Git Saves Linux Code Base In Kernel Server Breach

The Linux Kernel site was given the bumps on its 20th birthday when hackers broke in to plant a Trojan

The Linux kernel site was hacked around the time the popular operating system celebrated its 20th anniversary on August 25. In a post on the site, the organisation admitted that “a number of servers in the kernel.org infrastructure were compromised”.

The discovery was made on August 28 but the kernel team did not say when the hack occurred as logs are still under forensic examination. The post added that it is not thought the source code repositories were affected.

Code Safe Under Git Protection

Since the breach, the kernel team has taken the affected systems offline, backed them up and started to re-install them. It is also planning to re-install all of the kernel.org servers just to be sure that there is nothing unknown to them lurking on any other parts of the infrastructure.

There is also a check being made of all the code within Git, a revision control system devised by Linus Torvalds who created Linux. The team is also testing the tarballs, composites of archived files, to affirm that nothing has been modified.

European and US authorities have been notified of the breach.

In its statement, the kernel.org managers said, “The Linux community and kernel.org take the security of the kernel.org domain extremely seriously, and are pursuing all avenues to investigate this attack and prevent future ones.”

The hack will not affect the code in the long term because the Git system encrypts all of the Linux files, almost 40,000, with a SHA-1 hash which defines the exact contents of the original files. Throughout development, Git names each file version according to the complete development history leading up to the current version. Once published, it is “not possible to change the old versions without it being noticed”.

When it comes to sound versions of the files, the backup system of Linux code is too complex for a hacker to be able to damage any file. Copies are held on Kernel.org mirror sites and on thousands of servers owned by the developers and distribution maintainers in the Linux community. Many o the developers update these personal repositories every day and changes would be noticed and flagged up immediately.

All 448 users who maintain kernel.org are changing their authentication details and Secure Shell (SSH) keys. In addition, security policies are being audited.

Not Afraid To Come Clean

A detailed log of what is known so far has also been included in the disclosure:

  • Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
  • Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
  • A Trojan start-up file was added to the system start up scripts
  • User interactions were logged, as well as some exploit code. We have retained this for now.
  • Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don’t have Xnest installed, please investigate.
  • It *appears* that 3.1-rc2 might have blocked the exploit injector, we don’t know if this is intentional or a side affect of another bugfix or change.