Linux systems Under Siege from Phalanx2

The US Computer Emergency Readiness Team is warning that attacks against Linux systems with compromised SSH keys are taking place.

The attacks use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. A rootkit called Phalanx2 is then installed, which scans the system for more SSH keys. As each new SSH key is stolen, further machines become vulnerable to attack.

The CERT advisory doesn’t mention the flaw in the Debian random number generator, but that is the likely entry point for attack. The flaw caused SSL keys generated for more than a year to be so predictable that they could be guessed in a matter of hours. Debian reportedly fixed the flaw in May.

After a Linux server using a weak key is identified and rooted, it gives up the keys it uses to connect to other servers. If both the private and public parts of a key are present, attackers can potentially use it to access the servers that accept it. In addition, attackers can identify other servers that have recently connected to the infected machine, information that could enable further breaches.

Phalanx2 is the follow-on from a rootkit known as Phalanx. According to Packet Storm, Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets, and includes tools for sniffing a tty and connecting it to a backdoor. Phalanx2 has been updated to systematically steal SSH keys.

Happily, Phalanx2 is relatively easy to detect. One indicator is that typing “ls” at a command prompt fails to show the directory “/etc/khubd.p2/”. The “/dev/shm/” directory may also contain files used in the attack.
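The ls-based indicator above, as an added example that is not part of the article or the CERT advisory: a POSIX shell check that compares what the directory listing reports with whether the path exists on disk, and then lists anything sitting in /dev/shm. It assumes a stat-style existence test still reaches an entry that the listing omits; the function names are my own.

```shell
#!/bin/sh
# Added example: an entry that exists on disk but is missing from the
# directory listing is the hiding behaviour described in the article.

# list_dir DIR: print the names in DIR one per line, as ls reports them.
# Kept as a separate function so the listing source can be swapped.
list_dir() {
    ls -1a "$1" 2>/dev/null
}

# check_entry PARENT NAME: classify PARENT/NAME as
#   ABSENT  - does not exist (expected on a clean host)
#   PRESENT - exists and appears in the listing
#   HIDDEN  - exists on disk but the listing omits it (rootkit indicator)
# Assumption: the existence test is not filtered the way the listing is.
check_entry() {
    parent=$1
    name=$2
    if [ ! -e "$parent/$name" ]; then
        echo ABSENT
        return 0
    fi
    if list_dir "$parent" | grep -qxF -- "$name"; then
        echo PRESENT
    else
        echo HIDDEN
    fi
}

# scan_indicators: run the two checks named in the article and report.
# Exits non-zero when the khubd.p2 directory exists in any form or when
# regular files are found under /dev/shm.
scan_indicators() {
    rc=0
    state=$(check_entry /etc khubd.p2)
    echo "/etc/khubd.p2: $state"
    [ "$state" = ABSENT ] || rc=1
    # /dev/shm normally holds only shared-memory segments, so any regular
    # file there deserves a look.
    shm=$(find /dev/shm -type f 2>/dev/null || true)
    if [ -n "$shm" ]; then
        echo "/dev/shm contains files:"
        echo "$shm"
        rc=1
    fi
    return $rc
}
```

Run `scan_indicators` as root so the existence test is not blocked by permissions; a PRESENT or HIDDEN result for /etc/khubd.p2 both warrant a forensic look at the host.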

CERT advises that keys use strong passphrases or passwords to reduce the risk of a key being stolen.

“I’m still absolutely adamant this is a problem system administrators should have handled a long time ago,” said Bill Stearns, a security researcher and incident handler for the SANS Internet Storm Center. “It’s a really big issue. If they haven’t figured it out, someone will do it for them.”
