Kernel.org Attackers Didn't Know What They Had
Trailrunner7 writes "The attack that compromised some high-value servers belonging to kernel.org — but not the Linux kernel source code — may have been the work of hackers who simply got lucky and didn't realize the value of the servers that they had gotten their hands on. The attackers made a couple of mistakes that enabled the administrators at kernel.org to discover the breach and stop it before any major damage occurred. First, they used a known Linux rootkit called Phalanx that the admins were able to detect. And second, the attackers set up SSH backdoors on the compromised servers, which the admins also discovered. Had the hackers been specifically targeting the kernel.org servers, the attack probably would've looked quite different."
A few blog posts in the wake of the attack have agreed with the initial announcement; while it was embarrassing, the integrity of the kernel source is not in question.
They didn't want to harm the kernel.
Read radical news here
...and didn't realize the value of the servers that they had gotten their hands on...
....I don't see any mention of what the phrase refers to. Is this dramatization or intentionally excluded information?
Curious.
not know what they had cracked and how useful it was?
"I don't know, therefore Aliens" Wafflebox1
My philosophy has always been: once a machine has been compromised, all bets are off. Let's say you're paranoid enough: couldn't you just as easily argue that the "mistakes" that have been detected are simply misdirection, drawing attention away from the real hack (eg. backdoor inserted in the kernel)? How sure can you really be that the kernel source integrity is intact?
They must have gotten their hands on the kernel source code, I found it posted online!
but how do we know someone more sophisticated didn't already break in and mess with the code undetected?
So with some "random" automated exploit/credentials some random "script kid" owned kernel.org?
C'mon Oberheide, they probably used one of your exploits on top of that?
Busticati .....really.....
if someone wanted to, and were able to, compromise the kernel.org servers.. and they were 'good' do you not think they would be able to make people think it was just script kids? and that they didn't know what they had? it sounds unreasonable to me. you would *think* kernel.org servers would be somewhat secure. you would *hope* they are somewhat secure. is it possible they wanted their crap rootkit to be found to disguise what really occurred? it all sounds pretty shady to me. but what do i know.
Not the attackers, the people who believe someone hacks a server like that and doesn't know what it is. To me this story means that the people who are responsible for the security of the Linux kernel are easily distracted by planted evidence, which prevents a thorough investigation. If they keep using that machine, the integrity of the Linux kernel is going to be questionable.
Why would the attacks have to look different? Because if somebody wanted to mess with the source, they'd be more sophisticated and use more sophisticated exploits? Like Kaspersky pointed out, if they wanted to mess with the source code, a lot of what they did would have been unnecessary, but whatever initial exploit they used would have still worked! I think the real point is here 'they got in'. Better attackers just mean they wouldn't have discovered the break-in as quickly, and actual damage might have been done. Whether or not the attackers knew what they had is immaterial: the real message here is kernel.org needs to wake up and get serious about security, if any random script kiddie can root them.
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
Does this mean kernel.org is not patched on time or there are simply too many vulnerabilities in Linux to keep up? How did the attackers get in? Brute force? Exploiting some known/unknown vulnerability or reused ssh keys? Social engineering?
I think the truth is that the failures are trying to save their asses and make themselves heroes here.
Given that the attackers hacked the server a minimum of 17 days before it was detected, I'm not sure I'm going to buy into a story that makes the attackers sound clueless and the server admins smart and on the ball.
#DeleteChrome
It wasn't until they got into the machines that they realized the Kernel wasn't written in Javascript. "Dammit!"
The thought of hanging myself at my student loan organization doesn't bug me as much when I think it might make a differ
How they got root access after logging in. Was it something simple like a sudo? Was it a known, unpatched kernel vulnerability? Or, was it some new vulnerability current kernels are susceptible to? Last I read, they logged in under a user account, then they got root access.
I was concerned about the fact that a high profile like kernel.org site was rooted, but knowing it didn't take a sophisticated and highly knowledgeable penetration team but just a group of bumbling script kiddies makes it all better.
If they were looking for something to steal, it would be easier to wait until the next release.
The first way: Haha, these skiddies didn't have what it takes to effectively hide their cracking.
The second way: Skiddies were able to crack kernel.org using automated cracking tools, just like Windows, no evil genius required.
AntiFA: An abbreviation for Anti First Amendment.
maybe they didn't, but maybe they did !! All Your Bases Are Belong To Us !!
they should run linux on their servers, it's more secure! oh wait... whoops. ho hum, i suppose it's no good saying that they should run a FreeBSD Bastion Server, is it?
Another way to look at it: the fact that the administrators found out and admitted getting hacked says a lot about the ability of the administrators.
I would rather trust these guys than someone who claims to have never been hacked ever.
It's not like they get hacked all that often, which sure would make them look bad.
This wouldn't have happened if they ran closed source Microsoft Windows Server :)
It's a joke guys, kidding :P
Question, how would OpenBSD prevent them from getting into the server with compromised username and password? Or from running arbitrary code once they do so?
So they found the SSH Frontdoors, but did the admins find the rest?
Privacy is terrorism.
Certainly I agree. Although any modern IDS like Samhain or tripwire would have picked up this attack within one day of occurring and even told you which files were changed. In conjunction with something like Splunk, that would have provided very robust security auditing tools. In consideration of all these tools that are available, I cannot help but think that this compromise should never have happened, or at least should not have taken 17 days to recognize. Even tools like selinux or apparmor can be very effective at thwarting these attacks. Or how about rate limiting ssh to block brute force ssh attacks...as this was most likely the egress point for this particular compromise.
I hope these system administrators are reading this because they really need to get a clue.....and to intentionally add insult to injury, evaluate their security best practices.
Now Linux is popular enough to have rootkits. This must be the year of Linux on the desktop.
Any details on the hack? What port did they use, for example? What service was compromised first?
And most importantly, they didn't find out the Kernel's secret 11 herbs and spices.
Or so they think.
If you have weak passwords, no OS is going to help you. The only thing that helps you there is something like DenyHosts or fail2ban. Not even OpenBSD prevents stupid.
after decades of bashing microsoft security, this story only exists to save face
so the live servers didn't have something running that checked the hash of the sources every, lets say, a day? why the hell not?
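The file-integrity checking that the Samhain/tripwire comment and the "check the hash of the sources every day" comment above are asking for boils down to a baseline of digests plus a periodic comparison. The block below is an added example written for this thread; it is not code from Samhain, tripwire or kernel.org. It builds a baseline of SHA-256 digests and file modes for a directory tree, then reports files that were added, removed or modified. The sample tree, file names and the "trojaned" contents are all constructed inside a temporary directory.

```python
"""Minimal tripwire-style file integrity check (added example, not any IDS
project's code). snapshot() records a SHA-256 digest and permission bits for
every regular file under a root; compare() diffs two snapshots. demo() builds a
constructed fake system tree, baselines it, simulates a tampered binary, a new
SSH key file and a permission change, and returns the resulting report."""
import hashlib
import os
import stat
import tempfile


def write(path, data, mode=0o644):
    """Create a sample file with a fixed mode so the demo does not depend on umask."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def snapshot(root):
    """Return {relative_path: (sha256_hex, mode_bits)} for regular files under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped in this toy version
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            baseline[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return baseline


def compare(baseline, current):
    """Diff two snapshots; a mode change counts as a modification, like a hash change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario, all paths and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc", "ssh"))
        write(os.path.join(root, "bin", "ls"), b"original ls binary")
        write(os.path.join(root, "etc", "ssh", "sshd_config"), b"PermitRootLogin no\n")
        write(os.path.join(root, "etc", "passwd"), b"root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)  # in practice: store this off-host or on read-only media

        # Simulated tampering: replaced binary, dropped key file, loosened permissions.
        write(os.path.join(root, "bin", "ls"), b"trojaned ls binary")
        write(os.path.join(root, "etc", "ssh", "authorized_keys"), b"ssh-rsa AAAA... planted\n")
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats a practitioner would add: the baseline has to live somewhere the intruder cannot rewrite (off-host, or the read-only boot media another comment in this thread suggests), and a kernel-level rootkit can lie to a checker running on the live system, so the comparison is only trustworthy when run from a clean boot.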
Yes, well everyone knows those kernel.org sysops are a bunch of pushover newbies. I'm sure you can do way better with the scope and size of the systems they deal with.
I'd recommend Windows instead of OpenBSD. Sure Windows has had its problems in the past but now with Windows 7 and Norton it's practically impossible to hack my systems. Even the Lunix box I run feels safer when the Windows computer is on the network. I imagine it's the firewall in Windows 7 reaching out in to the network to protect all the computers in my office.
I've been supporting Lunix and Windows at the enterprise level for many years now. I think it's finally time to move away from Lunix. Linus really needs to ask himself where he wants this to go? The kernal is hacked up, probably with viruses hidden in there (we can't be sure). Sorry, I have to say bye bye to Lunix.
...they were just script kiddies who knew one single method, and thought it would be cool to try it on kernel.org.
We need the copies of the source code to be on multiple/hundreds Write Once DVD media. Fact is even if you have a billion computers if they are all vulnerable to the same exploit or _an_ exploit .. it can be compromised in an automated fashion. The source needs to be periodically placed on DVDs.
...if I was in charge of damage control at kernel.org. Just sayin'.
Don't move to OpenBSD, improve Linux security instead.
You should read this article:
http://www.h-online.com/open/news/item/Kernel-org-gets-major-system-upgrades-1142346.html
If that description from late 2010 (less than a year ago!) is still accurate, there is almost no infrastructure at all. In case you refuse to read it for yourself, let me quote to you from it:
In total the kernel.org infrastructure uses 12 servers worldwide.
Unless you're a high school kid who has only ever managed a VPS instance running Linux for some shitty Ruby on Rails site, a mere 12 servers should seem like absolutely nothing to you. Most professional sysadmins will manage hundreds to even thousands of times that number of servers.
If a Windows server is hacked, hackers had luck.
They were lucky it wasn't Linux.
Is this a joke or are you completely clueless?
He's being funny, in case you can't tell.
Disturbingly they seem to have considered not wiping and reinstalling.
It appears that the chief kernel.org system administrator is so naive about security that he doesn't even realize the absolute necessity of a full wipe and reinstall after compromise of such an important site. It also appears that there was no routine booting from read only media to check system files and startup scripts for changes. And no daily rootkit scan. If it was me, I would trash the motherboard for fear of BIOS or other firmware contamination. Exploits living on the firmware of network cards and other places have been demonstrated.
It wasn't brute-forced. A user with commit privs had his work laptop trojanned. Yes, I actually was reading kernel.org's emails when it happened, and all these other articles.
C|N>K
They need to get their MCSE certification updated ;)
I still haven't managed to figure out if the tarball you download from the main page has been compromised. Yes, GIT saved everybody and all, but they seem to not want to say anything about the front page tarball, makes me curious.
Track IP - Remotely track the IP address of a machine via email or MySQL.
I'm curious, once inside an OpenBSD server as normal user, what rootkit would they use instead of Phalanx to elevate privileges? The OpenBSD team has expended a lot of effort to combat such a thing.
This is why I never comment until the mods have had a chance to let me know whether I should be laughing.
but how about that "privilege escalation" business that Linux couldn't prevent?
oh boy, then we can have millions of DVD with compromised code on them that everyone thinks is the golden standard. you are a genius.
That's the interesting one, hopefully we will get full details about that one soon.
So when you find a backdoored SSH and a Linux rootkit on your server you might only be seeing the tools from one team who got lucky.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
It is bad, but there is a mitigation. It requires two steps instead of just one to get root access. Given the fact that you usually try to layer your security and have logging/accounting and tripwire type of alarms set up, you have a bigger chance of catching intruders before they get access to anything really dangerous.
If you admin thousands of systems, used by many more users, you will get compromised accounts on a fairly regular basis. Those accounts in general will be used to try and get root access. By setting up logging, accounting and various other tools, you tend to get a lot of the compromised accounts to trigger an alarm before they get root, or run their code as user. With remote root vulnerabilities, you get none.
Any privilege escalation is something to be serious about, but crying wolf that local exploits are just as bad as remote will make fewer people take you seriously.
I was promised a flying car. Where is my flying car?
If you are posting the seminal Trusting Trust, you should also post Countering Trusting Trust to balance it. It is possible to escape the trojaned compiler problem through the use of double diverse compilation.
http://www.edithex.com/
The cloud is really good for some things...
Another thread about the $200 PC complained about an optical drive. At least if I have a DVD of a known, good kernel I can work from there.
With Chkrootkit having seen its last update sometime in 2009 and RK Hunter also being on the backburner, how does one even check these days for rootkits and other nasties like it? Suggestions?
Still could be some dumbass with sudo, either set to use the same (weak) password, or they were logging in directly as root (which I sure hope not, but see above about fixing stupid).
The major distributions are safe but some doofus at somewhere like Cisco or Belkin (or more likely their Chinese contractor) may have obliviously downloaded a compromised tarball and shipped it on a million routers.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Let this be a lesson that there is no such thing as a "safe" operating system. I find it rather amusing that they're downplaying this breach instead of really questioning how one would unknowingly hack kernel.org, which should have been sufficiently protected given the material it hosts.
My desktop linux installation probably has more than 12 servers and a number of daemons too!
Look at the page source of the "We are returning soon" page.
They just must be kidding.
The page consists of one single line with a big text.
They used an:
- windows-only
- freeware
- outdated
- WYSIWYG in a very loose meaning
"editor"
which produced an
- HTML 3.2 sourcecode
with
- FONT tags
What the ....?
Thanks for correcting me!
'the firewall in Windows 7 reaching out in to the network' part was hilarious.
it's a joke, i can tell by the pixels, as i have seen a few jokes in my day
that and they knew who linus was, but spelled linux, "lunix" 4 times
warning pointless sig
I don't think they stole anything, git wouldn't let them.
The Linux secrets are safe.
Kernel.org says they encrypt the modifications well, and that any changes to source code that would have been made (old or new) will not go unnoticed. I don't know how true it is, but I'm willing to bet it's highly unlikely this group would have done anything, probably just looking for bragging rights like the guy who hacked Sarah Palin's email. He just used known info about her to reset her password and he got jail time for it. I think it's safe to say that if anything serious had happened, they would have been smart enough to remove the rootkit after setting up the SSH backdoors, allowing them to go unnoticed. They probably didn't know what to do with the site after they hacked into it and were caught before they could come up with something "script kiddie" to do.
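What the post above calls "encrypting the modifications" is git's content addressing, and it is worth seeing why a silent source change cannot hide in a git history. The block below is an added example for this thread, not git's code and not anything from kernel.org: it recomputes git's object ids by hand. A blob id is SHA-1 over the header "blob <size>\0" plus the content, a tree id covers every entry's mode, name and blob id, and a commit id covers the tree id and the parent commit id, so one changed byte in one file changes every id above it in the history. The file contents, author and timestamps are constructed; the two known reference values checked at the bottom (the id of "hello\n" and of the empty tree) are git's real ones.

```python
"""Added example: git-style content addressing computed by hand (not git's
own code). Shows that a one-byte change in a historical file changes the blob,
tree, commit and every descendant commit id, which is what makes silent
tampering with a git repository detectable by anyone holding a known-good id."""
import hashlib


def git_object_id(kind, payload):
    """SHA-1 over the git object header plus payload, as `git hash-object -t <kind>` computes it."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content):
    return git_object_id("blob", content)


def tree_id(entries):
    """entries: {filename: content_bytes} for a flat directory of regular files.
    Git sorts entries by name and encodes each as 'mode name\\0' + raw 20-byte id."""
    body = b""
    for name in sorted(entries):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(entries[name]))
    return git_object_id("tree", body)


def commit_id(tree, parent, author, message, timestamp="1314700000 +0000"):
    """Commit object: tree, optional parent, author/committer lines, blank line, message."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines.append(f"author {author} {timestamp}")
    lines.append(f"committer {author} {timestamp}")
    payload = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_id("commit", payload)


def demo():
    """Constructed two-commit history, and the same history with one byte of
    main.c changed in the first commit. Everything here is made up for the example."""
    author = "Jane Doe <jane@example.org>"
    clean = {"Makefile": b"VERSION = 3\n", "main.c": b"int main(void) { return 0; }\n"}
    tampered = dict(clean, **{"main.c": b"int main(void) { return 1; }\n"})

    c1_clean = commit_id(tree_id(clean), None, author, "Initial import")
    c1_tampered = commit_id(tree_id(tampered), None, author, "Initial import")

    # A later commit whose tree is identical in both histories still gets a
    # different id, because the commit object embeds its parent's id.
    later_tree = tree_id(dict(clean, **{"Makefile": b"VERSION = 4\n"}))
    c2_clean = commit_id(later_tree, c1_clean, author, "Bump version")
    c2_tampered = commit_id(later_tree, c1_tampered, author, "Bump version")

    return {
        "blob_clean": blob_id(clean["main.c"]),
        "blob_tampered": blob_id(tampered["main.c"]),
        "tree_clean": tree_id(clean),
        "tree_tampered": tree_id(tampered),
        "commit1_clean": c1_clean,
        "commit1_tampered": c1_tampered,
        "commit2_clean": c2_clean,
        "commit2_tampered": c2_tampered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The practical consequence for this incident is the one the thread keeps circling: every developer and mirror that already holds the tip commit id of a tree can re-verify the whole history against it, so the repository is checkable after the fact, while a plain tarball on the front page is only as trustworthy as a separately published signature or digest for it.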
So, why didn't the system:
1. Wait one second between login attempts? It would have stretched out the 32k tries significantly.
2. Rooting should at least send an SMS message back to the owner for an authorization code, or request a key off a one-time pad. See what gmail does.
3. Why weren't the login attempts logged and flagged and reported?
4. Scan itself and flag significant or specific changes?
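The DenyHosts/fail2ban comment earlier and the "why weren't the login attempts logged and flagged" questions just above both describe the same detection: count failed logins per source over a time window and raise an alarm past a threshold, and pay particular attention to a success that follows a burst of failures. The block below is an added example written for this thread, not fail2ban, DenyHosts or kernel.org code. It parses OpenSSH-style auth log lines (constructed here; the hostname, addresses and user names are made up) with a sliding window per source address. The threshold and window are assumptions chosen for the example.

```python
"""Added example: brute-force login detection over sshd-style auth log lines
(not fail2ban's or DenyHosts' code). detect() keeps a per-source sliding window
of failed logins, flags a source once it crosses a threshold inside the window,
and separately flags an accepted login from a source that was failing just
before. SAMPLE_LOG is constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Aug 12 03:14:01 buildbox sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Aug 12 03:14:03 buildbox sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 40124 ssh2
Aug 12 03:14:04 buildbox sshd[2205]: Failed password for root from 198.51.100.7 port 40126 ssh2
Aug 12 03:14:06 buildbox sshd[2207]: Failed password for root from 198.51.100.7 port 40128 ssh2
Aug 12 03:14:08 buildbox sshd[2209]: Failed password for jdoe from 198.51.100.7 port 40130 ssh2
Aug 12 03:14:11 buildbox sshd[2211]: Accepted password for jdoe from 198.51.100.7 port 40132 ssh2
Aug 12 03:20:15 buildbox sshd[2290]: Failed password for jsmith from 203.0.113.5 port 51000 ssh2
Aug 12 03:20:22 buildbox sshd[2292]: Accepted publickey for jsmith from 203.0.113.5 port 51002 ssh2
Aug 12 03:20:30 buildbox sshd[2293]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted (?:password|publickey)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2011):
    """Return {ts, ok, user, src} for a login result line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumed 2011 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m.group("ts"))  # syslog pads single-digit days
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "ok": m.group("result").startswith("Accepted"),
            "user": m.group("user"), "src": m.group("src")}


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failure counting per source; returns alerts in log order."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "brute_force", "source": ev["src"],
                               "at": ev["ts"].isoformat(), "failures": len(recent)})
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the event worth paging on.
            alerts.append({"kind": "success_after_failures", "source": ev["src"],
                           "user": ev["user"], "at": ev["ts"].isoformat(),
                           "prior_failures": len(recent)})
    return alerts


def analyze_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

Note what this does and does not catch: a source that keeps guessing is flagged at its fifth failure and can be blocked at that point, while one mistyped password followed by a key-based login produces nothing. A login made with a credential stolen from a developer's machine, which is what another comment in this thread says actually happened, generates no failures at all, so this kind of counter has to sit alongside accounting and file-integrity alarms rather than replace them.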