Kernel.org Attackers Didn't Know What They Had

Trailrunner7 writes "The attack that compromised some high-value servers belonging to kernel.org — but not the Linux kernel source code — may have been the work of hackers who simply got lucky and didn't realize the value of the servers that they had gotten their hands on. The attackers made a couple of mistakes that enabled the administrators at kernel.org to discover the breach and stop it before any major damage occurred. First, they used a known Linux rootkit called Phalanx that the admins were able to detect. And second, the attackers set up SSH backdoors on the compromised servers, which the admins also discovered. Had the hackers been specifically targeting the kernel.org servers, the attack probably would've looked quite different." A few blog posts in the wake of the attack have agreed with the initial announcement; while it was embarrassing, the integrity of the kernel source is not in question.

Or maybe

[unity100]

They didnt want to harm the kernel.

Re:

[Anonymous Coward]

Or maybe, just maybe, the hackers wanted to appear that they didn't realize what they had gotten their hands on. I'm not trying to cause any tinfoil hats to come out, but I would still check everything.

Re:

[Dwonis]

Or maybe, just maybe, the hackers wanted to appear that they didn't realize what they had gotten their hands on. I'm not trying to cause any tinfoil hats to come out, but I would still check everything.

git fsck

Done.

Re:Or maybe

[FatdogHaiku]

They didnt want to harm the kernel.

Possibly out of respect for the 11 Secret Herbs and Spices?

Re:

[fatphil]

You my laugh, but I have at least twice been approached by agencies who are looking for a colonel developer.

Re:The motive doesn't matter. It's time for action

[LordLimecat]

Question, how would OpenBSD prevent them from getting into the server with compromised username and password? Or from running arbitrary code once they do so?

Re:

[rubycodez]

I'm curious, once inside an OpenBSD server as normal user, what rootkit would they use instead of Phalanx to elevate privileges? The OpenBSD teams has expended a lot of effort to combat such a thing.

Re:The motive doesn't matter. It's time for action

[LordLimecat]

Yes, well everyone knows those kernel.org sysops are a bunch of pushover newbies. Im sure you can do way better with the scope and size of the systems they deal with.

Re:The motive doesn't matter. It's time for action

[Slashdot Assistant]

I'd recommend Windows instead of OpenBSD. Sure Windows has had its problems in the past but now with Windows 7 and Norton it's practically impossible to hack my systems. Even the Lunix box I run feels safer when the Windows computer is on the network. I imagine it's the firewall in Windows 7 reaching out in to the network to protect all the computers in my office.

I've been supporting Lunix and Windows at the enterprise level for many years now. I think its finally time to move away from Lunix. Linus really needs to ask himself where he wants this to go? The kernal is hacked up, probably with viruses hidden in there (we can't be sure). Sorry, I have to say bye bye to Lunix.

Re:

[RobbieThe1st]

He's being funny, in case you can't tell.

Re:

[gnapster]

This is why I never comment until the mods have had a chance to let me know whether I should be laughing.

and after reading the articles....

[poofmeisterp]

...and didn't realize the value of the servers that they had gotten their hands on...

....I don't see any mention of what the phrase refers to. Is this dramatization or intentionally excluded information?

Curious.

Re:and after reading the articles....

[Samantha Wright]

Here [bell-labs.com] is what it's referring to. CS graduates are expected to recognize instances of it instinctively.

Re:

[poofmeisterp]

Here [bell-labs.com] is what it's referring to. CS graduates are expected to recognize instances of it instinctively.

Ah, so the statement was conceptual, not based on a hidden component within these boxes. Gotcha.

Correct me if I'm wrong.

Re:and after reading the articles....

[Samantha Wright]

That's pretty much it. Malicious control over the master copy of the kernel source means you can bake a rootkit into everything everywhere with enough clever code. All it takes is one generation of bad files to silently patch all successive copies during compilation, and you've got the stuff that cypherpunk nightmares are made of.

Re:

[KahabutDieDrake]

I'm not a programmer, but I'm not entirely ignorant either... which leaves me with a question... Assuming that the Kernel was compromised, and the scenario you describe came into being. Isn't it just a matter of examining the Kernel code until you find the naughty bits and expunge them? Or are you basing your nightmare on this infiltration not being detected?

