News
8/27/2008
05:58 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail

Linux Systems Being Hit By SSH-Key Attacks

The attack appears to rely on stolen SSH keys to gain access to a system and then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit.



US-CERT on Tuesday warned of attacks against Linux computers using compromised SSH keys.

SSH (Secure Shell) is a network protocol designed to provide secure network communication via public-key cryptography.

According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system. It then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit, derived from the older "phalanx" rootkit.

"Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device," explains computer security group Packet Storm on its Web site. "Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot."

Once in place, the rootkit steals other SSH keys and sends them to the attacker to facilitate further attacks.

SANS Internet Storm Center handler John Bambenek in a blog post said that the weak key vulnerability identified in Debian-based systems a few months ago could be one source of compromised SSH keys. Debian's flawed random number generation, fixed in May, led to keys that were predictable.

Bambenek and US-CERT both recommend using keys with passphrases. Keys used in automated processes often do not have passphrases or passwords. Reviewing server logs to identify unknown accessed from remote machines is also recommended.

To detect the "phalanx2" rootkit, US-CERT suggests, among other things, looking for instances where the directory "khubd.p2" can be entered using the "cd" command but not seen using the "ls" command.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service