
Database Administrator / Professional Technologist 3 #123 for West Virginia University (Morgantown, WV)

Jobs | Thursday 1 September 2011 2:38 am

View full post on Job Central computer AND security in West Virginia

Kernel.org Compromise, (Wed, Aug 31st)

News | Thursday 1 September 2011 1:05 am

Kernel.org announced that it was compromised sometime earlier this month [1]. The compromise was discovered on Aug. 28th. At this point, the assumption is that the attacker obtained valid user credentials and then escalated privileges to become root. The exact nature of the privilege escalation is not known so far.
At this point, malicious changes to OpenSSH were discovered. OpenSSH, which is hosted on kernel.org, was modified to log user actions. The modifications were made to the startup scripts. Based on the note at kernel.org, it appears the investigation is ongoing and not all details have been uncovered yet.
What should you do?
If you downloaded code from kernel.org within the last 30 days, please double check that you didn’t get a trojaned copy, in particular if this code affected the OpenSSH client or server. Also, if you patched OpenSSH recently from another source, double check: it is possible that this other source got its files from kernel.org during the time it was compromised.
For more details, see the note on kernel.org.
[1] http://kernel.org
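
One way to carry out the double check described above, as an added example that is not part of the original diary: it hashes every file in a download directory that was modified within the last 30 days and compares it with a `sha256sum`-style manifest. It assumes the manifest was obtained from a source independent of the compromised server; the function names, file names and sample data are constructed for illustration.

```python
import hashlib, os, tempfile, time
from pathlib import Path
WINDOW_DAYS = 30  # the diary's "within the last 30 days"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: digest}."""
    known = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            known[parts[1].strip().lstrip("*")] = parts[0].lower()
    return known

def audit(download_dir, manifest_text, now=None):
    """Classify files modified inside the window: ok / MISMATCH / unverified."""
    cutoff = (now or time.time()) - WINDOW_DAYS * 86400
    known = parse_manifest(manifest_text)
    report = {}
    for p in sorted(Path(download_dir).iterdir()):
        if not p.is_file() or p.stat().st_mtime < cutoff:
            continue  # not a file, or older than the exposure window
        expected = known.get(p.name)
        if expected is None:
            report[p.name] = "unverified"  # no trusted digest: treat as suspect
        else:
            report[p.name] = "ok" if sha256_of(p) == expected else "MISMATCH"
    return report

def demo():
    """Constructed sample: four fake tarballs and a hand-built manifest."""
    clean = b"constructed clean release bytes"
    with tempfile.TemporaryDirectory() as d:
        files = {"good.tar": clean, "tampered.tar": clean + b" + extra code",
                 "unlisted.tar": b"other", "old.tar": b"modified but old"}
        for name, data in files.items():
            Path(d, name).write_bytes(data)
        os.utime(Path(d, "old.tar"), (0, 0))  # mtime far outside the window
        digest = hashlib.sha256(clean).hexdigest()
        manifest = "\n".join(f"{digest}  {n}" for n in ("good.tar", "tampered.tar", "old.tar"))
        return audit(d, manifest)

if __name__ == "__main__":
    print(demo())
```

File modification time is only a heuristic for when something was downloaded; dropping the window filter and auditing every file is the stricter choice.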
——

Johannes B. Ullrich, Ph.D.

SANS Technology Institute


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green


