A week after uncovering malware on several key kernel.org servers, the Linux Foundation has taken other key Websites, including Linux.com, offline for a complete reinstall.
Linux.com, LinuxFoundation.org and all sub-domains associated with these sites were taken offline after administrators discovered "a security breach" on Sept. 8, according to an email sent to all registered members of the sites on Sept. 11. The servers will be completely reinstalled and will be back online "as they become available," the Linux Foundation wrote.
This information was also posted on a holding page on all the affected sites.
The username, password, email address and "other information" provided by users registered with the sites may have been stolen, according to the disclosure email. Any passwords or SSH keys used on those sites should be considered compromised, and the foundation recommended that users who had reused any of those passwords elsewhere change them immediately.
"We believe this breach was connected to the intrusion on kernel.org," the Linux Foundation said in the email.
Linux Organization officials discovered on Aug. 28 that attackers had installed a Trojan and opened a backdoor into kernel.org servers on Aug. 12. The attackers had logged user activity and modified the OpenSSH client and server software installed on the compromised server, but had not gained access to the Linux kernel source code or other applications. The Trojan discovered on kernel.org was based on an "off-the-shelf" rootkit called Phalanx.
The security breach is not just about information theft, since it involves a malware compromise, Paul Ducklin, head of technology for the Asia Pacific group at Sophos, wrote on the Naked Security blog. "If a server is 'owned' by malware, even the login process should be considered untrustworthy," Ducklin wrote, noting that malware could steal passwords directly from memory at the moment a user actually logs in.
The pattern of activity by the intruders on kernel.org led observers to speculate that the attackers did not really understand the significance of the servers they’d breached and were unable to capitalize on the attack. If the latest breaches are related to kernel.org and had occurred around the same time, the attacks appear to be even more widespread than originally thought.
These breaches have no impact on the Linux kernel or any other project's source code, as none of the compromised sites are related to software development. The Linux Foundation is a not-for-profit organization which funds Linux development so that the developers remain independent of any particular vendor or commercial group. Linux.com is the news, information and community site for people interested in the operating system, and LinuxFoundation.org provides information on the foundation's activities. The sub-domains, such as the Linux Developer Network and the video site, are also used for disseminating information.
The latest incident on Linux servers may actually make Linux supporters take a serious look at Linux malware and security in general, Ducklin said. It will also likely force people who continue to perceive the operating system as a "hobby product" to accept it as a legitimate product, since "why else would kernel.org be in the sights of cyber-crooks?" Ducklin wrote.
"Whilst Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system," Ducklin wrote.
Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.
We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.
We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.
Please contact us at email@example.com with questions about this matter.
The Linux Foundation
We want to thank you for your questions and your support. We hope this FAQ can help address some of your inquiries.
Q: When will Linux Foundation services, such as events, training and Linux.com be back online?
Our team is working around the clock to restore these important services. We are working with authorities and exercising both extreme caution and diligence. Services will begin coming back online in the coming days, and we will keep you informed every step of the way.
Q: Were passwords stored in plaintext?
The Linux Foundation does not store passwords in plaintext. However, an attacker with access to the stored password hashes would be able to conduct an offline brute-force attack against them directly. An in-depth analysis of direct-access brute forcing, as it relates to password strength, can be read at http://www.schneier.com/blog/archives/2007/01/choosing_secure.html. We encourage you to use extreme caution, as is the case in any security breach, and discontinue the use of that password if you re-use it across other sites.
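The FAQ's point is that a leaked password store is only as good as the hashing behind it: a fast, unsalted digest lets an attacker test guesses at full hardware speed and reuse precomputed tables across every user, while a salted, deliberately slow key-derivation function makes each guess expensive and each user's record unique. The following added example (written for this page; not the Linux Foundation's code, and it makes no claim about how their sites actually stored passwords) contrasts the two storage formats and shows the defender-side properties that matter: per-user salts, a tunable iteration count, constant-time comparison, and a locally measured cost per verification. The sample password is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demonstration; not data from the breach.
SAMPLE_PASSWORD = "correct horse battery staple"

# Iteration count for PBKDF2. Raise it as hardware gets faster; the stored
# record carries the count, so old records can be re-hashed at next login.
DEFAULT_ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """The weak storage format: one unsalted SHA-1 pass.

    Deterministic across users, so identical passwords collide and a single
    precomputed table serves every record in a leaked store.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_pbkdf2_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow storage format: pbkdf2_sha256$<iters>$<salt>$<digest>.

    A fresh 16-byte random salt per record defeats precomputation and hides
    which users share a password; the iteration count sets the cost per guess.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2_record(password: str, record: str) -> bool:
    """Recompute the derivation from the record's own salt and iteration count.

    hmac.compare_digest avoids leaking how many digest bytes matched through
    timing; malformed records are rejected rather than raising.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def guess_cost_ratio(iterations: int = DEFAULT_ITERATIONS, samples: int = 3) -> float:
    """How many times more wall-clock time one PBKDF2 verification costs than
    one SHA-1 digest on this machine. This is the factor by which an offline
    guessing attack against a leaked store is slowed down by the slow KDF."""
    salt = os.urandom(16)
    pw = SAMPLE_PASSWORD.encode("utf-8")

    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    slow = (time.perf_counter() - start) / samples

    # Time enough SHA-1 calls to get a measurable interval.
    fast_runs = 10_000
    start = time.perf_counter()
    for _ in range(fast_runs):
        hashlib.sha1(pw).hexdigest()
    fast = (time.perf_counter() - start) / fast_runs

    return slow / fast if fast > 0 else float("inf")


if __name__ == "__main__":
    weak = fast_unsalted_hash(SAMPLE_PASSWORD)
    print("unsalted sha1 (same for every user with this password):", weak)
    rec_a = make_pbkdf2_record(SAMPLE_PASSWORD)
    rec_b = make_pbkdf2_record(SAMPLE_PASSWORD)
    print("pbkdf2 record A:", rec_a)
    print("pbkdf2 record B:", rec_b)
    print("records differ despite same password:", rec_a != rec_b)
    print("verify correct password:", verify_pbkdf2_record(SAMPLE_PASSWORD, rec_a))
    print("verify wrong password:  ", verify_pbkdf2_record("wrong", rec_a))
    print(f"cost per guess vs plain sha1: ~{guess_cost_ratio():.0f}x")
```

Two properties are worth checking in any password store after an incident like this one: records for the same password must differ (a salt is present), and the cost of a single verification must be set high enough that the attacker, not the legitimate login, pays for it. The ratio printed at the end is exactly the slowdown an offline attacker faces per guess; the breach advice to stop reusing the password still stands, because no KDF setting protects a password that is weak or already known.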
Q: Does my Linux.com email address work?
Yes, Linux.com email addresses are working and safe to use.
Q: What do you know about the source of the attack?
We are aggressively investigating the source of the attack. Unfortunately, we can’t elaborate on this for the time being.
Q: Is there anything I can do to help?
We want to thank everyone who has expressed their support while we address this breach. We ask you to be patient as we do everything possible to restore services as quickly as possible.