Linux under attack: compromised SSH keys lead to rootkit

franzon via ZDNet on 27 August 2008 - 22:59 · 18 comments & 10760 views

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
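As an added, defender-side example (not from the ZDNet article, the US-CERT note, or any commenter), the two checks below audit the artefacts this attack chain hinges on: private keys stored without a passphrase, which are worth stealing, and authorized_keys entries that accept a key from any source host with no forced command, which is what lets a stolen key walk in the front door. Parsing of the openssh-key-v1 header (cipher name as the first field after the magic) and the legacy PEM "Proc-Type: 4,ENCRYPTED" header follows the published OpenSSH file formats; every key blob and authorized_keys line here is a constructed placeholder, not real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_sample_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed fixture: a minimal openssh-key-v1 file with the given header
    fields (ciphername, kdfname, kdfoptions, nkeys, then empty key blobs)."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def private_key_is_encrypted(pem_text: str) -> bool:
    """True if the private key file is passphrase-protected at rest."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"          # "none" means stored in the clear
    # Legacy PEM (RSA/DSA/EC): encrypted files carry a Proc-Type header after BEGIN
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])


def _split_options(line: str):
    """Split the leading options field from the key, honouring quoted values
    (a command="..." option may legitimately contain spaces)."""
    in_quote = False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def _option_names(options: str):
    """Option names (lower-cased) from a comma-separated options field, ignoring commas inside quotes."""
    names, buf, in_quote = [], "", False
    for i, c in enumerate(options):
        if c == '"' and (i == 0 or options[i - 1] != "\\"):
            in_quote = not in_quote
        if c == "," and not in_quote:
            names.append(buf.split("=", 1)[0].lower())
            buf = ""
        else:
            buf += c
    if buf:
        names.append(buf.split("=", 1)[0].lower())
    return names


def audit_authorized_keys(text: str):
    """Parse authorized_keys content; flag entries with neither from= nor command= set."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:   # options precede the key type
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            findings.append({"line": lineno, "error": "unparseable entry"})
            continue
        names = set(_option_names(options))
        findings.append({"line": lineno, "type": parts[0], "options": options,
                         "comment": parts[2] if len(parts) == 3 else "",
                         "restricted": bool(names & {"from", "command"})})
    return findings


# Constructed sample input: placeholder key blobs, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder alice@laptop
from="10.0.0.0/8",command="/usr/bin/rsync --server --sender ." ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder backup@host
"""

if __name__ == "__main__":
    for cipher, kdf in (("none", "none"), ("aes256-ctr", "bcrypt")):
        print(cipher, "encrypted:", private_key_is_encrypted(build_sample_openssh_key(cipher, kdf)))
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f)
```

Run it against real files by feeding `private_key_is_encrypted` the contents of each `~/.ssh/id_*` file and `audit_authorized_keys` the contents of each `authorized_keys`; an unencrypted key on a host is exactly what the rootkit's support scripts are after, and an unrestricted entry means a stolen copy can be replayed from anywhere.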

Link: More at ZDNet

(3 replies) #1 Divide Overflow on 28 Aug 2008 - 00:42
I would hope that more than an SSH login would stand in the way of unauthorized access to a production server from the Internet...
#1.1 vetmarkjensen on 28 Aug 2008 - 01:36
Well, a stolen SSH key gets you in the front door. The real problem here is admins who don't secure their system with updates. The intruders rely on an outdated kernel being present to use an exploit and install the phalanx2 rootkit.

When people think that "Security" is a product like Linux or OpenBSD or Vista that they just install and "are secure", they have fallen into an awful pit of hubris.
#1.2 Divide Overflow on 28 Aug 2008 - 14:27
(markjensen said @ #1.1)
Well, a stolen SSH key gets you in the front door. The real problem here is admins who don't secure their system with updates. The intruders rely on an outdated kernel being present to use an exploit and install the phalanx2 rootkit.

When people think that "Security" is a product like Linux or OpenBSD or Vista that they just install and "are secure", they have fallen into an awful pit of hubris.
Personally I would prefer to obfuscate the login process at least, or provide several tiers of security. It would not completely prevent the possibility of unauthorized access, but it certainly places the bar a bit higher.

Besides, this article stinks of "Linucks ain't prefect!!1". Captain Obvious is still kicking around somewhere I guess.
#1.3 vetmarkjensen on 28 Aug 2008 - 18:12
(Divide Overflow said @ #1.2)
...
Besides, this article stinks of "Linucks ain't prefect!!1". Captain Obvious is still kicking around somewhere I guess.
I think that these incompetent admins that think "I'll install Linux and be secure without ever having to pay attention or update" need Captain Obvious to come around and kick their collective asses.

Like I have said throughout my posting history here on Neowin, "Security is a process not a product."
(2 replies) #2 Xenomorph on 28 Aug 2008 - 00:52
Install Windows, problem solved.
#2.1 39 Thieves on 28 Aug 2008 - 01:23
#2.2 Burst404 on 28 Aug 2008 - 15:23
Linux isn't perfect, we get that. But Windows, my good sir, isn't perfect either. Hell, neither is Mac... No application/OS will EVER be 100% safe, hate to burst your bubble.
#3 The Intruder on 28 Aug 2008 - 02:36
You can do so much to protect your system

(2 replies) #4 RealFduch on 28 Aug 2008 - 02:39
OH NOES! That must be lies. Linux is UNBREAKABLE secure.
self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Maybe there is some mistake? Such hell machine could not possibly exist for linux. Voices are telling me not to believe it... Linux is secure, Linux is secure, Linux is secure, Linux is secure...
#4.1 Airlink on 28 Aug 2008 - 06:25
(RealFduch said @ #4)
OH NOES! That must be lies. Linux is UNBREAKABLE secure.
self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Maybe there is some mistake? Such hell machine could not possibly exist for linux. Voices are telling me not to believe it... Linux is secure, Linux is secure, Linux is secure, Linux is secure...

You forgot to take your little penguin-shaped pill again, didn't you?
#4.2 Divide Overflow on 28 Aug 2008 - 14:30
(Airlink said @ #4.1)
(RealFduch said @ #4)
OH NOES! That must be lies. Linux is UNBREAKABLE secure.
self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Maybe there is some mistake? Such hell machine could not possibly exist for linux. Voices are telling me not to believe it... Linux is secure, Linux is secure, Linux is secure, Linux is secure...

You forgot to take your little penguin-shaped pill again, didn't you?
You forgot to wear your glasses while reading again, didn't you? Surely you missed the sarcasm oozing from RealFduch's post.
(2 replies) #5 Akaruz on 28 Aug 2008 - 03:14
This was fixed ages ago ffs

#5.1 The Intruder on 28 Aug 2008 - 04:17
If that's true (I'm sure it is)

Can you provide a source?
#5.2 _dandy_ on 28 Aug 2008 - 17:11
(Akaruz said @ #5)
This was fixed ages ago ffs

Muhammad, is that you?
#6 Airlink on 28 Aug 2008 - 06:23
There's always one factor that nobody can protect against.
The human factor.
(1 reply) #7 morphen on 28 Aug 2008 - 06:32
Post x1:
*something from linux fanboys*

Post x2:
*something from MS fanboys*

Post x3:
*something from Apple fanboys*

Post x4:
*something stupid about don't caring about pc's and computers from stupid console fanboys*


All OS have bugs, so don't be blind fanboys guys and girls.

#7.1 m00head on 28 Aug 2008 - 13:23
Choose from the following standardised comments:

Well, you Gates slaves stick with your bug-riddled crash-tastic Windows set-up if you like, we'll have the last laugh.

Well, you tux freaks stick with your open source **** if you like, we'll have the last laugh.

Well, you Apple fanboys can bite my shiny metal ass, cos us OS2 superheroes will have the last laugh in the end, you simpering ****tards.
#8 Dave Hybrid on 21 Oct 2008 - 12:22
Interesting article, a good read. It's actually given me a great idea for a project so thanks! Dave @ IT Support.
