Linux servers under 'Phalanx' attack

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    I assume that this is the Forum for this sort of news.

    Attacks in the wild are under way against Linux systems with compromised SSH keys, the US Computer Emergency Readiness Team is warning.

    The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. There's a viral aspect to this attack. As new SSH keys are stolen, new machines are potentially vulnerable to attack.

    The CERT advisory makes no mention of the flaw in the Debian random number generator, but that's most likely the starting point for the attack. The flaw caused SSL keys generated for more than a year to be so predictable that they could be guessed in a matter of hours. Debian fixed the flaw in May.

    Once a Linux server using a weak key is identified and rooted, it quickly gives up the keys it uses to connect to other servers. Even if these new keys aren't vulnerable to the Debian debacle, attackers can potentially use them to access the servers that use them if both the private and public parts of the key are included. Additionally, attackers can identify other servers that have connected to the infected machine recently, information that may enable additional breaches.

    Phalanx2 is a derivative of a rootkit known as Phalanx. According to Packet Storm, Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a tty program and connecting to it with a backdoor. Phalanx2 has been updated to systematically steal SSH keys.

    [ .... ]
    http://www.theregister.co.uk/2008/08...tacks_warning/

    It seems to be -- quite possibly -- bad news.
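    Two of the things the article says a rooted host gives up are private keys stored without a passphrase and a readable record in known_hosts of the servers it talks to. As an added example (not code from the article, the poster or OpenSSH), the Python audit below flags unencrypted PEM keys and clear-text known_hosts entries, and rewrites an entry the same way `ssh-keygen -H` hashes it; the hostnames, salt and key blob are constructed placeholders.

```python
# Added example (not from the article or post): audit what Phalanx2 harvests.
import base64
import hashlib
import hmac

def private_key_is_encrypted(pem_text: str) -> bool:
    """Classic PEM keys with a passphrase carry a 'Proc-Type: 4,ENCRYPTED' header."""
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in pem_text.splitlines())

def hash_known_host(hostname: str, salt: bytes, key_fields: str) -> str:
    """Rewrite a clear-text entry into the '|1|salt|mac' form that `ssh-keygen -H`
    produces: mac = HMAC-SHA1(key=20-byte salt, msg=hostname)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"|1|{b64(salt)}|{b64(mac)} {key_fields}"

def hashed_entry_matches(entry: str, hostname: str) -> bool:
    """Lookup as ssh does it: recompute the HMAC under the stored salt. Reading
    the file yields salt and mac, not the hostname."""
    _, _, salt_b64, mac_b64 = entry.split()[0].split("|")
    mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1)
    return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))

def cleartext_hosts(known_hosts_text: str) -> list:
    """Host fields an intruder on this box can read directly."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # '@revoked' / '@cert-authority' markers push the host to field 2
        host = fields[1] if fields[0].startswith("@") else fields[0]
        if not host.startswith("|1|"):
            found.append(host)
    return found

# Constructed samples (placeholder key blob, made-up hosts) so this runs offline.
SALT = bytes(range(20))
KEY_FIELDS = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7placeholder"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# clear-text entry below names a pivot target to whoever reads the file",
    f"build.example.internal,10.0.0.5 {KEY_FIELDS}",
    hash_known_host("db.example.internal", SALT, KEY_FIELDS),
    f"@revoked oldhost.example.internal {KEY_FIELDS}",
])
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nbm90LWEta2V5\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "bm90LWEta2V5\n-----END RSA PRIVATE KEY-----\n")
```

    On real files, `HashKnownHosts yes` in ssh_config or a one-off `ssh-keygen -H` produces the hashed form, and `cleartext_hosts` on the result should come back empty.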


    #2
    Re: Linux servers under 'Phalanx' attack

    I read the same story. I'll wait to see what comes of it, especially after reading all the comments to that story. Thing is, they all were attacking Linux. Has nothing to do with Linux, but how security on those systems was set up. Oh well. Like I said, wait and see.
