The Kernel.org website – home to the Linux project and the primary repository for the Linux kernel source code – sports a warning notifying its users of a security breach that resulted in the compromise of several servers in its infrastructure.
The discovery was made on August 28th, but according to the current results of the investigation mounted by the site’s team, the break-in seems to date back to August 12 or even earlier.
The attackers are thought to have gained root access on a server via a compromised user credential, and to have escalated their privileges from there. How they managed to do that is still unknown.
From there, they proceeded to modify files belonging to SSH (openssh, openssh-server and openssh-clients) and to add a Trojan to the system startup scripts so that it would run every time the machine was rebooted.
Luckily for everyone, the Linux kernel source code is unlikely to have been tampered with.
“That’s because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds,” the site’s notice explains. “For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed.”
“Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each of several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.”
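To make the notice's argument concrete, here is an added example (not code from kernel.org or the git project) that reproduces git's own object hashing in plain Python: a blob id is SHA-1 over the file content, a tree id covers the blob ids, and a commit id covers its tree and its parent commit. The two-commit history, the file names and the author stamps are constructed; altering a file in an already-published commit changes that commit's id and every later one, which is what a developer's daily update would catch.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

def git_object_id(kind: str, body: bytes) -> str:
    """Hash an object exactly as git does: sha1("<kind> <size>\\0" + body)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(files: Dict[str, bytes]) -> str:
    """Flat git tree: entries '100644 <name>\\0<20 raw sha bytes>', sorted by name."""
    body = b"".join(b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
                    for name in sorted(files))
    return git_object_id("tree", body)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Commit object: its id covers the tree id AND the parent commit id."""
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    # Fixed author/committer stamps (constructed) so the ids are reproducible.
    lines += ["author Dev <dev@example.org> 0 +0000", "committer Dev <dev@example.org> 0 +0000"]
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", body)

def commit_chain(history: List[Tuple[Dict[str, bytes], str]]) -> List[str]:
    """Commit ids of a linear history, oldest first; each depends on all earlier ones."""
    ids: List[str] = []
    for files, message in history:
        ids.append(commit_id(tree_id(files), ids[-1] if ids else None, message))
    return ids

def first_divergence(local: List[str], remote: List[str]) -> Optional[int]:
    """What a developer's update sees: index of the first commit whose id differs, or None."""
    for i, (a, b) in enumerate(zip(local, remote)):
        if a != b:
            return i
    return None if len(local) == len(remote) else min(len(local), len(remote))

# Constructed two-commit history standing in for the kernel tree.
HISTORY = [
    ({"Makefile": b"VERSION = 3\n", "main.c": b"int main(void) { return 0; }\n"}, "Initial import"),
    ({"Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n", "main.c": b"int main(void) { return 0; }\n"}, "Bump patchlevel"),
]

def with_old_file_altered(history, index: int, path: str, content: bytes):
    """Copy of the history where one file in an already-published commit was changed in place."""
    altered = [(dict(files), msg) for files, msg in history]
    altered[index][0][path] = content
    return altered
```

Comparing `commit_chain(HISTORY)` with the chain of an altered copy shows the ids diverging from the edited commit onward, so the head id a developer already holds no longer matches what the server would announce.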
The 448 users of the site have been notified of the breach and have been advised to change their login credentials and SSH keys.
According to the notice, US and European authorities have been notified about the breach and asked to help with the investigation. The administrators have, in the meantime, proceeded to take the servers offline and reinstall them, and to make a thorough analysis of the code within Git (the distributed revision control system) in order to make absolutely sure that nothing was modified.