Linux Hack: Check for Malware

Thursday, October 6, 2011 @ 02:10 PM gHale


Check Linux machines for signs of compromise: that was the message from project leaders following a series of attacks against the servers of the popular open-source operating system.

Emails sent late last week by Linux kernel lead developers Greg Kroah-Hartman and H. Peter Anvin arrived as volunteers with the open-source project worked to bring LinuxFoundation.org, Linux.com, and Kernel.org back online following attacks that gained root access to multiple servers hosting the sites.


Among other things, project leaders are requiring all developers to regenerate the cryptographic keys used to upload source code to the site and to ensure their systems are free of rootkits and other malware.

“The compromise of kernel.org and related machines has made it clear that some developers, at least, have had their systems penetrated,” Kroah-Hartman said. “As we seek to secure our infrastructure, it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusion.”

He went on to advise developers to follow seven steps to check whether their systems have been compromised, including running chkrootkit, a rootkit detection tool for Linux. A separate email from Anvin laid out the process for generating a new set of RSA keys to replace those compromised in the attacks.
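The two steps the emails single out, a local rootkit check and a key rotation that actually removes the old key from service, look like the following in practice. This is an added example for this page, not the kernel.org team's own checklist or Anvin's script: it assumes chkrootkit and ssh-keygen are on the PATH for the optional wrapper, the old public key lives in a file the caller names, and the authorized_keys sample in the usage note is constructed test data, not a real key.

```shell
#!/bin/sh
# Added example (not from the kernel.org advisories): check the local host
# for rootkits, generate a replacement RSA key, and purge the old public key
# from an authorized_keys file by key material rather than by comment.

# revoke_pubkey OLD_PUB_FILE AUTHORIZED_KEYS_FILE
# Removes every authorized_keys line carrying the revoked key's base64 blob,
# whatever option prefix (from=, command=, ...) or comment surrounds it.
# Matching on the comment field alone would miss copies with a new comment.
# Prints the number of lines removed.
revoke_pubkey() {
    old_pub=$1
    ak=$2
    # Field 2 of an OpenSSH public key file is the base64 key material.
    blob=$(awk '{print $2}' "$old_pub")
    [ -n "$blob" ] || { echo "no key material in $old_pub" >&2; return 1; }
    before=$(wc -l < "$ak")
    # Keep a line only if none of its whitespace-separated fields equals
    # the revoked blob; string equality, so '+' and '/' need no escaping.
    awk -v blob="$blob" '
        { keep = 1
          for (i = 1; i <= NF; i++) if ($i == blob) keep = 0
          if (keep) print }' "$ak" > "$ak.new"
    mv "$ak.new" "$ak"
    after=$(wc -l < "$ak")
    echo $((before - after))
}

# rotate_key NEW_KEY_PATH
# Generates a fresh 4096-bit RSA key pair and prints its fingerprint so it
# can be compared against what the server side records. Assumes ssh-keygen.
rotate_key() {
    newkey=$1
    ssh-keygen -t rsa -b 4096 -f "$newkey" -N "" >/dev/null || return 1
    ssh-keygen -lf "$newkey.pub"
}

# check_host: run chkrootkit when installed; report its absence instead of
# silently reporting a clean host. A clean chkrootkit run is not proof of a
# clean system, only the absence of the signatures it knows.
check_host() {
    if command -v chkrootkit >/dev/null 2>&1; then
        chkrootkit
    else
        echo "chkrootkit not installed; install it before trusting this host" >&2
        return 2
    fi
}
```

Usage, with constructed data: `revoke_pubkey old.pub ~/.ssh/authorized_keys` prints how many entries it removed; run it on every host the old key could log in to, since the compromised key stays valid anywhere a copy remains, then install the new public key from `rotate_key ~/.ssh/id_rsa_new`.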

This hygiene lesson comes as kernel.org and linuxfoundation.org returned online on Monday after an outage of at least three weeks. The homepage of the related linux.com said the site remained down for maintenance and would return soon.

Kernel.org shut down following the discovery in late August that the personal machine used by Anvin and the kernel.org servers known as Hera and Odin1 had been infected by malware that gained root access. The Trojan sat undetected for at least 17 days before anyone discovered it on August 28.

A week later, project leaders took linux.com and linuxfoundation.org offline after detecting those systems also suffered a compromise.


