Linux end users may not have to worry about malware too often, but apparently, folks who like to roll their own code still draw the attention of hackers. Kernel.org, the online repository of the Linux kernel, is reporting that it fell victim to a security breach in August. Don’t start screaming and unplugging your Ubuntu PCs quite yet, though – the administrators believe the attack only compromised the servers and the accounts of users who accessed the kernel.org site, and not the Linux source code itself.
Kernel.org discovered the breach on August 10th. The attacker gained root access on the website’s Hera server, probably via a compromised user credential. According to the website’s announcement, the attacker then modified ssh-related files, added a Trojan file to the system startup scripts, and logged the interactions of users who accessed the site. The intrusion was discovered when developers began getting Xnest errors on a machine without Xnest installed.
The compromised systems have all been yanked offline and are currently being restored from pristine, Trojan-free backups. Every box on kernel.org will receive a full reinstall, and kernel.org is in the process of changing the credentials and ssh keys of the 448 users registered with the site.
Kernel.org is digging through the source code repositories with a fine-toothed comb to ensure that everything’s kosher, but they feel it’s unlikely that the attacker altered any of the 40,000 files in the Linux code, thanks to the git distributed revision control system that’s in place. “A cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of (each) file,” the site explains. Each revision in the kernel’s history is built on top of the revisions before it, so its hash depends on the hashes of everything that came earlier; because copies of those hashes sit on the hard drives of Linux developers across the world, it’s virtually impossible to secretly change older versions without the change showing up as a mismatch.
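To make the hash-chaining argument concrete, here is an added Python example (not code from kernel.org or from git itself) that reproduces git’s blob hashing exactly and then chains simplified tree and commit objects the way git does. The tree encoding is a simplification assumed for illustration (git’s real tree format is binary and records file modes), and the revisions and file contents are constructed sample data. The point it shows is that tampering with a file in an old revision changes that revision’s id and every id after it, so a copy of the expected ids held elsewhere (as developers’ clones hold them) pinpoints the first altered revision.

```python
import copy
import hashlib
from typing import Optional


def git_object_id(kind: str, payload: bytes) -> str:
    """SHA-1 over '<kind> <size>\\0<payload>', which is how git names every object."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def git_blob_id(content: bytes) -> str:
    """Exactly the id `git hash-object` would assign to this file content."""
    return git_object_id("blob", content)


def tree_id(files: dict) -> str:
    """Simplified tree (assumption): sorted 'path\\0blobid' pairs, hashed as a 'tree' object.
    Real git trees also carry file modes in a binary layout; the chaining property is the same."""
    payload = b"".join(
        path.encode() + b"\0" + git_blob_id(content).encode()
        for path, content in sorted(files.items())
    )
    return git_object_id("tree", payload)


def commit_id(files: dict, parent: Optional[str], message: str) -> str:
    """A commit names its tree and its parent, so its id covers the whole history behind it."""
    body = f"tree {tree_id(files)}\n"
    if parent is not None:
        body += f"parent {parent}\n"
    body += f"\n{message}\n"
    return git_object_id("commit", body.encode())


def build_history(revisions: list) -> list:
    """revisions: list of (files, message) snapshots, oldest first. Returns the commit ids."""
    ids, parent = [], None
    for files, message in revisions:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids


def first_mismatch(revisions: list, trusted_ids: list) -> Optional[int]:
    """Recompute ids from the (possibly tampered) repository contents and compare them
    with ids held elsewhere. Returns the index of the first revision that differs, or None."""
    for index, (recomputed, trusted) in enumerate(zip(build_history(revisions), trusted_ids)):
        if recomputed != trusted:
            return index
    return None


def sample_revisions() -> list:
    """Constructed sample history standing in for a tiny slice of a kernel tree."""
    rev0 = {"Makefile": b"VERSION = 3\n", "init/main.c": b"int main(void) { return 0; }\n"}
    rev1 = dict(rev0, **{"kernel/sched.c": b"/* scheduler */\n"})
    rev2 = dict(rev1, **{"init/main.c": b"int main(void) { return 0; } /* fixed */\n"})
    return [(rev0, "Initial import"), (rev1, "Add scheduler"), (rev2, "Tidy main")]


def tampered(revisions: list, index: int, path: str, content: bytes) -> list:
    """Return a copy of the history with one file in one old revision silently altered."""
    altered = copy.deepcopy(revisions)
    altered[index][0][path] = content
    return altered


if __name__ == "__main__":
    history = sample_revisions()
    trusted = build_history(history)          # what developers' clones already hold
    print("untampered:", first_mismatch(history, trusted))   # None
    evil = tampered(history, 0, "init/main.c", b"int main(void) { return 1; }\n")
    print("tampered rev 0 detected at:", first_mismatch(evil, trusted))   # 0
```

Because every later commit id is computed over its parent’s id, the mismatch at revision 0 propagates to revisions 1 and 2 as well; an attacker who wanted the tampered tree to pass would have to rewrite every later id, and those rewritten ids would still disagree with the copies held by every developer who ever cloned the repository.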
Basically, the only Linux end users who may have something to worry about are people who were testing or compiling kernels in the past month, and that’s only if the source code itself was infected, which doesn’t seem likely at this point.