Hackers have broken into the online home of open-source operating system Linux, Kernel.org, compromising "a number of servers in the kernel.org infrastructure," according to a note posted on the website today.
Site administrators realised they'd been hacked on Sunday, and soon after discovered that a malicious Trojan had been inserted into the startup scripts of a key server, Hera. User data from the site had also been logged.
Law enforcement agencies in Europe and the US have been contacted, say the site's owners. It is believed that the hackers stole a user's login details to gain access, and the site's owners are forcing all of its 448 users to change their passwords and SSH (Secure Shell) keys.
The hack is particularly significant because Kernel.org is the place where Linux distributors download the source code for the operating system's kernel - though administrators were keen to point out that Linux's change-tracking system - a cryptographically secure 'hash' of each of the 40,000 files hosted on the site - cannot be tampered with without being quickly spotted. .
"Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each several thousand kernel developers, distribution maintainers, and other users of kernel.org," the site's owners said in a statement. "Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily."
The intrusion is a somewhat unwelcome way for the open-source OS to enter into its third decade. A week ago, it celebrated the 20th anniversary of its creation by Finnish software engineer Linus Torvalds in 1991.