Attackers have compromised several key servers at kernel.org, which houses the source code for the Linux kernel. The likelihood of attackers modifying the actual source code is very low, since the code is distributed across thousands of computers, according to developers who help maintain the code.
Attackers modified a number of files and logged user activity on the compromised servers, according to a message posted on the kernel.org website Aug. 31. The attackers were able to modify the OpenSSH client and server software installed on the compromised server. However, the attackers did not change the actual OpenSSH source code.
The attack happened “some time” in August and was discovered by Linux Kernel Organization officials on Aug. 28, according to the security notice on the site. The attackers used a Trojan to compromise the servers on Aug. 12, according to an email from John “Warthog9” Hawley, the chief administrator of kernel.org. That email was sent to developers and posted on the text-sharing website Pastebin.
“Earlier today discovered a trojan existing on HPA’s personal colo machine, as well as hera,” the email said. HPA refers to kernel developer H. Peter Anvin.
Other kernel.org boxes were discovered to have been hit by the same Trojan. The Trojan startup file was inserted into the startup scripts on the compromised server so that it would execute whenever the machine was started.
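The two changes the article describes, replaced OpenSSH binaries and a Trojan startup file dropped into the startup scripts, are exactly what a file-integrity baseline catches. The following is an added illustration, not code from kernel.org or from the incident response described above: it hashes a chosen set of files, stores the result as a baseline, and later reports which files were modified, added or removed. The directory layout, file contents and the "tampering" in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, patterns):
    """Map each file under root matching one of the glob patterns to its hash.

    Paths are stored relative to root (POSIX form) so the baseline can be kept
    and compared off-host.
    """
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_to_baseline(root, patterns, baseline):
    """Re-hash the same files and classify every difference from the baseline."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: take a baseline of a clean host, then simulate the
    kind of changes reported in the article (an edited startup script, a replaced
    sshd binary and a new startup file) and diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "rc.d").mkdir(parents=True)
        (root / "usr" / "sbin").mkdir(parents=True)
        (root / "etc" / "rc.d" / "rc.local").write_text("#!/bin/sh\nexit 0\n")
        (root / "usr" / "sbin" / "sshd").write_bytes(b"\x7fELF constructed clean sshd")

        patterns = ["etc/rc.d/*", "usr/sbin/*"]  # startup scripts and system daemons
        baseline = build_baseline(root, patterns)

        # Constructed tampering, standing in for the changes the article reports.
        (root / "etc" / "rc.d" / "rc.local").write_text("#!/bin/sh\n# constructed modification\nexit 0\n")
        (root / "usr" / "sbin" / "sshd").write_bytes(b"\x7fELF constructed replaced sshd")
        (root / "etc" / "rc.d" / "rc.added").write_text("#!/bin/sh\n")

        return compare_to_baseline(root, patterns, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline only has value if the attacker cannot rewrite it: once an intruder has root, as happened here, anything stored on the same host can be edited to match, so the hashes belong on a separate system or read-only media, and the comparison should be run from a trusted environment rather than the suspect host's own binaries.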
Site administrators have taken the compromised servers offline and are creating backups as well as reinstalling the systems, according to the message on the site. The investigation is ongoing.
Intruders apparently gained root access on one of the servers using a compromised user credential, the email said. It’s not yet known how the attackers exploited the credentials to become root, according to the security notice.