Software // Operating Systems
News
8/27/2008
05:58 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Linux Systems Being Hit By SSH-Key Attacks

The attack appears to rely on stolen SSH keys to gain access to a system and then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit.

US-CERT on Tuesday warned of attacks against Linux computers using compromised SSH keys.

SSH (Secure Shell) is a network protocol designed to provide secure network communication via public-key cryptography.

According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system. It then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit, derived from the older "phalanx" rootkit.

"Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device," explains computer security group Packet Storm on its Web site. "Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot."

Once in place, the rootkit steals other SSH keys and sends them to the attacker to facilitate further attacks.

SANS Internet Storm Center handler John Bambenek in a blog post said that the weak key vulnerability identified in Debian-based systems a few months ago could be one source of compromised SSH keys. Debian's flawed random number generation, fixed in May, led to keys that were predictable.

Bambenek and US-CERT both recommend using keys with passphrases. Keys used in automated processes often do not have passphrases or passwords. Reviewing server logs to identify unknown accessed from remote machines is also recommended.

To detect the "phalanx2" rootkit, US-CERT suggests, among other things, looking for instances where the directory "khubd.p2" can be entered using the "cd" command but not seen using the "ls" command.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek - July 21, 2014
Our new survey shows fed agencies focusing more on security, as they should, but they're still behind the times with cloud and overall innovation.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
In this special, sponsored radio episode we’ll look at some terms around converged infrastructures and talk about how they’ve been applied in the past. Then we’ll turn to the present to see what’s changing.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.