Re:

[Rockoon]

Isn't it just a matter of examining the Kernel code until you find the naughty bits and expunge them?

Thats right. A task that can never be proven to be completed.

Re:

[F.Ultra]

Not really, you have to remember that the complete code as it was before these naughty bits was introduced is stored on multiple locations including Linus's own hard drive so extracting a diff between the two versions would point at all these changes immediately.

Re:and after reading the articles....

[jimicus]

I'm not a programmer, but I'm not entirely ignorant either... which leaves me with a question... Assuming that the Kernel was compromised, and the scenario you describe came into being. Isn't it just a matter of examining the Kernel code until you find the naughty bits and expunge them? Or are you basing your nightmare on this infiltration not being detected?

Not at all - the paper describes how one could write a custom C compiler which would automagically insert malicious code when it saw a particular pattern.

With a properly crafted attack you couldn't even compile your own "known clean" compiler - the attack takes advantage of the fact that most modern C compilers can't be compiled without an existing C compiler of some sort. Provided the existing compiler is the malicious one, all it needs to do is insert its own malicious payload as part of the compiler compilation process and every subsequent compiler on that system is equally malicious even though the source code is perfectly clean.

Re:

[Samantha Wright]

That's exactly the idea. While such a move would eventually be discovered, the amount of damage that could be done before that happened could be substantial, and the amount of work required to (a) find the bad code in a copy of the source tree and, especially, then (b) detect bad binaries would be pretty staggering. It should also be stressed that this isn't just some fanciful nightmare scenario as Kahabut suspects; Ken Thompson did it to the Unix kernel long ago.

Re:

[JasterBobaMereel]

Ken Thompson wrote a paper on how to do it http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com], but did not actually do it ...(As far as we know)

The point about it is that there is no source tree to examine ...

The point about any hack of kernel.org, is that there is no central depository of code there that is the master copy, it uses git, so there are many copies (or partial copies) scattered around many machines, compromising all of them is very unlikely, many are behind much better firewalls, examining the source

Re:

[mortonda]

But the point in the articles is that something exists to prevent this - Ken Thompson did not have to contend with git. To make that attack work you have to get malicious code into the tree for a while - long enough to infect the hosts that compile kernels for others... and then remove the original code.

Git would raise the alarm long before that, thanks to the cryptographic nature that it uses to identify the source chain.

It's a theoretical attack on one system, but for it to work, Linus would have to do

Re:

[koreaman]

And no one has old disks lying around with old versions of the compiler from before the server was compromised?

Re:

[jimicus]

And no one has old disks lying around with old versions of the compiler from before the server was compromised?

You assume that the compiler was compromised in the most recent server compromise. For all you know it was compromised ten years ago and every compiler ever since has been compromised. Go back far enough, if you'd done that early enough in the evolution of Linux distributions it's entirely possible the C compiler on every distribution and architecture is compromised.

Myself, I take from that paper that for practical purposes there is no such thing as a computer you can offer a cast-iron guarantee is not comp

Re:

[steelfood]

Restore the binaries directly from an earlier backup or some known-clean version. Transfer the existing and the restored binaries to a clean server via write-once media and do hash compares using multiple algorithms. Obtain several more copies of the clean versions and do the same with them.

Recompile the source with the compromised server. Again, do the hash comparisons using a clean, unconnected, read-only machine.

If there was some malicious binary inserted into the server or some kind of malicious hook st

Re:

[Mitchell314]

The point with ken's trick was that it's possible to throw in changes that are not *persistent* in the source code.

Re:

[del_diablo]

Or we take advantage of how git works, and axe all those commints that is noncomplient against history.

Re:

[sjames]

Except for those bazillions of good systems burned onto CDROMS already, any one of which could be used to bootstrap.

It would take a lot more than one generation of corruption to overcome that.

Re:

[WorBlux]

There is no one master copy, and most devs keep a local copy. Every file is checksummed, and the checksums are published, meaning it's pretty easy to tell weather a copy has been messed with.

