Home  |  News  |  Articles  |  Forum  |  Polls  |  Blogs  |  Videos  |  Resource Library

Keywords: Match: hacked, but Linux kernel safe thanks to git
Sep. 02, 2011

Attackers compromised several servers at using an off-the-shelf Trojan that appears to have entered via a compromised user credential. However, the source code for the Linux kernel does not appear to have been altered thanks to its "git" distributed revision control system, say kernel maintainers.

Attackers have compromised several key servers at, which houses the source code for the Linux kernel. The likelihood of attackers modifying the actual source code is very low since the code is distributed across thousands of developer machines, according to developers who help maintain the code.

Attackers modified a number of files and logged user activity on the compromised servers, according to a message posted on the website Aug. 31. The attackers were able to modify the OpenSSH client and server software installed on the compromised server. However, the attackers did not change the actual OpenSSH source code.

The attack happened "some time" in August and was discovered by Linux Kernel Organization officials on Aug. 28, according to the security notice on the site. The attackers used a Trojan to compromise the servers on Aug. 12, according to an email from John "'Warthog9" Hawley, the chief administrator of That email was sent to developers and posted on the text-sharing website Pastebin.

"Earlier today discovered a trojan existing on HPA's personal colo machine, as well as hera," the email said. HPA refers to kernel developer H Peter Anvin.

Other boxes were discovered to have been hit by the same Trojan. The Trojan startup file was inserted into the startup scripts on the compromised server so that it would execute whenever the machine was started.

Site administrators have taken the compromised servers offline and are creating backups as well as reinstalling the systems, according to the message on the site. The investigation is still on-going.

Intruders apparently gained root access on one of the servers using a compromised user credential, the email said. It's not yet known how the attackers exploited the credentials to become root, according to the security notice.

A not so stupid git

While the intruders were able to compromise servers, that doesn't translate to modifying the actual kernel code, Jonathan Corbet, a kernel developer, wrote on There are thousands of copies of the kernel source code housed on developer machines around the world and if someone tries to check in corrupted or modified code, the changes would be flagged by a distributed revision control system called git, according to Corbet.

Git calculates a cryptographically secure SHA-1 hash for each of the nearly 40,000 files that make up the Linux kernel. The name of each version of the kernel depends on the complete development history leading up to that version, and once it is published, it's not possible to change the old versions without someone noticing. Any changes to the source code would be noticed by anyone updating their personal copy of the code, according to the site's security notification. is "just a distribution point" and no actual development happens on the server, according to Corbet. "When we say that we know the kernel source has not been compromised on, we really know it," Corbet wrote.

Phalanx a prime suspect

The Trojan appeared to be a self-injecting rootkit known as Phalanx, Jon Oberheide, one of the Linux security researchers briefed by Linux Kernel Organization about the breach, told The Register. Phalanx variants have attacked sensitive Linux systems before by stealing SSH keys to access servers and exploiting kernel vulnerabilities.

Attackers are not likely to use an "off-the-shelf" rootkit like Phalanx in a sophisticated attack, according to Oberheide. "Normally if you were to target a high-value target you would potentially use something that's more more tailored to your specific target, something that's not going to be flagged or potentially detected," Oberheide was quoted as saying. It was not likely the attackers were after the source code, or they would have performed the attack differently, he said.

This kind of compromise has happened before, such as the attack in January, which compromised servers used by the Fedora project, the community version of Red Hat Enterprise Linux. Around the same time SourceForge was also broken into, and there have been various attacks on Apache websites.

In other recent Linux-related coverage, our sister publication eWEEK put together a slide show retrospective on the first 20 years of Linux.

Fahmida Rashid is a writer for eWEEK.

Related Stories:

(Click here for further information)

Home  |  News  |  Articles  |  Forum  |  Polls  |  About  |  Contact

Ziff Davis Enterprise Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters
Tech RSS Feeds | ROI Calculators | Tech Podcasts | Tech Video | VARs | Channel News

Baseline | Careers | Channel Insider | CIO Insight | DesktopLinux | DeviceForge | DevSource | eSeminars |
eWEEK | Enterprise Network Security | LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | Networking | PDF Zone |
Publish | Security IT Hub | Strategic Partner | Web Buyer's Guide | Windows for Devices

Developer Shed | Dev Shed | ASP Free | Dev Articles | Dev Hardware | SEO Chat | Tutorialized | Scripts |
Code Walkers | Web Hosters | Dev Mechanic | Dev Archives | igrep

Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2011 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.