Kernel.org, a site that distributes Linux kernel source, has suffered a security breach, according to a leaked email by Chief Administrator John Hawley. It is believed that the multiple infected servers were compromised as early as 12th Aug 2011, and the breaches were discovered on 28th Aug 2011.
Kernel.org released a statement confirming intruders had gained root access to at least one server. The intruders reportedly gained access to the server with compromised user credentials, but it is not known how they obtained root access from there.
Files belonging to SSH were modified and running live. A Trojan was also added to the start-up scripts and all user interactions were logged, possibly compromising usernames and passwords.
The infected servers have been taken offline and backed up pending further investigation and a full analysis of the code in Git. All servers will have full reinstalls and the respective authorities in Europe and the United States have been notified.
One major advantage in the case of Kernel.org vis-a-vis typical software repositories is that the Git version control system is used to manage the entire development lifecycle of kernel packages. Each version of every package has its own cryptographically secure SHA-1 hash calculated, which changes as the package does. This creates a development history for each package, making it impossible to introduce changes without them being noticed.
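The property described above can be shown with a small model of Git's object hashing. This is an added example, not code from kernel.org or the Git project; the file names, contents, commit messages and author identity are constructed, and the tree model is limited to a flat directory of regular files.

```python
import hashlib

IDENT = "Example Dev <dev@example.invalid> 1314489600 +0000"  # constructed identity

def git_object_id(kind, body):
    """SHA-1 over Git's object header ("<type> <size>\\0") plus the body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def tree_id(files):
    """Id of a flat tree of regular files; each entry embeds the file's blob id."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", body)

def commit_id(files, parent, message):
    """A commit hashes its tree id and its parent's id, chaining the history."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_ids(snapshots):
    """Commit ids for a linear history of (files, message) snapshots."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids

def first_divergence(trusted, served):
    """Index of the first commit whose id differs, or None if they match."""
    for i, (a, b) in enumerate(zip(trusted, served)):
        if a != b:
            return i
    return None if len(trusted) == len(served) else min(len(trusted), len(served))

# Constructed sample history, as held in a developer's own clone.
CLEAN = [
    ({"auth.c": b"int check(void) { return verify(); }\n"}, "add auth"),
    ({"auth.c": b"int check(void) { return verify(); }\n", "README": b"docs\n"}, "add docs"),
    ({"auth.c": b"int check(void) { return verify(); }\n", "README": b"docs v2\n"}, "update docs"),
]
# Same history as served after tampering: auth.c was altered in the second commit only.
TAMPERED = [CLEAN[0], ({"auth.c": b"int check(void) { return 1; }\n", "README": b"docs\n"}, "add docs"), CLEAN[2]]
if __name__ == "__main__":
    print("first differing commit:", first_divergence(history_ids(CLEAN), history_ids(TAMPERED)))
```

The third commit's files are identical in both histories, yet its id still differs because it hashes the id of its altered parent, so anyone comparing against an independent clone sees the mismatch.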
Kernel.org is working with the 448 users of kernel.org to change their credentials and SSH keys. They are also carrying out a full audit of security policies to make kernel.org more secure. Kernel.org has assured its users and the public that it is pursuing all avenues to find the attackers and prevent future infiltrations.