August 26th, 2008

Linux under attack: Compromised SSH keys lead to rootkit

Posted by Ryan Naraine @ 2:13 pm

Categories: Arbitrary Code Execution, Botnets, Complex Attacks, Data theft, Exploit code, Kernel-level Exploits, Locally Running Web Servers, Metasploit, Open source, Patch Watch, Pen testing, Research, Vulnerability research, Zero-day attacks

Tags: Linux, SSH, Attack, U.S. Computer Emergency Readiness Team, Rootkits, Security, Spyware, Adware & Malware, Ryan Naraine

The U.S. Computer Emergency Readiness Team (US-CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

From the advisory:

  • Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets, and includes a tty sniffer, a tty connect-back backdoor, and automatic injection on boot.

Details on the attacks — and targets — remain scarce, but it’s a safe bet this is linked to the Debian OpenSSL random number generator flaw that surfaced earlier this year: SSH keys generated on affected Debian-based systems were drawn from a small, enumerable keyspace, so a “stolen” key may simply have been a guessable one. A working exploit for that vulnerability is publicly available.

To mitigate the risk from this attack, US-CERT recommends:

  • Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
  • Encourage users to use keys with passphrases or passwords to reduce the risk if a key is compromised.
  • Review access paths to internet-facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends:

  • Disable key-based SSH authentication on the affected systems, where possible.
  • Perform an audit of all SSH keys on the affected systems.
  • Notify all key owners of the potential compromise of their keys.
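The two lists above amount to one procedure: find the keys used by automated processes (which typically have no passphrase) before an incident, and audit every key on a host after one. The script below is an added example and is not part of the post or of US-CERT's advisory. It walks a home-directory tree and flags two things: private keys stored without a passphrase (legacy PEM keys lacking the `Proc-Type: 4,ENCRYPTED` header, and keys in the newer `openssh-key-v1` layout whose cipher and KDF names are `none`), and `authorized_keys` entries that are not pinned with `from=` or `command=` options. The `from=`/`command=` check goes slightly beyond the advisory's wording: it is the usual way to limit what a passphrase-less automation key can do if it leaks. The directory layout, user names and all key material are constructed for the demo and are not usable keys.

```python
"""Audit per-user SSH keys for passphrase-less private keys and
unrestricted authorized_keys entries. Added example, not from the post
or the advisory. Assumptions: keys live under <root>/<user>/.ssh; legacy
PEM keys are encrypted only when they carry "Proc-Type: 4,ENCRYPTED";
openssh-key-v1 keys are unencrypted when cipher and KDF names are "none"."""
import base64
import re
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# authorized_keys line: [options] key-type base64-key [comment]. Options may
# contain quoted spaces, so match lazily up to the first key-type token.
AUTH_KEY_RE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?(?P<type>(?:ssh-|ecdsa-|sk-)\S+)\s+"
    r"(?P<key>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one wire-format string at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def key_is_encrypted(text: str) -> bool:
    """True if the private key text is passphrase-protected."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        return cipher != b"none" or kdf != b"none"
    return "Proc-Type: 4,ENCRYPTED" in text  # legacy PEM marks encryption here


def parse_authorized_keys(text: str):
    """Return (options, key_type, comment) for each key line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = AUTH_KEY_RE.match(line)
        if m and not line.startswith("#"):
            entries.append((m.group("opts") or "", m.group("type"), m.group("comment") or ""))
    return entries


def audit(root: Path) -> dict:
    """Walk <root>/<user>/.ssh and collect the keys to examine first."""
    findings = {"unencrypted_private_keys": [], "unrestricted_authorized_keys": []}
    for path in sorted(root.glob("*/.ssh/*")):
        rel, text = path.relative_to(root).as_posix(), path.read_text(errors="replace")
        if path.name == "authorized_keys":
            for opts, ktype, comment in parse_authorized_keys(text):
                # Not pinned to a source host or one command: a full login if leaked.
                if "from=" not in opts and "command=" not in opts:
                    findings["unrestricted_authorized_keys"].append((rel, ktype, comment))
        elif "PRIVATE KEY-----" in text and not key_is_encrypted(text):
            findings["unencrypted_private_keys"].append(rel)
    return findings


def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 header (magic, cipher, kdf) only; not a real key."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    b64 = base64.b64encode(blob + struct.pack(">I", 1)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed PEM placeholders; only the headers matter to key_is_encrypted.
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")


def build_sample_tree() -> Path:
    """Constructed /home-like tree: backup (unprotected, unrestricted key),
    deploy (key pinned by from=/command=), alice (passphrase-protected keys)."""
    root = Path(tempfile.mkdtemp(prefix="sshaudit-"))
    samples = {
        "backup/.ssh/id_rsa": PEM_PLAIN,
        "backup/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB backup@jobhost\n",
        "deploy/.ssh/id_ed25519": make_openssh_key(b"none", b"none"),
        "deploy/.ssh/authorized_keys": ('from="10.0.0.5",command="/usr/local/bin/deploy" '
                                        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI deploy@ci\n"),
        "alice/.ssh/id_ed25519": make_openssh_key(b"aes256-ctr", b"bcrypt"),
        "alice/.ssh/id_rsa_old": PEM_ENCRYPTED,
    }
    for rel, content in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root
```

Calling `audit(build_sample_tree())` reports `backup/.ssh/id_rsa` and `deploy/.ssh/id_ed25519` as passphrase-less, and only the backup account's `authorized_keys` entry as unrestricted; on a real host you would call `audit(Path("/home"))` (and look at `/root/.ssh` and service-account homes separately). The output is the inventory the advisory asks for: every flagged private key is a candidate for re-keying with a passphrase, and every unrestricted automation key is one to pin to its source host and command.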

* Image source: wili_hybrid’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

