Multiple servers that are part of the Linux kernel.org infrastructure were affected during a recent intrusion where attackers managed to gain root access and plant Trojan scripts.
According to an email sent out to the community by kernel.org chief administrator John Hawley, known as warthog9, the incident started with the compromise of a server referred to as Hera. The personal colocated machine of Linux developer H Peter Anvin (HPA) and additional kernel.org systems were also affected.
"Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this," Hawley wrote.
The intrusion was discovered on 28 August and according to preliminary findings attackers gained access by using a set of compromised credentials. They then elevated their privileges to root by exploiting a zero-day vulnerability that the kernel.org administrators have yet to identify.
Fortunately, logs and parts of the exploit code were retained and will help the investigation. A Trojan was added to the startup scripts of affected systems, but gave itself away through kernel error messages about a process named Xnest accessing /dev/mem.
According to the kernel.org admins, these error messages have been seen on other systems as well, but it's not clear if those machines are vulnerable or compromised. "If developers see this, and you don't have Xnest installed, please investigate," the administrators advised.
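The administrators' rule of thumb above, a /dev/mem warning naming Xnest on a machine that has no Xnest installed, can be turned into a simple log check. The script below is an added example and is not code from kernel.org or from the original article: it scans constructed sample syslog lines (modelled on the warning the kernel prints when a process touches a /dev/mem range it is not allowed to), collects the program names involved, and reports any that are not actually installed on the host. The hostname, timestamps and addresses in the sample are made up.

```python
import re
import shutil

# Constructed sample syslog lines (not from the kernel.org incident), modelled
# on the warning printed by drivers/char/mem.c when a process reads or writes a
# /dev/mem range it may not touch. Hostname, times and addresses are invented.
SAMPLE_LOG = """\
Aug 28 14:02:11 hera kernel: [12345.678901] Program Xnest tried to access /dev/mem between 100000->101000.
Aug 28 14:02:12 hera kernel: [12346.001234] Program Xnest tried to access /dev/mem between 1000000->1001000.
Aug 28 14:05:00 hera sshd[2201]: Accepted publickey for builder from 192.0.2.10 port 40122 ssh2
Aug 28 14:07:43 hera kernel: [12680.111222] Program Xorg tried to access /dev/mem between a0000->c0000.
"""

DEV_MEM_RE = re.compile(
    r"Program (?P<comm>\S+) tried to access /dev/mem "
    r"between (?P<lo>[0-9a-fA-F]+)->(?P<hi>[0-9a-fA-F]+)"
)


def dev_mem_accesses(log_text):
    """Return (program, low, high) for every /dev/mem warning in the log.

    The program name is the kernel's view of the process (its comm field),
    which a process can set to anything, so it is a hint, not proof.
    """
    hits = []
    for line in log_text.splitlines():
        m = DEV_MEM_RE.search(line)
        if m:
            hits.append((m.group("comm"), int(m.group("lo"), 16), int(m.group("hi"), 16)))
    return hits


def unexplained_dev_mem_programs(log_text, installed):
    """Names of programs that touched /dev/mem but are not installed here.

    This is the admins' rule: an Xnest warning on a box without Xnest means
    something else is running under that name and deserves a look.
    """
    installed = set(installed)
    return sorted({comm for comm, _, _ in dev_mem_accesses(log_text) if comm not in installed})


def installed_on_this_host(names):
    """Subset of names that resolve to an executable on PATH on this host."""
    return {n for n in names if shutil.which(n)}


if __name__ == "__main__":
    seen = {comm for comm, _, _ in dev_mem_accesses(SAMPLE_LOG)}
    present = installed_on_this_host(seen)
    for comm in unexplained_dev_mem_programs(SAMPLE_LOG, present):
        print(f"investigate: '{comm}' accessed /dev/mem but is not installed")
```

On a real host, feed it the output of `dmesg` or the contents of /var/log/messages instead of the sample text. The check is deliberately one-sided: a legitimate X server that is installed will also produce these warnings, and a process that names itself after an installed binary will slip through, so a hit is a reason to investigate the machine, not a verdict.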
The good news is that the exploit failed on systems running the latest Linux kernel version, 3.1-rc2, which was released two weeks ago. This is possibly the fortunate consequence of one of the bugfixes it contains.
All of the affected boxes were taken offline following the incident and will be reinstalled. The official Linux kernel source code is also being analysed for unauthorised changes; however, these should be very easy to spot because git identifies every file, directory tree and commit by a cryptographic hash of its contents, so any alteration changes the hashes and would show up against the many copies of the repository held by kernel developers around the world.
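The reason a tampered source tree is hard to hide is that git's object ids are content hashes, and a tree's id covers the ids of everything in it. The following is an added example, not code from git or from kernel.org, that recomputes git's blob and tree ids from scratch and uses them to spot a modified file. The two sample files are constructed stand-ins, not real kernel sources.

```python
import hashlib


def git_blob_id(content: bytes) -> str:
    """SHA-1 git assigns to a file's contents: sha1("blob <len>\\0" + content)."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def git_tree_id(entries) -> str:
    """SHA-1 of a tree object built from (mode, name, object id) entries.

    Each entry is stored as "<mode> <name>\\0" followed by the 20 raw bytes of
    the child id, so the tree id changes whenever any child's id changes.
    Entries here are plain files sorted by name, which is git's order for them.
    """
    body = b"".join(
        b"%s %s\0" % (mode.encode(), name.encode()) + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def tampered_paths(recorded, working):
    """Paths whose current bytes no longer hash to the id recorded for them."""
    return sorted(p for p, content in working.items() if git_blob_id(content) != recorded.get(p))


# Constructed stand-in for two checked-in files (not real kernel sources).
ORIGINAL = {
    "sys.c": b"long sys_getuid(void)\n{\n\treturn current_uid();\n}\n",
    "Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n",
}
# What the repository records: one id per file, and a tree id over all of them.
RECORDED = {path: git_blob_id(content) for path, content in ORIGINAL.items()}
RECORDED_TREE = git_tree_id([("100644", p, h) for p, h in RECORDED.items()])

# Attacker-style edit: a small change to one checked-in file.
MODIFIED = dict(ORIGINAL)
MODIFIED["sys.c"] = ORIGINAL["sys.c"].replace(b"current_uid()", b"0")


if __name__ == "__main__":
    print("clean tree changed files:", tampered_paths(RECORDED, ORIGINAL))
    print("edited tree changed files:", tampered_paths(RECORDED, MODIFIED))
    new_tree = git_tree_id([("100644", p, git_blob_id(c)) for p, c in MODIFIED.items()])
    print("tree id still matches:", new_tree == RECORDED_TREE)
```

Because a commit id is in turn a hash over its tree id and parent commit ids, an attacker who rewrites a file on the server has to rewrite every tree and commit above it as well, and the resulting ids will disagree with the clones every developer already holds. The same property is why `git fsck` and a plain `git fetch` against a trusted clone are enough to detect server-side tampering after the fact.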
Furthermore, over four hundred kernel.org users will be forced to change their credentials and SSH keys as a precaution. The project's security policies will also be reviewed and improved.
This is not the first time that a major open source project has had to deal with such an intrusion.
Last December, Savannah, the collaborative development platform maintained by the Free Software Foundation, was taken offline after hackers managed to break in through an SQL injection vulnerability. And in September 2009 the infrastructure team of the Apache Software Foundation took several mirrors offline after the main staging server was compromised using a stolen SSH key.