Re: status: hints on how to check your machine for intrusion

From: akwatts
Date: Sat Oct 01 2011 - 10:23:51 EST

Greg, many thanks for providing these helpful hints for assessing
system integrity.

On Fri, Sep 30, 2011 at 04:59:24PM -0700, Greg KH wrote:
> The compromise of and related machines has made it clear that
> some developers, at least, have had their systems penetrated. As we
> seek to secure our infrastructure, it is imperative that nobody falls
> victim to the belief that it cannot happen to them. We all need to
> check our systems for intrusions. Here are some helpful hints as
> proposed by a number of developers on how to check to see if your Linux
> machine might be infected with something:

I understand that git repos are protected from ex-post tampering by a
rolling sha-1 hash. However, is it possible that code submissions were
faked during the intrusion window and pulled by legitimate subsystem
or system managers?

The intrusion on has been dated as potentially weeks
before 8/28 which means many tarballs (that common users rely on more
than git) were posted after that.

Can we confirm a few things?

a) do we have a better estimate on the date of the initial breach?
b) is there any chance that the signing key (517D0F0E) was compromised?
c) can someone with verifiably clean code (i.e. not just downloads from post checksums (md5,sha1,rmd160) for official tarball
releases since say 3/2011 (both full kernel and patches)?

Many thanks.

~ Andy
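An added illustration of the point raised above about git's rolling hash, not part of the original post: a toy commit chain (SHA-1 over parent id, tree id and message; real git objects also carry author/committer headers, but the chaining property is the same) shows that rewriting history changes every later commit id, while a bogus commit appended at the head and then pulled by a maintainer yields a perfectly consistent chain. All sample file contents are constructed.

```python
import hashlib


def tree_hash(files):
    """Toy tree id: SHA-1 over sorted (path, content) pairs."""
    h = hashlib.sha1()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path].encode() + b"\0")
    return h.hexdigest()


def commit_hash(parent, tree, message):
    """Toy commit id: SHA-1 over the parent id, tree id and message."""
    data = f"parent {parent}\ntree {tree}\n\n{message}".encode()
    return hashlib.sha1(data).hexdigest()


def build_history(commits):
    """commits: list of (files, message) from oldest to newest; returns ids."""
    ids, parent = [], "0" * 40
    for files, msg in commits:
        parent = commit_hash(parent, tree_hash(files), msg)
        ids.append(parent)
    return ids


# Constructed sample history (two ordinary commits)
HISTORY = [
    ({"init.c": "int init(void) { return 0; }"}, "initial import"),
    ({"init.c": "int init(void) { return 0; }", "net.c": "int net(void);"}, "add net.c"),
]
ORIGINAL_IDS = build_history(HISTORY)


def ex_post_tamper_detected():
    """Altering an older commit's tree changes its id and every descendant's,
    so anyone holding the original ids (or a signed tag) notices."""
    altered = [({"init.c": "int init(void) { extra(); return 0; }"}, "initial import"),
               HISTORY[1]]
    return build_history(altered) != ORIGINAL_IDS


def faked_submission_consistent():
    """A commit appended at the head leaves all earlier ids intact and forms a
    valid chain: the hash chain alone does not flag it, only review does."""
    extended = HISTORY + [({**HISTORY[1][0], "extra.c": "int extra(void);"}, "fix typo")]
    new_ids = build_history(extended)
    return new_ids[:2] == ORIGINAL_IDS and build_history(extended) == new_ids
```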
