Linux under attack: compromised SSH keys lead to rootkit

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls "active attacks" against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed, US-CERT said in a note on its current activity site.

Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.
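A stolen key that has no passphrase is usable by the attacker the moment it is exfiltrated, while a passphrase-protected one still has to be cracked. The Python below is an added example (not from the article, the US-CERT note or any rootkit-related tooling) that audits private key files for exactly that property. It recognises the two containers ssh-keygen writes: the legacy PEM container, where encryption is signalled by a Proc-Type header, and the openssh-key-v1 container, whose first wire-format string after the magic is the cipher name ("none" when there is no passphrase). The sample key texts are constructed headers with no real key material, and scanning ~/.ssh is an assumption about where keys live on the host.

```python
import base64
import struct
from pathlib import Path

# Added example, not code from the article: report SSH private keys that carry
# no passphrase, i.e. the ones an SSH-key-stealing rootkit can use immediately.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-private-key' for a key file's text."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        return "not-a-private-key"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1 layout: magic, string ciphername, string kdfname, ...
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "not-a-private-key"
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < len(OPENSSH_MAGIC) + 4:
            return "not-a-private-key"
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return "unencrypted" if cipher == b"none" else "encrypted"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 container with password-based encryption
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by a Proc-Type header
    if any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:]):
        return "encrypted"
    return "unencrypted"


def find_unprotected_keys(directory) -> list:
    """Paths under directory whose contents are a private key without a passphrase."""
    root = Path(directory)
    if not root.is_dir():
        return []
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > 65536:
            continue  # key files are small; skip anything else
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if classify_private_key(text) == "unencrypted":
            hits.append(str(path))
    return sorted(hits)


def _openssh_header(cipher: bytes) -> str:
    """Constructed openssh-key-v1 header (no key material) for demonstration only."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):  # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (not real keys)
SAMPLE_UNPROTECTED = _openssh_header(b"none")
SAMPLE_PROTECTED = _openssh_header(b"aes256-ctr")
SAMPLE_LEGACY_PROTECTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PUBLIC = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA constructed@example\n"

if __name__ == "__main__":
    # Assumption: keys live under ~/.ssh; pass another directory to scan elsewhere.
    for path in find_unprotected_keys(Path.home() / ".ssh"):
        print("no passphrase:", path)
```

Keys this reports should be re-issued with a passphrase (ssh-keygen -p) or moved behind an agent or hardware token; the public halves in authorized_keys on other hosts are the inventory of where a stolen copy could be used.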

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
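Hiding processes from the standard listing is what the classic hidden-process check targets: a process concealed from /proc can still be reached through the kernel's own PID lookup. The Python below is an added example (not from the article or from any rootkit-detection tool) that probes every PID up to pid_max with signal 0 and reports PIDs that answer but are absent from /proc. Thread IDs also answer the probe without being /proc entries, so they are collected from each listed process's task directory and excluded; two passes are intersected so processes that exit between the probe and the listing do not show up as hidden. Run it as root for a complete view. The set logic is also shown on constructed PID sets so it can be checked without a live system.

```python
import os

# Added example, not code from the article: flag PIDs that exist according to
# kill(pid, 0) but are missing from /proc, the symptom of a process-hiding rootkit.


def listed_pids() -> set:
    """PIDs the kernel shows in /proc (the view a rootkit tampers with)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def thread_ids(pids) -> set:
    """Thread IDs of the listed processes. kill() on a TID succeeds although /proc
    lists only thread-group leaders, so TIDs must not be counted as hidden."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            continue  # process exited, or task dir unreadable
    return tids


def pid_max() -> int:
    """Upper bound of the PID space on this host."""
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


def probed_pids(limit: int) -> set:
    """PIDs that answer a signal-0 probe, whether or not /proc admits they exist."""
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # no such process
        except PermissionError:
            pass  # exists but is owned by another user: still counts as alive
        alive.add(pid)
    return alive


def hidden_pids(listed: set, tids: set, probed: set) -> set:
    """Pure set logic: probed PIDs that are neither listed processes nor their threads."""
    return probed - listed - tids


def scan(passes: int = 2) -> set:
    """A PID must look hidden in every pass; this filters out processes that
    started or exited between the probe and the /proc listing of one pass."""
    result = None
    for _ in range(passes):
        probed = probed_pids(pid_max())
        listed = listed_pids()
        found = hidden_pids(listed, thread_ids(listed), probed)
        result = found if result is None else result & found
    return result


# Constructed PID sets illustrating the logic: PID 4 answers the probe but is
# neither a listed process nor a thread of one, so it is the only hidden PID.
DEMO_LISTED = {1, 2, 3}
DEMO_TIDS = {1, 2, 3, 5}
DEMO_PROBED = {1, 2, 3, 4, 5}

if __name__ == "__main__":
    print("hidden PIDs:", sorted(scan()))
```

A non-empty result is a reason to treat the host as compromised and image it, not to keep investigating from the same kernel: a kernel rootkit can lie to every userland tool, so confirmation belongs in an offline examination of the disk and memory.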

Link: More at ZDNet


15 Comments

I would hope that more than an SSH login would stand in the way of unauthorized access to a production server from the Internet...

Well, a stolen SSH key gets you in the front door. The real problem here is admins who don't secure their system with updates. The intruders rely on an outdated kernel being present to use an exploit and install the phalanx2 rootkit.

When people think that "Security" is a product like Linux or OpenBSD or Vista that they just install and "are secure", they have fallen into an awful pit of hubris.

(markjensen said @ #1.1)
Well, a stolen SSH key gets you in the front door. The real problem here is admins who don't secure their system with updates. The intruders rely on an outdated kernel being present to use an exploit and install the phalanx2 rootkit.

When people think that "Security" is a product like Linux or OpenBSD or Vista that they just install and "are secure", they have fallen into an awful pit of hubris.

Personally I would prefer to obfuscate the login process at least, or provide several tiers of security. It would not completely prevent the possibility of unauthorized access, but it certainly places the bar a bit higher.

Besides, this article stinks of "Linucks ain't prefect!!1". Captain Obvious is still kicking around somewhere I guess.

(Divide Overflow said @ #1.2)
...
Besides, this article stinks of "Linucks ain't prefect!!1". Captain Obvious is still kicking around somewhere I guess.
I think that these incompetent admins that think "I'll install Linux and be secure without ever having to pay attention or update" need Captain Obvious to come around and kick their collective asses.

Like I have said throughout my posting history here on Neowin, "Security is a process not a product."

Linux isn't perfect, we get that. But Windows, my good sir, isn't perfect either. Hell, neither is Mac... No application/OS will EVER be 100% safe, hate to burst your bubble.

OH NOES! That must be lies. Linux is UNBREAKABLE secure.

self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Maybe there is some mistake? Such a hell machine could not possibly exist for Linux. Voices are telling me not to believe it... Linux is secure, Linux is secure, Linux is secure, Linux is secure...

(RealFduch said @ #4)
OH NOES! That must be lies. Linux is UNBREAKABLE secure.

Maybe there is some mistake? Such a hell machine could not possibly exist for Linux. Voices are telling me not to believe it... Linux is secure, Linux is secure, Linux is secure, Linux is secure...

You forgot to take your little penguin-shaped pill again, didn't you?

(Airlink said @ #4.1)

You forgot to take your little penguin-shaped pill again, didn't you?
You forgot to wear your glasses while reading again, didn't you? Surely you missed the sarcasm oozing from RealFduch's post.

Post x1:
*something from Linux fanboys*

Post x2:
*something from MS fanboys*

Post x3:
*something from Apple fanboys*

Post x4:
*something stupid about not caring about PCs and computers from stupid console fanboys*

All OSes have bugs, so don't be blind fanboys, guys and girls.

Choose from the following standardised comments:

Well, you Gates slaves stick with your bug-riddled crash-tastic Windows set-up if you like, we'll have the last laugh.

Well, you tux freaks stick with your open source **** if you like, we'll have the last laugh.

Well, you Apple fanboys can bite my shiny metal ass, cos us OS2 superheroes will have the last laugh in the end, you simpering ****tards.
