Popular Linux distribution Gentoo has been hacked, with the company warning that its GitHub repository should be “considered compromised.” Unknown hackers took control of the GitHub account earlier this week, on June 28, and modified both pages and the OS data there.
GitHub is a web-based hosting service, used by many thousands of projects to host their code. It’s often used as a version control system, with several iterations of software still preserved online. GitHub made headlines earlier this month, when Microsoft announced it would spend $7.5bn to acquire the company.
It took the Gentoo Foundation team two hours to regain support of the account on GitHub, but even then it warned that the code saved there was still to be considered suspect. Work continues to identify the modified code and malicious comments, and restore it to the correct version. Meanwhile, the compromised account used for the hack has been traced and locked out.
A number of malicious code changes have been spotted already
Hacks typically are done either to simply destroy, or to plant something nefarious: in this case, it seems like the latter was the goal. According to Francisco Blas Izquierdo Riera, of the Gentoo Foundation developer team, some of the added code was apparently intended to delete files from a system unwittingly running it.
“I just want to notify that an attacker has taken control of the Gentoo organization in Github and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files,” he wrote on the mailing list. “Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror obtained before 28/06/2018, 18:00 GMT until new warning.”
This was a mirror, not the original
Helping immensely in the recovery process is that fact that Gentoo was using its GitHub presence to offer a mirror of the OS, not the master. “This does NOT affect any code hosted on the Gentoo infrastructure,” the company made clear on Thursday. “Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.”
That main repository is safe, and unaffected by the GitHub incident. Of course, if you’ve used the GitHub version of Gentoo to add components to your OS, you could well have inadvertently created yourself a compromised install. The recommendation there is to remove the potentially tampered code, and then fetch it again, only this time from the master repository rather than GitHub.
If you built from GitHub from scratch, it’s time to go nuclear
Those who happened to build a whole install of Gentoo from GitHub may very well want to take the scorched-earth approach. After all bootstrapping a whole new build from the Gentoo master repository is a sure-fire way to avoid any potential modifications or exploits that are yet to be identified in the compromised code.
It’s worth noting that all of the changes made to that main Gentoo repository can be verified as legitimate, as they are digitally signed. Those looking to build from the repository should be checking that digital signature before they entrust their system to it.