[conspire] Important: Security Breach on Linux.com, LinuxFoundation.org

Edward Mokurai Cherlin mokurai at sugarlabs.org
Tue Sep 13 09:17:17 PDT 2011 

[sigh] Seems like every time you turn around.

http://www.linuxfoundation.org/
Linux Foundation infrastructure including LinuxFoundation.org,
Linux.com, and their subdomains are down for maintenance due to a
security breach that was discovered on September 8, 2011. The Linux
Foundation made this decision in the interest of extreme caution and
security best practices. We believe this breach was connected to the
intrusion on kernel.org.

Kernel.org says only, "Down for maintenance." Here is a cached page from Google.

http://webcache.googleusercontent.com/search?q=cache:J5mGiQiPQtcJ:www.kernel.org/+site:kernel.org&cd=4&hl=en&ct=clnk&gl=us&lr=lang_en%7Clang_es&client=firefox-a

Security breach on kernel.org

Earlier this month, a number of servers in the kernel.org
infrastructure were compromised. We discovered this August 28th. While
we currently believe that the source code repositories were
unaffected, we are in the process of verifying this and taking steps
to enhance security across the kernel.org infrastructure.


What happened?


    Intruders gained root access on the server Hera. We believe they
may have gained this access via a compromised user credential; how
they managed to exploit that to root access is currently unknown and
is being investigated.
    Files belonging to ssh (openssh, openssh-server and
openssh-clients) were modified and running live.
    A trojan startup file was added to the system start up scripts
    User interactions were logged, as well as some exploit code. We
have retained this for now.
    Trojan initially discovered due to the Xnest /dev/mem error
message w/o Xnest installed; have been seen on other systems. It is
unclear if systems that exhibit this message are susceptible,
compromised or not. If developers see this, and you don't have Xnest
installed, please investigate.
    It *appears* that 3.1-rc2 might have blocked the exploit injector,
we don't know if this is intentional or a side affect of another
bugfix or change.


On Sun, September 11, 2011 9:45 am, The Linux Foundation wrote:
> Attention Linux.com and LinuxFoundation.org users,
>
> We are writing you because you have an account on Linux.com,
> LinuxFoundation.org, or one of the subdomains associated with these
> domains.
> On September 8, 2011, we discovered a security breach that may have
> compromised your username, password, email address and other information
> you
> have given to us. We believe this breach was connected to the intrusion on
> kernel.org.
>
> As with any intrusion and as a matter of caution, you should consider the
> passwords and SSH keys that you have used on these sites compromised. If
> you
> have reused these passwords on other sites, please change them
> immediately.
> We are currently auditing all systems and will update public statements
> when
> we have more information.
>
> We have taken all Linux Foundation servers offline to do complete
> re-installs. Linux Foundation services will be put back up as they become
> available. We are working around the clock to expedite this process and
> are
> working with authorities in the United States and in Europe to assist with
> the investigation.
>
> The Linux Foundation takes the security of its infrastructure and that of
> its members extremely seriously and are pursuing all avenues to
> investigate
> this attack and prevent future ones. We apologize for this inconvenience
> and
> will communicate updates as we have them.
>
> Please contact us at info at linuxfoundation.org with questions about this
> matter.
>
> The Linux Foundation

Headers:

Return-path: <info at linuxfoundation.org >
Envelope-to: mokurai at earthtreasury.org
Delivery-date: Sun, 11 Sep 2011 09:46:07 -0400
Received: from bosimpinc01.eigbox.net ([10.20.13.1])
     by bosmailscan17.eigbox.net with esmtp (Exim)
     id 1R2kMJ-0000sC-9M
     for mokurai at earthtreasury.org ; Sun, 11 Sep 2011 09:46:07 -0400
Received: from smtp1.linux-foundation.org ([140.211.169.30])
     by bosimpinc01.eigbox.net with NO UCE
     id XRm01h00l0fhhjg09Rm0Wg; Sun, 11 Sep 2011 09:46:07 -0400
X-EN-OrigIP: 140.211.169.30
X-EN-IMPSID: XRm01h00l0fhhjg09Rm0Wg
Received: by smtp1.linux-foundation.org (Postfix, from userid 0)
     id 45B6A1A86; Sun, 11 Sep 2011 13:45:35 +0000 (UTC)
From: The Linux Foundation <info at linuxfoundation.org >
To: Mokurai at earthtreasury.org
Subject: Important: Security Breach on Linux.com, LinuxFoundation.org
Message-Id: <20110911134535.45B6A1A86 at smtp1.linux-foundation.org>
Date: Sun, 11 Sep 2011 13:45:35 +0000 (UTC)

-- 
Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
http://wiki.sugarlabs.org/go/Replacing_Textbooks

More information about the conspire mailing list