IgnorantGuru comments on his blog on this security breach:
In case anyone is living under a rock and missed it (like me), sometime in August multiple kernel.org servers were rooted, and linux.com was also compromised in a related breach. Both sites are still offline. Not only does kernel.org host the Linux kernel source code (which has now been temporarily moved), but it also hosts mirrors for many Linux distros. It is claimed that "the attackers did not really understand the significance of the servers they'd breached and were unable to capitalize on the attack", and that no tampering has been found in the kernel source code or distro mirrors. If true, call this very lucky, yet this is another example showing that Linux developers need to take file authentication protocols more seriously...
Earlier this year, I spent considerable time exposing and discussing Arch Linux's long-term negligence in their distro's security practices, which prompted me to discontinue my use of Arch Linux. It turns out that kernel.org hosts a primary Arch mirror, and were those files compromised, anyone using that mirror to update their system has been silently infected. (Note that the breach was not discovered by kernel.org for two weeks.)
For links, see: https://igurublog.wordpress.com/2011/09 … rg-rooted/
Read here for more details and discussions on the Arch forum: https://bbs.archlinux.org/viewtopic.php?id=125666
Quotes from kernel.org to indicate how serious it was:
Points of interest:
- Break-in seems to have initially occurred no later than August 12th
- Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live. These have been uninstalled and removed, all processes were killed and known good copies were reinstalled. That said all users may wish to consider taking this opportunity to change their passwords and update ssh keys (particularly if you had an ssh private key on hera). This seems to have occurred on or around August 19th.
- A trojan startup file was added to rc3.d
- User interactions were logged, as well as some exploit code. We have retained this for now.
- Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If you see this, and you don't have Xnest installed, please investigate.
- It *appears* that 3.1-rc2 might have blocked the exploit injector, we don't know if this is intentional or a side effect of another bugfix or
Developer Xyne comments on the Arch forum answering someone asking if he could be infected:
If the Arch mirror was compromised then it's possible, even if my first impulse is to say that it's unlikely. Arch is a relatively big distro though, so it may be worth the effort to target it, and hacking the kernel package is probably not too hard to do given the simplicity of Arch packages.
Considering the possibility, this should be mentioned on the front page news, at least until we know more...
Checking the packages with md5sum showed that no changes had been made.
It seems that everything isn't for the worst, but this shows how vulnerable the Linux ecosystem can be.
It is an interesting question: who is behind this?
The Linux kernel itself seems not to have been endangered, as this comment on IG's blog points out:
The linux kernel developers DO take file authentication seriously. Even if the attackers did know what they were going after, the git revision control system would have kept the main linux kernels near impossible to tamper with. I can't speak for Arch, or for the Arch mirror(s) on kernel.org, but rest assured that the linux kernel itself would have been damn near impossible to tamper with, without someone finding out almost immediately. As a matter of fact, if someone did attempt to tamper with the kernel itself, the intrusion almost definitely would have been detected faster than it actually was.
You should be happy that the linux kernel developers do take file authentication so seriously, instead of lumping them in with the negligence of Arch's development team.
From http://www.linuxfordevices.com/c/a/News … rg-hacked/ :
Git calculates a cryptographically secure SHA-1 hash for each of the nearly 40,000 files that make up the Linux kernel. The name of each version of the kernel depends on the complete development history leading up to that version, and once it is published, it's not possible to change the old versions without someone noticing. Any changes to the source code would be noticed by anyone updating their personal copy of the code, according to the site's security notification.
Kernel.org is "just a distribution point" and no actual development happens on the server, according to Corbet. "When we say that we know the kernel source has not been compromised on kernel.org, we really know it," Corbet wrote.
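The content addressing the article above describes, as an added example that is not part of the original post or of git itself: a minimal re-implementation of how git derives blob, tree and commit ids, showing that editing an old snapshot on a mirror changes every later id, so a clone that already knows the tip id notices. The object id rules are git's real ones; the sample history, the placeholder author and the `matches_trusted_tip` helper are constructed for this illustration.

```python
import hashlib

def git_object_id(obj_type, payload):
    # Git names every object by SHA-1 over "<type> <size>\0<payload>",
    # the same bytes `git hash-object` feeds to SHA-1.
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def tree_id(files):
    # Flat tree object: name-sorted entries of "100644 <name>\0<20-byte blob id>".
    entries = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        entries += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", entries)

def commit_id(tree, parent, message):
    # A commit names its tree and its parent commit, so its id covers all
    # prior history. Placeholder author/committer keep the ids deterministic.
    body = f"tree {tree}\n"
    if parent:
        body += f"parent {parent}\n"
    body += ("author Example <ex@example.invalid> 0 +0000\n"
             "committer Example <ex@example.invalid> 0 +0000\n\n"
             f"{message}\n")
    return git_object_id("commit", body.encode())

def build_history(snapshots):
    # snapshots: list of (files, message) in chronological order.
    # Returns the commit ids in order; the last one is the branch tip.
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids

def matches_trusted_tip(snapshots, trusted_tip):
    # What a developer's existing clone effectively checks on fetch: does the
    # mirror's history hash to the tip id we already hold out of band?
    return build_history(snapshots)[-1] == trusted_tip

# Constructed sample history (not the real kernel tree).
HISTORY = [
    ({"Makefile": b"VERSION = 3\n"}, "Initial import"),
    ({"Makefile": b"VERSION = 3\n", "main.c": b"int main(void){return 0;}\n"}, "Add main"),
]
TRUSTED_TIP = build_history(HISTORY)[-1]

# A mirror that silently edits the *old* snapshot changes every later id too.
TAMPERED = [({"Makefile": b"VERSION = 3\nEXTRA = 1\n"}, "Initial import")] + HISTORY[1:]
```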
Even more important now to get the Arch developer PGP key ring of trust in place ASAP for pacman 4.0.0. Kernel.org has been down for quite a while now. They seem to be spending a lot of time assessing and securing things before going back on-line so it will be difficult to happen again. No one can take security for granted nowadays.