Re:

[smash]

Even "better" would be if you were to mess with the FTP daemon, to silently serve various files from elsewhere that are trojanned. Leave the on-server source in tact, as its obvious people are going to check that...

Re:

[Tubal-Cain]

So nuke the servers and every patch prior to 3.1-rc3?

Re:

[Tubal-Cain]

prior to 3.1-rc3?

after 3.1-rc3.

Re:

[Samantha Wright]

There are, of course, situations where that wouldn't work. Consider, for example, the actual scenario in Trusting Trust, where all copies of compiler version foo are infected: foo-1 would be expected to produce different results, as every new version of the compiler should include new optimisations. For a large enough file, this is essentially prohibitively impossible. (Relatedly, while clang has been able to compile Linux for almost a year now, its code output is going to be radically different to the poin

Re:

[Samantha Wright]

Ah, good call. Bravo.

How could the attackers...

[Nutria]

not know what they had cracked and how useful it was?

Re:

[FooBarWidget]

Maybe a semi-automated attack in search of more zombie machines for sending spam.

Re:

[Anonymous Coward]

Any random machine with SSH enabled gets around 2-3 brute force attempts per day from automated zombies. Most likely kernel.org was breached in an automated attack. I've protected my server with Denyhosts which will add your IP address to the firewall after 5 failed passwords... indefinitely. kernel.org should either install it or switch to public key authentication. Having user/password authentication on Internet without any protection is real stupid.

Re:How could the attackers...

[Dahamma]

2-3? Mine sometimes gets hundreds. It's pretty ridiculous.these days.

Re:

[antdude]

Is that with default port 22? Mine doesn't get hundred hits, but then it is on a private connection.

Re:

[smash]

Not using SSH key pairs for accounts on a public system like this sounds pretty brain damaged to me.

Re:

[beuges]

This argument doesn't make sense. From what I've read, a kernel dev with kernel.org access had his machine trojanned, and the attackers got to kernel.org in that way. That's a far cry from script kiddies trying SSH ports on a bunch of random IP addresses. It sounds like quite a lot of effort to specifically get to the kernel.org network. Whether they managed to do some unknown damage, or access some other data whose relevance is as yet unknown, or maybe they just did it for the reputation of having hacked k

Nonsense!

[Anonymous Coward]

They must have gotten their hands on the kernel source code, I found it posted online!

sure THESE guys didn't touch the kernel...

[Anonymous Coward]

but how do we know someone more sophisticated didn't already break in and mess with the code undetected?

Re:

[migla]

>but how do we know someone more sophisticated didn't already break in and mess with the code undetected?

Lots of people probably have the same git source repo on their own computers, so it can be compared to the kernel.org one.

Re:

[Anonymous Coward]

Because in git, everything has got a hash checksum that is not forgeable (try to get something that compiles, does specifically something malicious, and that has the same checksum and size as before).

And then there are thousands of copies of the entire thing around. I also have one. A simple comparison for equality will work.

Re:sure THESE guys didn't touch the kernel...

[John Hasler]

Because in git, everything has got a hash checksum that is not forgeable...

And every commit is signed. When the Debian kernel maintainers fetch a new kernel (from Git, not a tarball) they verify the signature on every new commit. The integrity of the Linux kernel does not depend on anything as brittle as a sacred master copy.

Why?

[MattGWU]

Why would the attacks have to look different? Because if somebody wanted to mess with the source, they'd be more sophisticated and use more sophisticated exploits? Like Kaspersky pointed out, if they wanted to mess with the source code, a lot of what they did would have been unnecessary, but whatever initial exploit they used would have still worked! I think the real point is here 'they got in'. Better attackers just mean they wouldn't have discovered the break-in as quickly, and actual damage might have

The truth

[Iskorptix]

I think the truth is that failers trying to save their asses and trying to make themselves heroes here.

Spin

[93 Escort Wagon]

Given that they attackers hacked the server a minimum of 17 days before it was detected, I'm not sure I'm going to buy into a story that makes the attackers sound clueless and the server admins smart and on the ball.

