Kernel.org servers infected with backdoors for two years from 2009 (opens in new tab)

(arstechnica.com)

139 pointsyau8edq12i2y ago11 comments

11 comments

9 comments · 2 top-level

sixhobbits2y ago· 5 in thread

> Maintainers reneged on a promise[0] to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.

[0] https://arstechnica.com/information-technology/2013/09/who-r...

This bit makes it sound like 3 letter agencies were involved?

costco2y ago

This was in the news a while ago. It was a guy in his 20s in Miami: https://regmedia.co.uk/2016/09/02/linux_hack.pdf.

Who is also in the Panama Papers... https://offshoreleaks.icij.org/nodes/12097929

rurban2y ago

But they were talking about the GoDaddy hack with Ebury, and Austin was only kernel.org, linux foundation and probably apache.org.

So who was GoDaddy? Not NSA for sure. They call it the Ebury group and they do have some hints

1 more reply

deeth_starr_v2y ago

Or someone famous and thin skinned was involved? That’s where my mind went

halJordan2y ago

Why on earth jump to the most outrageous conspiracy? That's an absurd leap.

ElectricBoogie2y ago

AHEM... opsec fail.

skilled2y ago· 2 in thread

The title is quite clickbaity I think, because of this:

> Occurred no later than August 12, 2011, and wasn't detected for another 17 days

which also had a discussion on HN in 2013:

Who rooted kernel.org servers two years ago? (https://news.ycombinator.com/item?id=6438326) - Sep 2013 (45 comments)

The article from ESET is here,

Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain (https://www.welivesecurity.com/en/eset-research/ebury-alive-...) - May 2024

but the article itself only serves as an introduction to the PDF:

https://web-assets.esetstatic.com/wls/en/papers/white-papers...

rezonant2y ago

What's new (versus when the story broke years ago) is:

> A 47-page report summarizing Ebury's 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised.

I think you grok that, but I don't think the title is clickbait.

yjftsjthsd-h2y ago

I read the arstechnica post and didn't grok that at all; thanks for explaining. I spent the whole article wondering what prompted them to report on something that happened over a decade ago now.

1 more reply

j / k navigate · click thread line to collapse

11 comments

9 comments · 2 top-level

sixhobbits2y ago· 5 in thread

> Maintainers reneged on a promise[0] to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.

[0] https://arstechnica.com/information-technology/2013/09/who-r...

This bit makes it sound like 3 letter agencies were involved?

costco2y ago

This was in the news a while ago. It was a guy in his 20s in Miami: https://regmedia.co.uk/2016/09/02/linux_hack.pdf.

Who is also in the Panama Papers... https://offshoreleaks.icij.org/nodes/12097929

rurban2y ago

But they were talking about the GoDaddy hack with Ebury, and Austin was only kernel.org, linux foundation and probably apache.org.

So who was GoDaddy? Not NSA for sure. They call it the Ebury group and they do have some hints

1 more reply

deeth_starr_v2y ago

Or someone famous and thin skinned was involved? That’s where my mind went

halJordan2y ago

Why on earth jump to the most outrageous conspiracy? That's an absurd leap.

ElectricBoogie2y ago

AHEM... opsec fail.

skilled2y ago· 2 in thread

The title is quite clickbaity I think, because of this:

> Occurred no later than August 12, 2011, and wasn't detected for another 17 days

which also had a discussion on HN in 2013:

Who rooted kernel.org servers two years ago? (https://news.ycombinator.com/item?id=6438326) - Sep 2013 (45 comments)

The article from ESET is here,

Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain (https://www.welivesecurity.com/en/eset-research/ebury-alive-...) - May 2024

but the article itself only serves as an introduction to the PDF:

https://web-assets.esetstatic.com/wls/en/papers/white-papers...

rezonant2y ago

What's new (versus when the story broke years ago) is:

I think you grok that, but I don't think the title is clickbait.

yjftsjthsd-h2y ago

I read the arstechnica post and didn't grok that at all; thanks for explaining. I spent the whole article wondering what prompted them to report on something that happened over a decade ago now.

1 more reply

j / k navigate · click thread line to collapse