Software // Operating Systems
News
8/27/2008
05:58 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

Linux Systems Being Hit By SSH-Key Attacks

The attack appears to rely on stolen SSH keys to gain access to a system and then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit.

US-CERT on Tuesday warned of attacks against Linux computers using compromised SSH keys.

SSH (Secure Shell) is a network protocol designed to provide secure network communication via public-key cryptography.

According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system. It then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit, derived from the older "phalanx" rootkit.

"Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device," explains computer security group Packet Storm on its Web site. "Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot."

Once in place, the rootkit steals other SSH keys and sends them to the attacker to facilitate further attacks.

SANS Internet Storm Center handler John Bambenek in a blog post said that the weak key vulnerability identified in Debian-based systems a few months ago could be one source of compromised SSH keys. Debian's flawed random number generation, fixed in May, led to keys that were predictable.

Bambenek and US-CERT both recommend using keys with passphrases. Keys used in automated processes often do not have passphrases or passwords. Reviewing server logs to identify unknown accessed from remote machines is also recommended.

To detect the "phalanx2" rootkit, US-CERT suggests, among other things, looking for instances where the directory "khubd.p2" can be entered using the "cd" command but not seen using the "ls" command.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.