malicious code in some way. It is not yet known whether this is intentional or a side effect of another change.

What is being done to control the damage done?

  • Several servers have been disconnected to take backups and reinstall the system.
  • Authorities in the United States and Europe have been notified to assist in the investigation.
  • The system will be completely reinstalled on ALL kernel.org servers.
  • An analysis of the code hosted in git, as well as of the tarballs, will begin in order to confirm that nothing was modified.

Sleep peacefully, my friends

Jonathan Corbet, of the Linux Foundation, has written a note about the event which, although serious, should not cause panic or mass hysteria, since they have the tools needed to return to normality and locate any unauthorized modification:

The episode is disturbing and embarrassing. But I can say that there is no need to worry about the integrity of the kernel source code or any other software hosted on kernel.org systems.

So we should stay calm: now that the intrusion has been detected, everything will return to normal. Of course, nobody can undo the scare, and it has certainly been a blow to the project's maintainers, who will probably spend some time improving the security of their systems.

Source: Kernel.org & Alt1040