Git Saves Linux Code Base In Kernel Server Breach

The Linux kernel site was hacked around the time the popular operating system celebrated its 20th anniversary on August 25. In a post on the site, the organisation admitted that “a number of servers in the kernel.org infrastructure were compromised”.

The discovery was made on August 28 but the kernel team did not say when the hack occurred as logs are still under forensic examination. The post added that it is not thought the source code repositories were affected.

Code Safe Under Git Protection

Since the breach, the kernel team has taken the affected systems offline, backed them up and started to re-install them. It is also planning to re-install all of the kernel.org servers just to be sure that there is nothing unknown to them lurking on any other parts of the infrastructure.

There is also a check being made of all the code within Git, a revision control system devised by Linus Torvalds who created Linux. The team is also testing the tarballs, composites of archived files, to affirm that nothing has been modified.

European and US authorities have been notified of the breach.

In its statement, the kernel.org managers said, “The Linux community and kernel.org take the security of the kernel.org domain extremely seriously, and are pursuing all avenues to investigate this attack and prevent future ones.”

The hack will not affect the code in the long term because the Git system encrypts all of the Linux files, almost 40,000, with a SHA-1 hash which defines the exact contents of the original files. Throughout development, Git names each file version according to the complete development history leading up to the current version. Once published, it is “not possible to change the old versions without it being noticed”.

When it comes to sound versions of the files, the backup system of Linux code is too complex for a hacker to be able to damage any file. Copies are held on Kernel.org mirror sites and on thousands of servers owned by the developers and distribution maintainers in the Linux community. Many o the developers update these personal repositories every day and changes would be noticed and flagged up immediately.

All 448 users who maintain kernel.org are changing their authentication details and Secure Shell (SSH) keys. In addition, security policies are being audited.

Not Afraid To Come Clean

A detailed log of what is known so far has also been included in the disclosure:

  • Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
  • Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
  • A Trojan start-up file was added to the system start up scripts
  • User interactions were logged, as well as some exploit code. We have retained this for now.
  • Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don’t have Xnest installed, please investigate.
  • It *appears* that 3.1-rc2 might have blocked the exploit injector, we don’t know if this is intentional or a side affect of another bugfix or change.
Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

View Comments

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago