Doug’s Dynamic Drivel

Examining the detritus of modern society



Not good

27 August, 2008 (18:24) | Computer, Technology

If you are using SSH keys to log onto your server, please make certain they are protected with passphrases.

The U.S. Computer Emergency Readiness Team (US-CERT) has issued a warning about what it calls "active attacks" against Linux-based computing infrastructure using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "Phalanx2" is installed, US-CERT said in a note on its current activity site.

From the advisory:

Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Details on the attacks, and their targets, remain scarce, but it's a safe bet this is linked to the Debian random number generator flaw that surfaced earlier this year. A working exploit for that vulnerability is publicly available. Note that a passphrase does not help against that particular flaw: keys generated by the broken Debian OpenSSL package (disclosed in May 2008) come from a keyspace of only a few tens of thousands of candidates per key type and size, so an attacker can guess the private key offline from the public half alone and never needs the key file. Any such key has to be regenerated and its old public key removed from every authorized_keys file it was ever added to.

To mitigate the risk from this attack, US-CERT recommends:

  • Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
  • Encourage users to protect their keys with a passphrase or password to reduce the risk if a key is compromised.
  • Review access paths to internet-facing systems and ensure that systems are fully patched.
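The first two recommendations come down to an inventory question: which private keys on a host are stored in the clear? The following is an added example (not code from the post or from US-CERT) that walks a directory, recognises both the legacy PEM key format (where encryption is signalled by a "Proc-Type: 4,ENCRYPTED" header) and the newer OpenSSH key format (where the cipher name, "none" for an unencrypted key, is stored at the front of the base64-decoded blob), and reports which keys lack a passphrase. The sample key files it scans are constructed fixtures with placeholder bodies, not real keys.

```python
"""Find SSH private keys on disk and report which ones have no passphrase.

Added example for the US-CERT advice above; not from the post or US-CERT.
The sample keys at the bottom are constructed fixtures, not real key material.
"""
import base64
import os
import struct
import tempfile

# Legacy PEM headers written by ssh-keygen -m PEM and older OpenSSH releases.
PEM_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",       # PKCS#8, unencrypted
)
PKCS8_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
OPENSSH_MARKER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(data: bytes) -> str:
    """Return the cipher name from an OpenSSH-format private key.

    The decoded body starts: magic || uint32 length || ciphername || ...
    A ciphername of "none" means the key is stored unencrypted.
    """
    body = b"".join(line.strip() for line in data.splitlines()
                    if line.strip() and not line.startswith(b"-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii")


def classify_key(data: bytes):
    """Return (format, passphrase_protected) or None if not a private key."""
    if data.lstrip().startswith(OPENSSH_MARKER):
        return "openssh", openssh_cipher(data) != "none"
    if PKCS8_ENCRYPTED in data:
        return "pkcs8", True
    if any(marker in data for marker in PEM_MARKERS):
        # Legacy PEM keys carry a Proc-Type header only when encrypted.
        return "pem", b"Proc-Type: 4,ENCRYPTED" in data
    return None


def scan(root: str):
    """Walk root and return [(path, format, protected)] for every key found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(65536)   # keys are small; cap the read
            except OSError:
                continue
            result = classify_key(data)
            if result is not None:
                findings.append((path, result[0], result[1]))
    return findings


# --- constructed fixtures (placeholder bodies, not real keys) ---------------
def build_openssh_sample(cipher: bytes) -> bytes:
    """Build a minimal openssh-key-v1 blob that only carries the cipher name."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 8
    b64 = base64.b64encode(raw)
    return OPENSSH_MARKER + b"\n" + b64 + b"\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_KEYS = {
    "id_rsa_plain.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEcGVtLWJvZHk=\n"
                        b"-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc.pem": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                      b"ZW5jcnlwdGVkLWJvZHk=\n-----END RSA PRIVATE KEY-----\n",
    "id_ed25519_plain": build_openssh_sample(b"none"),
    "id_ed25519_enc": build_openssh_sample(b"aes256-ctr"),
    "README": b"not a key at all\n",
}


def demo():
    """Write the fixtures to a temp dir, scan it, return sorted findings."""
    with tempfile.TemporaryDirectory() as d:
        for name, blob in SAMPLE_KEYS.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        return sorted((os.path.basename(p), fmt, prot) for p, fmt, prot in scan(d))


if __name__ == "__main__":
    for name, fmt, protected in demo():
        print(f"{name:20} {fmt:8} {'ok' if protected else 'NO PASSPHRASE'}")
```

Run it against /home and /root (and wherever automation accounts keep keys) and treat every "NO PASSPHRASE" line as something to either protect with `ssh-keygen -p -f <key>` or justify explicitly. Keys that automation genuinely cannot encrypt are the ones to lock down on the server side instead, with `from=` and `command=` restrictions in authorized_keys, so that a stolen copy is of limited use.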

via ZDNet

Tags: server security, Linux


Comments

Pingback from Recent Links Tagged With “rootkit” - JabberTags
Time: 9/21/2008, 7:34 pm

[...] public links >> rootkit Not good Saved by aputech on Sat 20-9-2008 Linux Under Attack: Compromised SSH Keys Lead To Rootkit Saved [...]
