Entry was gained via a machine that goes by the name of Hera.
The breach was discovered on August 28 and, while the kernel team believes the source code repositories were not affected, investigations are underway to check and also to bolster security across the project infrastructure.
Update, September 1, 1.35pm AEST: The British technology news site, The Register, reports that the intrusion went undetected for 17 days. This is based on an email it obtained which was sent to developers by John Hawley, the chief sysadmin of kernel.org.
The breach is believed to have occurred via a compromised user credential; how the attacker or attackers used that to gain superuser status is not yet known.
The attacker(s) had modified ssh files (from the openssh, openssh-server and openssh-clients packages), and the modified versions were running. In addition, a trojan startup file had been added to the startup scripts on Hera.
The kernel team has logged user interactions as well as some exploit code.
The trojan was initially discovered due to error messages apparently coming from a package, xnest, that was not installed; if similar behaviour was observed elsewhere, developers were advised to investigate. However, the presence of such messages did not by itself establish whether a machine was compromised, susceptible or neither.
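The check developers were advised to make, log messages attributed to a program whose package is not installed on that host, can be run across several machines at once. The sketch below is an added example, not code from kernel.org: the log lines, the per-host package inventories and the tag-to-package mapping are all constructed, and a hit is only a lead to investigate, as the advice above makes clear.

```python
import re

# Classic syslog line: "Aug 28 03:12:44 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)

# Assumed mapping from syslog program tag to owning package (constructed).
PROG_TO_PKG = {
    "xnest": "xorg-x11-server-Xnest",
    "sshd": "openssh-server",
    "crond": "cronie",
}

def orphan_messages(log_lines, installed_by_host, prog_to_pkg=PROG_TO_PKG):
    """Return (host, program, message) for every log line whose program
    belongs to a package that the host's inventory says is not installed."""
    findings = []
    for line in log_lines:
        m = SYSLOG_RE.match(line)
        if m is None:
            continue  # not a syslog line we can parse
        pkg = prog_to_pkg.get(m["prog"].lower())
        installed = installed_by_host.get(m["host"])
        if pkg is None or installed is None:
            continue  # unknown program or no inventory: cannot judge
        if pkg not in installed:
            findings.append((m["host"], m["prog"], m["msg"]))
    return findings

# Constructed sample input: two hosts, only one has the Xnest package.
SAMPLE_LOG = [
    "Aug 28 03:12:44 hera Xnest[4312]: constructed error text",
    "Aug 28 03:12:50 hera sshd[991]: constructed login message",
    "Aug 28 03:13:02 build1 Xnest[77]: constructed error text",
    "Aug 28 03:13:05 build1 crond[120]: constructed cron message",
    "not a syslog line",
]
SAMPLE_INSTALLED = {
    "hera": {"openssh-server", "cronie"},
    "build1": {"openssh-server", "cronie", "xorg-x11-server-Xnest"},
}

if __name__ == "__main__":
    for host, prog, msg in orphan_messages(SAMPLE_LOG, SAMPLE_INSTALLED):
        print(f"{host}: message from {prog}, package not installed: {msg}")
```

On a real system the inventory should come from a source the attacker could not have altered, since a superuser-level intruder can also tamper with the local package database and logs.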