Re: status: hints on how to check your machine for intrusion

From: Greg KH
Date: Sat Oct 01 2011 - 10:29:11 EST

On Sat, Oct 01, 2011 at 09:17:51AM -0500, akwatts@xxxxxxxxx wrote:
> Greg, many thanks for providing these helpful hints for assessing
> system integrity.
> On Fri, Sep 30, 2011 at 04:59:24PM -0700, Greg KH wrote:
> > The compromise of and related machines has made it clear that
> > some developers, at least, have had their systems penetrated. As we
> > seek to secure our infrastructure, it is imperative that nobody falls
> > victim to the belief that it cannot happen to them. We all need to
> > check our systems for intrusions. Here are some helpful hints as
> > proposed by a number of developers on how to check to see if your Linux
> > machine might be infected with something:
> I understand that git repos are protected from ex-post tampering by a
> rolling sha-1 hash. However, is it possible that code submissions were
> faked during the intrusion window and pulled by legitimate subsystem
> or system managers?
> The intrusion on has been dated as potentially weeks
> before 8/28 which means many tarballs (that common users rely on more
> than git) were posted after that.
> Can we confirm a few things?

At this time, we are unable to discuss the events that took place due
to an ongoing investigation into the matter. After that is complete, I
will be working to provide a report of what happened, but that will take
some time.

When and come back up, the kernels on them
will have been checked to be verified to be correct. Everyone involved
is working as hard as they can to make that happen as soon as is

> c) can someone with verifiably clean code (i.e. not just downloads from
> post checksums (md5,sha1,rmd160) for official tarball
> releases since say 3/2011 (both full kernel and patches)?

You can do this today yourself from Linus's git tree if you want to,
it's very easy to script. Just watch out for the fact that gzip puts
dates into the header, so you need to check the .tar file, not the
compressed ones.

thanks for your patience,

greg k-h
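A script for the check Greg describes, added here as an example and not part of the original mail: it hashes the decompressed .tar payload of a release tarball (so the timestamp and filename that gzip writes into its header cannot perturb the digest) and compares that with a `git archive` of the same tag from a local clone of Linus's tree. The repository path, tag and directory prefix are parameters, and it is an assumption that the release tarball was produced with `git archive` using that same prefix.

```shell
#!/bin/sh
# Added example: verify a kernel release tarball against the git tag.
set -e

# Print the sha256 of the tar payload, decompressing by extension.
# The gzip header stores an mtime and the original filename, so two .tar.gz
# files with byte-identical contents can hash differently; the .tar does not.
tar_payload_sha256() {
    f=$1
    case "$f" in
        *.tar.gz|*.tgz) dec="gzip -dc" ;;
        *.tar.xz)       dec="xz -dc" ;;
        *.tar.bz2)      dec="bzip2 -dc" ;;
        *.tar)          dec="cat" ;;
        *) echo "unsupported archive: $f" >&2; return 1 ;;
    esac
    $dec "$f" | sha256sum | cut -d' ' -f1
}

# Regenerate the archive for a tag from a local clone and hash it.
# Assumes the release tarball was made with git archive and the same prefix.
git_archive_sha256() {
    repo=$1; tag=$2; prefix=$3
    git -C "$repo" archive --format=tar --prefix="$prefix/" "$tag" \
        | sha256sum | cut -d' ' -f1
}

# Compare a downloaded tarball with the git tree. Prints MATCH or MISMATCH
# and returns non-zero on mismatch so it can be used in a loop over releases.
verify_tarball() {
    tarball=$1; repo=$2; tag=$3; prefix=$4
    a=$(tar_payload_sha256 "$tarball")
    b=$(git_archive_sha256 "$repo" "$tag" "$prefix")
    if [ "$a" = "$b" ]; then
        echo "MATCH $tarball $a"
    else
        echo "MISMATCH $tarball tarball=$a git=$b"
        return 1
    fi
}

# Usage (hypothetical paths): verify_tarball linux-3.0.tar.gz ~/linux v3.0 linux-3.0
```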