Re:Spin

[microbee]

Yeah, just admit failure and do better next time. No need to blog about how a trivial issue it was.

Re:Spin

[Rogerborg]

We totally hadn't detected any intrusion!

Uh... then we did.

But we totally haven't detect any meddling with the sources

Uh...

Re:

[trib3003]

Indeed: http://blackhats.com/infosuck/0x007c.png [blackhats.com]

Re:

[mrmeval]

It sounds like a brush off of concerns about the source code . I would want theirs nuked and some trustworthy source used to replace it.

Re:

[mrmeval]

Yo Fanboi, I don't trust spin. I'll trust Linus' dump to github and will trust 'kernel'.org when it scrubs their systems.

Re:

[kangsterizer]

Yeah, theres a lot of BS going on about this hack. Reading the kernel.org news I feel like kernel.org admins are actually very average (they don't even know how they got exploited) and people seems to try to PR-fix-this.

There's several posts on the internet about how the GIT repositories could actually have been corrupted and we'll probably _never_ know, despite what GIT/kernel.org supporters might say.

I think most likely...

[icongorilla]

It wasn't until they got into the machines that they realized the Kernel wasn't written in Javascript. "Dammit!"

I'd Still Like To Know...

[mgmartin]

How they got root access after logging in. Was it something simple like a sudo? Was it a known, unpatched kernel vulnerability? Or, was it some new vulnerability current kernels are susceptible to? Last I read, they logged in under a user account, then they got root access.

Re:I'd Still Like To Know...

[beuges]

From what I read, one of the guys with a kernel.org login (HPA, I believe) had his personal machine infected by a trojan. The attackers were then able to login to kernel.org impersonating him. They then used a local-only exploit to get root.

This is why a local-only exploit is just as bad as a remote exploit. If your machine connects to a network, it has the potential to be compromised by a local-only exploit, by first exploiting a flaw in a completely unrelated program which is accessible remotely. In this case, the "flaw" was the compromised user account. It could have been a buffer overflow in an ftp or web server, which doesn't allow for privilege escalation on its own, but allows arbitrary code to be run as the current user... all the attacker has to do is make that arbitrary code trigger the local-only exploit, and your local-only exploit is now a remote one.

It's sad that so many people on slashdot keep playing local exploits down, or keep saying things like 'well it doesn't matter if my linux mail program has a flaw - the worst that can happen if I open a dodgy attachment is they wipe out my user directory, the rest of the system is safe'. Nothing is further from the truth. It's harder, yes, but not impossible to chain a bunch of vulnerabilities together so that your local-only exploit becomes remotely accessible.

This is why Linus doesn't like to classify bugs as security bugs vs other bugs. All bugs are potentially security bugs.

No, it's not just as bad

[dutchwhizzman]

It is bad, but there is a mitigation. It requires two steps in stead of just one to get root access. Given the fact that you usually try to layer your security and have logging/accounting and tripwire type of alarms set up, you have a bigger chance of catching intruders before they get access to anything really dangerous.

If you admin thousands of systems, used by many more users, you will get compromised accounts, on a fairly regular base. Those accounts in general will be used to try and get root access. By setting up logging, accounting and various other tools, you tend to get a lot of the compromised accounts to trigger an alarm before they get root, or run their code as user. With remote root vulnerabilities, you get none.

Any privilege escalation is something to be serious about, but crying wolf that local exploits are just as bad as remote, will make less people take you serious.

Re:

[rubycodez]

some other open source OS put in huge amount of time with the goal of making that impossible, the standard is zero *known* privilege escalation and they will ASAP fix any found. the Linux devs should adopt a similar attitude.

Re:

[Stupendoussteve]

Security is not the focus, this has been made clear [gmane.org].

Re:

[rubycodez]

Linus is wrong. he is out of focus. most kernel bugs don't let someone have root privileges. thus security need to be a separate consideration. This kernel.org event should be a wake-up call for him

Re:

[rubycodez]

. I have designed and administered Unix and Unix-like systems that were and are entrusted with moving billions of dollars, and I say "Pardon, but your youth, incredible ignorance and lack of experience is showing"

Re:

[TheLink]

That's as stupid as saying every bug in a car should be treated equally.

