Kernel.org, a site that distributes the Linux kernel source, has suffered a security breach, according to a leaked email by Chief Administrator John Hawley. The breach was first noticed on August 28, and it is believed that multiple infected servers sat undetected for 17 days.
Shortly after the leaked email went public, Kernel.org released a statement confirming intruders had gained root access to at least one server. The intruders reportedly gained access to the server with compromised user credentials, but it's unknown how they obtained root access from there.
Files belonging to SSH were modified and running live. A Trojan was also added to the start-up scripts and all user interactions were logged, possibly compromising usernames and passwords.
The infected servers have been taken offline and backed up pending further investigation and a full analysis of the code in Git. All servers will be fully reinstalled, and the respective authorities in Europe and the United States have been notified.
One major advantage in the case of Kernel.org is that the Git version control system is used to manage the entire development lifecycle of kernel packages. Git calculates a cryptographically secure SHA-1 hash for each version of every package, and that hash changes as the package does. This creates a development history for each package, making it impossible to introduce changes without them being noticed.
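The hash chaining described above, as an added example (not code from Kernel.org or from Git itself): it recomputes Git-style object ids in Python and shows that altering a file in an old commit changes the id of every later commit, even when the latest files are untouched. The file contents, author identity and helper names are constructed for illustration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<kind> <length>\\0' followed by the body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def tree_id(files: dict) -> str:
    """Id of a flat tree: entries sorted by name, '100644 <name>\\0<raw blob id>'."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", body)

def commit_id(files: dict, parent, message: str) -> str:
    """Id of a commit that names its tree and, if present, its parent commit."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    who = "Example Dev <dev@example.org> 1314489600 +0000"  # constructed identity
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_ids(snapshots):
    """Commit ids for a linear history of (files, message) snapshots."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids

# Constructed two-commit history (not real kernel content).
ORIGINAL = [
    ({"Makefile": b"VERSION = 3\n"}, "initial import"),
    ({"Makefile": b"VERSION = 3\n", "README": b"hello world\n"}, "add README"),
]
# Same history, but one byte is altered in the FIRST commit only;
# the files at the tip are identical to the original tip.
TAMPERED = [({"Makefile": b"VERSION = 4\n"}, "initial import"), ORIGINAL[1]]

if __name__ == "__main__":
    for good, bad in zip(history_ids(ORIGINAL), history_ids(TAMPERED)):
        print(good, "->", bad, "MISMATCH" if good != bad else "ok")
```

Anyone holding a clone with the original tip id can detect the rewrite by comparing that single value.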
Many will consider this attack to be a serious problem, but Kernel.org moved quickly to reassure everyone that repositories remained unaffected and they are working closely with the hundreds of users of kernel.org to change passwords and SSH keys.
They are also going to audit all security policies and make improvements if required to ensure this is a one-time event. The site was keen to note that it takes security seriously and is pursuing all avenues to find the attackers and prevent future infiltrations.