A particularly ugly attack originating on kernel.org drove the Linux Foundation and Linux.com to close down its sites for maintenance. Here is part of the message posted on the Linux Foundation website:
Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.
The Register reported on the kernel.org intrusion on Aug. 31, stating that the infection went undetected for at least 17 days.
Multiple servers used to maintain and distribute the Linux operating system were infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them, the official Linux Kernel Organization has confirmed.
According to security researchers who commented on the attack to The Register, the malware was a self-injecting rootkit, known as Phalanx, that first took hold on kernel.org developer H. Peter Anvin’s personal machine, then appeared on kernel.org servers Hera and Odin1, where a “secure shell client used to remotely access servers was modified, and passwords and user interactions were logged during the compromise.”
Kernel.org is also down, but posted a note earlier that they are working on having all of its 448 users to change passwords and SSH keys. As far as the damage that was done, that is still being assessed, although some are offering reassurance. PC World quotes kernel.org’s message that “the potential damage of cracking kernel.org is far less than typical software repositories” because the cryptographically secure SHA-1 hash that is used to define files would alert developers to any tampering.
What do you think — do you trust that the Linux kernel will be safe and sound after the investigation is completed?