For some car flaws you issue a recall and fix it ASAP (e.g. brakes might fail to work). For others you might go "meh" (e.g. indicator lights have visibly different timings depending on whether you signal left or right).

Re:

[0ld_d0g]

I think that's unfair to Linxu. Devs do fix known vulnerabilities as soon as they can. Yes that "other os" might have had fewer bugs, but then the goals of that project are different.

Feeling better

[ChatHuant]

I was concerned about the fact that a high profile like kernel.org site was rooted, but knowing it didn't take a sophisticated and highly knowledgeable penetration team but just a group of bumbling script kiddies makes it all better.

Re:

[St.Creed]

Lol... bonus points for excellent use of sarcasm :)

Re:

[drolli]

And right now, somewhere... somebody of the highly knowledgeable penetration team says something like "phew i thought these stupid punks get us caught".

Two ways to look at this...

[CajunArson]

The first way: Haha, these skiddies didn't have what it takes to effectively hide their cracking.

The second way: Skiddies were able to crack kernel.org using automated cracking tools just Windows, no evil genius required.

hey there's this OS its supposed to be more secure

[lkcl]

they should run linux on their servers, it's more secure! oh wait... whoops. ho hum, i suppose it's no good saying that they should run a FreeBSD Bastion Server, is it?

popularity

[sourcerror]

Now Linux is popular enough to have rootkits. This must be the year of Linux on the desktop.

Re:

[dririan]

If you have weak passwords, no OS is going to help you. The only thing that helps you there is something like DenyHosts or fail2ban. Not even OpenBSD prevents stupid.

Re:

[rubycodez]

but how about that "privilege escalation' business that Linux couldn't prevent?

They should have been running Windows Server!

[blahbooboo]

This wouldn't have happened if they ran closed source Microsoft Windows Server :)

It's a joke guys kidding :P

Re:

[Beelzebud]

Somebody mod this guy Heretic!

But did they find..

[Fuzzums]

So they found the SSH Frontdoors, but did the admins find the rest?

Re:

[Anonymous Coward]

Weather or not they found them they are gone. Nuke & reinstall. Nobody running those servers would do anything less, except perhaps restore from backup using trusted media, which is also good.

Kernel.org may not bother with clean wipe

[mindbuilder]

Disturbingly they seem to have considered not wiping and reinstalling.

System is being verified from backups, signatures, etc. As of right
now things look correct, however we MAY take the system down soon to do
a full reinstall and for more invasive checking.

(emphasis added) John 'Warthog9' Hawley
Chief Kernel.org Administrator http://pastebin.com/BKcmMd47 [pastebin.com]

It appears that the chief kernel.org system administrator is so naive about security that he doesn't even realize the absolute necessity of a full wipe and

Re:

[aegl]

Perhaps considered - but rejected. www.kernel.org now says:

"We have currently taken boxes off line to do a backup and are in the process of doing complete reinstalls."

old story.

[arunce]

Or so they think.

Or maybe...

[mmcuh]

...they were just script kiddies who knew one single method, and thought it would be cool to try it on kernel.org.

Which is exactly what I would say...

[rocket rancher]

...if I was in charge of damage control at kernel.org. Just sayin'.

Main website tarball

[David89]

I still haven't managed to figure out if the tarball you download from the main page has been compromised.. Yes GIT saved everybody and all, but they seem to not want to say anything about the front page tarball, makes me curious

Re:

[John Hasler]

I still haven't managed to figure out if the tarball you download from the main page has been compromised.

It's been replaced, of course.

You can't conclude that from the data ..

[AftanGustur]

Usually advanced attacks are done by multiple teams. I.e. the Analysis, Compromise and exploit parts might all by done by different teams, and there may even be multiple teams for each task.

So when you find a backdoored SSH and a Linux rootkit on your server you might only be seeing the tools from one team who got lucky.

Detection??

[Anonymous Coward]

With Chkrootkit having seen its last update sometime 2009 and RK Hunter also being on the backburner, how does one even check these days for rootkits and other nasties like it? Suggestions?

A real risk here.

