
How about the long overdue autopsy on the August 2011 kernel.org compromise?

Posted Nov 22, 2015 16:28 UTC (Sun) by rickmoen (subscriber, #6943)
In reply to: How about the long overdue autopsy on the August 2011 kernel.org compromise? by spender
Parent article: A new Mindcraft moment?

Thanks for your comments, Brad.

I'd been relying on Dan Goodin's claim of Phalanx being what was used to gain root, in the bit where he cited 'two security researchers who were briefed on the breach' to that effect. Goodin also elaborated: 'Fellow security researcher Dan Rosenberg said he was also briefed that the attackers used Phalanx to compromise the kernel.org machines.' This was the first time I've heard of a rootkit being claimed to be bundled with an attack tool, and I noted that oddity in my posting to SVLUG.

That having been said, yeah, the Phalanx README doesn't specifically claim this, so then maybe Goodin and his several 'security researcher' sources blew that detail, and nobody but kernel.org insiders yet knows the escalation path used to gain root.

> Also, it's preferable to use live memory acquisition prior to powering off the system, otherwise you lose out on memory-resident artifacts that you can perform forensics on.

Arguable, but a tradeoff; you can poke the compromised live system for state data, but with the drawback of leaving your system running under hostile control. I was always taught that, on balance, it's better to pull power to end the intrusion.

Rick Moen
rick@linuxmafia.com
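
As an added illustration of the "acquire volatile state before pulling power" step the two comments above argue over (this is not code from the LWN thread, from its participants, or from kernel.org's own incident response), the following POSIX shell script captures the artifacts that disappear at power-off into an evidence directory given as its first argument. It assumes a Linux host with procfs and assumes the evidence path is on external media rather than the suspect disk; the function names `collect_volatile` and `verify_manifest` are this example's own. It reads `/proc` directly instead of running `ps`, `ss` or `lsmod`, because on a rooted host those binaries and the libraries they load are obvious tampering targets. The caveat Rick raises still applies in full: a kernel-resident rootkit of the kind under discussion can lie to every read below, which is why a physical memory image (with a kernel-module acquisition tool such as LiME, out of scope here) examined offline is the only way to get ground truth.

```shell
#!/bin/sh
# Volatile-state triage collector: added example, not from the LWN thread.
# Assumes Linux procfs; $1 is an evidence directory assumed to be on external
# media. Reads /proc directly rather than trusting ps/ss/lsmod on a rooted
# host. A kernel rootkit can still falsify procfs; only an offline memory
# image (e.g. acquired with LiME, not shown here) avoids that.

collect_volatile() {
    out="$1"
    [ -d /proc/self ] || { echo "collect_volatile: needs Linux procfs" >&2; return 2; }
    mkdir -p "$out" || return 1

    # 1. Clock, kernel identity and uptime: everything else is relative to this.
    { date -u '+%Y-%m-%dT%H:%M:%SZ'; uname -a; cat /proc/uptime; } \
        > "$out/00-host.txt" 2>/dev/null || true

    # 2. Process table straight from procfs: pid, ppid, uid, exe target, cmdline.
    #    Processes may exit mid-walk, so every read tolerates failure.
    : > "$out/10-processes.txt"
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        ppid=$(awk '/^PPid:/ {print $2}' "$p/status" 2>/dev/null || true)
        uid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null || true)
        exe=$(readlink "$p/exe" 2>/dev/null || true)
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "${ppid:-?}" "${uid:-?}" \
            "${exe:-?}" "$cmd" >> "$out/10-processes.txt"
    done

    # 3. Socket tables (addresses and ports are hex here; decode offline).
    for t in tcp tcp6 udp udp6 unix; do
        cat "/proc/net/$t" > "$out/20-net-$t.txt" 2>/dev/null || true
    done

    # 4. Loaded modules, kernel taint flags, mount table and ARP cache.
    cat /proc/modules            > "$out/30-modules.txt" 2>/dev/null || true
    cat /proc/sys/kernel/tainted > "$out/31-tainted.txt" 2>/dev/null || true
    cat /proc/mounts             > "$out/40-mounts.txt"  2>/dev/null || true
    cat /proc/net/arp            > "$out/41-arp.txt"     2>/dev/null || true

    # 5. Hash everything so the capture can later be shown to be unaltered.
    (cd "$out" && sha256sum *.txt > MANIFEST.sha256) || return 1
}

# Re-check the manifest, e.g. after copying the evidence directory off-host.
verify_manifest() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null 2>&1)
}
```

Run it from a shell and coreutils you brought with you on read-only media, write only to the external evidence path, and treat the result as the attacker-influenced view it is: its value is in diffing it later against the memory image and the offline disk image, not in trusting it on its own. Once the capture and the memory image are on external media, pulling power, as Rick was taught, costs nothing further.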


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds