Kernel.org Attackers Didn't Know What They Had
Trailrunner7 writes "The attack that compromised some high-value servers belonging to kernel.org — but not the Linux kernel source code — may have been the work of hackers who simply got lucky and didn't realize the value of the servers that they had gotten their hands on. The attackers made a couple of mistakes that enabled the administrators at kernel.org to discover the breach and stop it before any major damage occurred. First, they used a known Linux rootkit called Phalanx that the admins were able to detect. And second, the attackers set up SSH backdoors on the compromised servers, which the admins also discovered. Had the hackers been specifically targeting the kernel.org servers, the attack probably would've looked quite different."
A few blog posts in the wake of the attack have agreed with the initial announcement; while it was embarrassing, the integrity of the kernel source is not in question.
Romanians
I'm sure they tried to connect to Undernet through the kernel.org servers
They didn't want to harm the kernel.
Read radical news here
...and didn't realize the value of the servers that they had gotten their hands on...
....I don't see any mention of what the phrase refers to. Is this dramatization or intentionally excluded information?
Curious.
not know what they had cracked and how useful it was?
"I don't know, therefore Aliens" Wafflebox1
My philosophy has always been: once a machine has been compromised, all bets are off. Let's say you're paranoid enough: couldn't you just as easily argue that the "mistakes" that have been detected are simply misdirection, drawing attention away from the real hack (eg. backdoor inserted in the kernel)? How sure can you really be that the kernel source integrity is intact?
They must have gotten their hands on the kernel source code, I found it posted online!
but how do we know someone more sophisticated didn't already break in and mess with the code undetected?
So with some "random" automated exploit/credentials some random "script kid" owned kernel.org?
C'mon Oberheide, they probably used one of your exploits on top of that?
Busticati .....really.....
if someone wanted to, and were able to, compromise the kernel.org servers.. and they were 'good' do you not think they would be able to make people think it was just script kids? and that they didn't know what they had? it sounds unreasonable to me. you would *think* kernel.org servers would be somewhat secure. you would *hope* they are somewhat secure. is it possible they wanted their crap rootkit to be found to disguise what really occurred? it all sounds pretty shady to me. but what do i know.
Not the attackers, the people who believe someone hacks a server like that and doesn't know what it is. To me this story means that the people who are responsible for the security of the Linux kernel are easily distracted by planted evidence, which prevents a thorough investigation. If they keep using that machine, the integrity of the Linux kernel is going to be questionable.
Why would the attacks have to look different? Because if somebody wanted to mess with the source, they'd be more sophisticated and use more sophisticated exploits? Like Kaspersky pointed out, if they wanted to mess with the source code, a lot of what they did would have been unnecessary, but whatever initial exploit they used would have still worked! I think the real point is here 'they got in'. Better attackers just mean they wouldn't have discovered the break-in as quickly, and actual damage might have been done. Whether or not the attackers knew what they had is immaterial: the real message here is kernel.org needs to wake up and get serious about security, if any random script kiddie can root them.
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
Does this mean kernel.org is not patched on time or there are simply too many vulnerabilities in Linux to keep up? How did the attackers get in? Brute force? Exploiting some known/unknown vulnerability or reused SSH keys? Social engineering?
If a Windows server is hacked, Windows sucks. If a Linux server is hacked, hackers had luck.
I think the truth is that failures are trying to save their asses and trying to make themselves heroes here.
Given their relative importance, the publicly-facing kernel.org servers should now be moved to OpenBSD. Although it may not be perfectly secure (no system ever is), it is by far the most secure open source operating system that exists today. It's one of the few open source software projects with a serious emphasis on doing things properly, and a major part of that philosophy revolves around proper code audits and security practices.
By moving the kernel.org servers to OpenBSD, the Linux community leadership would show that they take this matter very seriously. They would show a level of responsibility that we often don't see after incidents like this. Admitting to the attack in the first place is a good first step, but preventing future incidents is important, too. The use of OpenBSD would be a logical, if not necessary, next step in this direction.
Given that the attackers hacked the server a minimum of 17 days before it was detected, I'm not sure I'm going to buy into a story that makes the attackers sound clueless and the server admins smart and on the ball.
#DeleteChrome
It wasn't until they got into the machines that they realized the Kernel wasn't written in Javascript. "Dammit!"
The thought of hanging myself at my student loan organization doesn't bug me as much when I think it might make a differ
How they got root access after logging in. Was it something simple like a sudo? Was it a known, unpatched kernel vulnerability? Or, was it some new vulnerability current kernels are susceptible to? Last I read, they logged in under a user account, then they got root access.
I was concerned about the fact that a high profile like kernel.org site was rooted, but knowing it didn't take a sophisticated and highly knowledgeable penetration team but just a group of bumbling script kiddies makes it all better.
If they were looking for something to steal, it would be easier to wait until the next release.
The fact that the servers were compromised in the first place brings into question the ability of the administrators to lock down a system.
The first way: Haha, these skiddies didn't have what it takes to effectively hide their cracking.
The second way: Skiddies were able to crack kernel.org using automated cracking tools, just like Windows, no evil genius required.
AntiFA: An abbreviation for Anti First Amendment.
maybe they didn't, but maybe they did !! All Your Bases Are Belong To Us !!
they should run linux on their servers, it's more secure! oh wait... whoops. ho hum, i suppose it's no good saying that they should run a FreeBSD Bastion Server, is it?
This wouldn't have happened if they ran closed source Microsoft Windows Server :)
It's a joke guys kidding :P
Question, how would OpenBSD prevent them from getting into the server with compromised username and password? Or from running arbitrary code once they do so?
So they found the SSH Frontdoors, but did the admins find the rest?
Privacy is terrorism.
Now Linux is popular enough to have rootkits. This must be the year of Linux on the desktop.
Any details on the hack? What port did they use, for example? What service was compromised first?
And most importantly, they didn't find out the Kernel's secret 11 herbs and spices.
Or so they think.
If you have weak passwords, no OS is going to help you. The only thing that helps you there is something like DenyHosts or fail2ban. Not even OpenBSD prevents stupid.
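A minimal version of the auth-log check that fail2ban or DenyHosts automate, as an added example written for this thread (not code from kernel.org, fail2ban or any poster): it counts failed SSH passwords per source, and also flags a login that succeeds only after a run of failures from the same source, which is the case a plain ban threshold does not catch. The log lines below are constructed.

```python
"""Toy fail2ban-style detector over sshd log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample auth-log excerpt; hostnames and addresses are made up.
SAMPLE_LOG = """\
Aug 28 02:11:03 hera sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 28 02:11:05 hera sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 28 02:11:08 hera sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
Aug 28 02:11:11 hera sshd[4124]: Failed password for alice from 203.0.113.7 port 51041 ssh2
Aug 28 02:11:14 hera sshd[4126]: Accepted password for alice from 203.0.113.7 port 51044 ssh2
Aug 28 02:20:41 hera sshd[4130]: Accepted publickey for bob from 198.51.100.5 port 40110 ssh2
Aug 28 02:21:02 hera sshd[4133]: Failed password for carol from 198.51.100.9 port 40200 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyze(log_text, maxretry=3):
    """Return (banned_ips, suspicious_logins).

    banned_ips: sources with at least `maxretry` failed passwords, i.e. what a
    fail2ban jail would block.
    suspicious_logins: (user, ip, method) for every successful login from a
    source that had already failed at least once, which is worth an alert
    even when the source never reached the ban threshold."""
    failures = defaultdict(int)
    banned = set()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] >= maxretry:
                banned.add(ip)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] > 0:
                suspicious.append((user, ip, method))
    return banned, suspicious
```

In the constructed log the brute-forcing source is banned after three failures, and alice's password login from that same source is reported even though it looks like a normal "Accepted" line on its own.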
Even the most inexperienced OpenBSD admins would know better than to use password-based authentication, and would instead choose one of the other, more secure, approaches. They'd also know how to set up their system such that a compromised user account could not cause widespread damage to the entire system. Furthermore, they'd know how to prevent privilege escalation. They'd also have much better intrusion prevention and detection measures in place.
I hate to admit it, but many of these basic concepts are far beyond even the best Linux admins.
after decades of bashing microsoft security, this story only exists to save face
so the live servers didn't have something running that checked the hash of the sources every, lets say, a day? why the hell not?
Yes, well everyone knows those kernel.org sysops are a bunch of pushover newbies. I'm sure you can do way better with the scope and size of the systems they deal with.
I'd recommend Windows instead of OpenBSD. Sure Windows has had its problems in the past but now with Windows 7 and Norton it's practically impossible to hack my systems. Even the Lunix box I run feels safer when the Windows computer is on the network. I imagine it's the firewall in Windows 7 reaching out in to the network to protect all the computers in my office.
I've been supporting Lunix and Windows at the enterprise level for many years now. I think it's finally time to move away from Lunix. Linus really needs to ask himself where he wants this to go? The kernal is hacked up, probably with viruses hidden in there (we can't be sure). Sorry, I have to say bye bye to Lunix.
...they were just script kiddies who knew one single method, and thought it would be cool to try it on kernel.org.
We need the copies of the source code to be on multiple/hundreds of write-once DVD media. Fact is, even if you have a billion computers, if they are all vulnerable to the same exploit or _an_ exploit... it can be compromised in an automated fashion. The source needs to be periodically placed on DVDs.
...if I was in charge of damage control at kernel.org. Just sayin'.
Don't move to OpenBSD, improve Linux security instead.
You should read this article:
http://www.h-online.com/open/news/item/Kernel-org-gets-major-system-upgrades-1142346.html
If that description from late 2010 (less than a year ago!) is still accurate, there is almost no infrastructure at all. In case you refuse to read it for yourself, let me quote to you from it:
In total the kernel.org infrastructure uses 12 servers worldwide.
Unless you're a high school kid who has only ever managed a VPS instance running Linux for some shitty Ruby on Rails site, a mere 12 servers should seem like absolutely nothing to you. Most professional sysadmins will manage hundreds to even thousands of times that number of servers.
Is this a joke or are you completely clueless?
He's being funny, in case you can't tell.
Disturbingly they seem to have considered not wiping and reinstalling.
It appears that the chief kernel.org system administrator is so naive about security that he doesn't even realize the absolute necessity of a full wipe and reinstall after compromise of such an important site. It also appears that there was no routine booting from read only media to check system files and startup scripts for changes. And no daily rootkit scan. If it was me, I would trash the motherboard for fear of BIOS or other firmware contamination. Exploits living on the firmware of network cards and other places have been demonstrated.
I still haven't managed to figure out if the tarball you download from the main page has been compromised. Yes, git saved everybody and all, but they seem to not want to say anything about the front page tarball, which makes me curious.
Track IP - Remotely track the IP address of a machine via email or MySQL.
I'm curious, once inside an OpenBSD server as a normal user, what rootkit would they use instead of Phalanx to elevate privileges? The OpenBSD team has expended a lot of effort to combat such a thing.
This is why I never comment until the mods have had a chance to let me know whether I should be laughing.
but how about that "privilege escalation' business that Linux couldn't prevent?
oh boy, then we can have millions of DVD with compromised code on them that everyone thinks is the golden standard. you are a genius.
... (1) Linux can be said to be easier to hack than it is to install;
(2) The above can be said by the least qualified Linux user and still be accurate;
(3) The above can be said by the least qualified computer user in general and still be accurate (unless it has somehow come to pass that "script kiddy" no longer refers to a talentless point and clicker).
Even an old-timey, blood and guts, clap you on the back and shove a cigar in your mouth, promise you the corner office in exchange for your soul, fuck your wife on Saturdays businessman will now look at Linux as a ridiculous option and no longer be a blatant asshat.
Yeah, they damn well should play it down. What else can they do, now?
Luckily not too many companies still make IT decisions based on the combined input of J.R. From "Dallas" and Boss Hogg of "Hazzard". Still, it's funny (as in the laughter of demons) to me that Linux got kicked in the nuts. Stop standing around spread-legged, fists on your hips, in crotchless pants saying your nuts can't be kicked!
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
That's the interesting one, hopefully we will get full details about that one soon.
So when you find a backdoored SSH and a Linux rootkit on your server you might only be seeing the tools from one team who got lucky.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
It is bad, but there is a mitigation. It requires two steps instead of just one to get root access. Given the fact that you usually try to layer your security and have logging/accounting and tripwire-type alarms set up, you have a bigger chance of catching intruders before they get access to anything really dangerous.
If you admin thousands of systems, used by many more users, you will get compromised accounts on a fairly regular basis. Those accounts in general will be used to try and get root access. By setting up logging, accounting and various other tools, you tend to get a lot of the compromised accounts to trigger an alarm before they get root, or run their code as user. With remote root vulnerabilities, you get none.
Any privilege escalation is something to be serious about, but crying wolf that local exploits are just as bad as remote will make fewer people take you seriously.
I was promised a flying car. Where is my flying car?
If you are posting the seminal Trusting Trust, you should also post Countering Trusting Trust to balance it. It is possible to escape the trojaned compiler problem through the use of double diverse compilation.
The source code for the Linux kernel was probably stolen. Expect it to appear on wikileaks soon!
http://www.edithex.com/
The cloud is really good for some things...
Another thread about the $200 PC complained about an optical drive. At least if I have a DVD of a known, good kernel I can work from there.
With chkrootkit having seen its last update sometime in 2009 and rkhunter also being on the back burner, how does one even check these days for rootkits and other nasties like it? Suggestions?
Still could be some dumbass with sudo, either set to use the same (weak) password, or they were logging in directly as root (which I sure hope not, but see above about fixing stupid).
The major distributions are safe but some doofus at somewhere like Cisco or Belkin (or more likely their Chinese contractor) may have obliviously downloaded a compromised tarball and shipped it on a million routers.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Let this be a lesson that there is no such thing as a "safe" operating system. I find it rather amusing that they're downplaying this breach instead of really questioning how one would unknowingly hack kernel.org, which should have been sufficiently protected given the material it hosts.
My desktop linux installation probably has more than 12 servers and a number of daemons too!
Look at the page source of the "We are returning soon" page.
They just must be kidding.
The page consists of one single line with a big text.
They used an:
- windows-only
- freeware
- outdated
- WYSIWYG in a very loose meaning
"editor"
which produced an
- HTML 3.2 sourcecode
with
- FONT tags
What the ....?
Thanks for correcting me!
'the firewall in Windows 7 reaching out in to the network' part was hilarious.
it's a joke, I can tell by the pixels, as I have seen a few jokes in my day
that, and they knew who Linus was, but spelled Linux "Lunix" 4 times
warning pointless sig
Kernel.org says they encrypt the modifications well, and that any changes to source code that would have been made (old or new) will not go unnoticed. I don't know how true it is, but I'm willing to bet it's highly unlikely this group would have done anything, probably just looking for bragging rights like the guy who hacked Sarah Palin's email. He just used known info about her to reset her password and he got jail time for it. I think it's safe to say that if anything serious had happened, they would have been smart enough to remove the rootkit after setting up the SSH backdoors, allowing them to go unnoticed. They probably didn't know what to do with the site after they hacked into it and were caught before they could come up with something "script kiddie" to do.
So, why didn't the system:
1. Wait one second between login attempts? It would have stretched out the 32k tries significantly.
2. Rooting should at least send an SMS message back to the owner for an authorization code, or request a key off a one-time pad. See what gmail does.
3. Why weren't the login attempts logged and flagged and reported?
4. Scan itself and flag significant or specific changes?
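The periodic self-check that item 4 above and the earlier "check the hash of the sources every day" comment ask for, as an added example written for this thread (not kernel.org's code and not tripwire, rkhunter or chkrootkit): hash every file under a tree into a baseline, then classify a later scan against it as added, removed or modified. The directory layout and the tampering are constructed; the baseline is assumed to be stored off the host, and the scan is only trustworthy when run from clean read-only media, because a kernel rootkit on the live system can lie to whatever reads the files.

```python
"""Baseline-and-compare file integrity check (added example)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large trees need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> [sha256, permission bits] for each regular file.
    Recording the mode means a setuid bit added to an otherwise unchanged
    binary is still reported as a modification."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # hash link targets, not the links
                continue
            mode = oct(os.stat(full).st_mode & 0o7777)
            manifest[os.path.relpath(full, root)] = [sha256_file(full), mode]
    return manifest


def compare(baseline, current):
    """Classify every difference between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tiny tree, then simulate a compromise
    that replaces a binary, drops a new startup file and deletes a log."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"original sshd binary")
        _write(root, "etc/rc.local", b"exit 0\n")
        _write(root, "var/log/auth.log", b"Accepted publickey for bob\n")
        # Round-trip through JSON, as a baseline kept off-host would be.
        baseline = json.loads(json.dumps(build_manifest(root)))
        _write(root, "bin/sshd", b"replaced sshd binary")
        _write(root, "etc/rc.d/startup-hook", b"#!/bin/sh\n")
        os.remove(os.path.join(root, "var/log/auth.log"))
        return compare(baseline, build_manifest(root))
```

Run `demo()` to see the three classes reported for the constructed tree; on a real host the same `build_manifest`/`compare` pair is pointed at the system directories and the source tree, with the baseline regenerated only after an audited change.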