Linux kernel.org Hacker Arrested After Traffic Stop

Use Netsparker


So it seems the alleged kernel.org hacker has finally been caught, kinda by accident after being stopped for a traffic violation. It was quite a high profile hack, especially in the open source community as anyone downloading kernel files during that period could have theoretically been compromised.

Linux kernel.org Hacker Arrested After Traffic Stop

It’s unlikely the kernel code was actually tampered with due to the hashes for each file being distributed widely, but still – it had people rumbled.

A man who allegedly hacked the Linux Kernel Organization’s kernel.org and the Linux Foundation’s servers has been collared by cops.

Donald Ryan Austin, 27, of El Portal, Florida, will appear in court in San Francisco later this month. He is accused of four counts of “intentional transmission causing damage to a protected computer.” The charges were filed in absentia against Austin.

It is alleged his hacking spree forced the two Linux groups to shut down completely to clean up a malware infection. Austin was stopped on Thursday this week by police in Miami Shores for a traffic offense – and was arrested when he identified himself.

Court documents [PDF] claim that in 2011, Austin managed to steal the credentials of one of the Linux server admins and used these to install the Phalanx malware, a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a TTY program.


It’s still a pretty hardcore compromise though the reasons for it never seem to have surfaced, nor the in-depth post-mortem kernel.org folks promised to publish.

It’s also a little odd such a technical compromise used off the shelf tools that could easily be detected and identified (Phalanx and Ebury).

Using Phalanx, he is also accused of installing the Ebury trojan, which is designed for Linux, FreeBSD or Solaris hacking, onto numerous servers run by the groups. This harvested login credentials of people using the servers and forwarded them to the attacker.

Austin’s goal, according to the prosecution, was to “gain access to the software distributed through the www.kernel.org website,” presumably to tamper with it. He is also accused of leaving messages on the system for others to find, and of hacking the personal email server of one member of the Linux Foundation.

Some of the Linux servers were offline for almost a month, while administrators picked over files to make sure that the attacker hadn’t left any more nasty surprises in there. It took over five years of sleuthing to find out who could have been responsible, and now the Feds think they have their man.

Austin was released from jail on payment of $50,000 in bail money, and will have to appear in court in San Francisco at 09:30 on September 21 before the Honorable Sallie Kim. If found guilty, he faces a possible sentence of 40 years in prison and $2m in fines.

As usual with these type of cyber-crimes cases in the US, they are VERY strict and the maximum sentence is 40 years in prison plus a $2 Million fine.

A little harsh for something that was non-commercial and didn’t seem to do any long term damage. We will have to wait for the actual sentencing on Sept 21st to see what happens next.

Source: The Register

Posted in: Linux Hacking, Malware


Latest Posts:


CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.
MyEtherWallet DNS Hack Causes 17 Million USD User Loss MyEtherWallet DNS Hack Causes 17 Million USD User Loss
Big news in the crypto scene this week was that the MyEtherWallet DNS Hack that occured managed to collect about $17 Million USD worth of Ethereum in just a few hours.


One Response to Linux kernel.org Hacker Arrested After Traffic Stop

  1. ic34xe September 8, 2016 at 6:25 pm #

    its because of fear in the us they thrive by fear and are quite pathetic in regards to long sentences sad f e ck ers cant believe a hack would be worse than killing someone in a drunken collision but wait if you have dollar thats ok you can buy your way out or at least to a house arrest!

    only reason they are chasing hackers hard because they got exposed by their own lame ass processes, deserve everything they get!