[John Hasler]

The major distributions are safe but some doofus at somewhere like Cisco or Belkin (or more likely their Chinese contractor) may have obliviously downloaded a compromised tarball and shipped it on a million routers.

Re:Wishful thinking?

[MimeticLie]

Did you bother to read either of the two [linux-foundation.org] links [blogspot.com] in the summary about that very topic?

Basically, the nature of Git makes it very unlikely that someone could insert malicious code into the kernel via kernel.org without someone noticing.

Re:

[Superken7]

While the distributed nature of git sure makes it difficult for the kernel source to be compromised, I think that's a bit optimistic (I confess I only read one of those two links, though).

It looks like they argue that since every commit is hashed and everyone has got a full copy, it would be really difficult for someone to alter any single byte without raising suspicion. However, it should be noted that one or several developer accounts got compromised (which later resulted in privilege escalation to root).

Re:

[MimeticLie]

(I confess I only read one of those two links, though)

Did you read the second one? Because it deals with the specific situation you mention, with a hypothetical about Linus' account getting compromised. I'm not an expert on Git, but according to the article, the developer in question would be informed by Git that a commit had been made that didn't match their personal repository the next time they tried to submit their changes.

Re:

[Superken7]

The second link deals with kernel.org being compromised, I am talking more about a legit commit making its way to the kernel tree. i.e. What happens if Linus Torvalds get compromised and someone uses *his* repository to add malicious stuff, which will eventually get pushed upstream?

That is, what's preventing a legitimate and trusted developer from introducing malicious code? That could happen as soon as a developer is compromised, which if I'm not mistaken is exactly what happened and how kernel.org got com

Re:

[F.Ultra]

Well if you manage to trojan Linus's machines and inject code into his local machine then of course there is no direct protection against that, and how could there be? However since there are many people who's only hobby/job is to track the changes to the kernel source and some of them would probably raise a question why Linus was committing that code to that part of the kernel (since everything that is commited is also discussed on lkml before). Also note that devs with direct commit access to the main ker

Re:

[Runaway1956]

So - Billy Random Hacker aka Snotnose Scriptkiddie just happens to have authorization via git to change the source code? Then - why didn't he come in through the front door, and change the source code? It makes no sense, I tell you! It's like, I have a safe deposit box at my local bank, and I want to change the contents of that box, so I break in at night to do so. When, all along, all I needed to do, was to walk in during business hours, and inform any bank officer that I need access to my box.

What am

Re:

[HJED]

Git records when changes are made (it has to to work and by whom it would be very easy to detect and edit if they changed it through the metaphorical front door and could be changed back. What is being suggested is that someone hid the changes (which would require manual access to the git files).

My understanding is this would not be too hard, but apparently it is?

Re:

[jpate]

What is being suggested is that someone hid the changes (which would require manual access to the git files). My understanding is this would not be too hard, but apparently it is?

What do you mean by "git files"? If you mean the files tracked by git, then yes, it is very hard. The two links provided in the summary explain how git uses cryptographic hashes to verify the current files and history. Alternatively, you might mean the git program itself. The attackers could conceivably have swapped in a modified git binary to ignore hash mismatches. But this would be discovered when anybody on a non-compromised machine ran git fsck, or recompiled git (using a compiler from a non-compromise

Re:

[Riceballsan]

Well you could start by thousands of tin foil hats who are most likely looking at and scrutinizing every line of the code. Though wouldn't it be safe to assume there are backup copies off of the server? Isn't it possible they just either did an md5sum comparison or loaded the backups over the online versions to be safe.

Re:

[Superken7]

Another way to look at it: the fact that the administrators found out and admitted getting hacked says a lot about the ability of the administrators.

I would rather trust these guys than someone who claims to have never been hacked ever.
Its not like they get hacked all that often, which sure would make them look bad.

Re:

[baegucb]

They need to get their MCSE certification updated ;)

Re:

[Larryish]

If a Windows server is hacked, hackers had luck.

They were lucky it wasn't Linux.

Re:

[rubycodez]

oh boy, then we can have millions of DVD with compromised code on them that everyone thinks is the golden standard. you are a genius.