Feeds

CERT: Linux servers under 'Phalanx' attack

Stolen keys unlock back door

Remote control for virtualized desktops

Attacks in the wild are under way against Linux systems with compromised SSH keys, the US Computer Emergency Readiness Team is warning.

The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. There's a viral aspect to this attack. As new SSH keys are stolen, new machines are potentially vulnerable to attack.

The CERT advisory makes no mention of the flaw in the Debian random number generator, but that's most likely the starting point for the attack. The flaw caused SSL keys generated for more than a year to be so predictable that they could be guessed in a matter of hours. Debian fixed the flaw in May.

Once a Linux server using a weak key is identified and rooted, it quickly gives up the keys it uses to connect to other servers. Even if these new keys aren't vulnerable to the Debian debacle, attackers can potentially use them to access the servers that use them if both the private and public parts of the key are included. Additionally, attackers can identify other servers that have connected to the infected machine recently, information that may enable additional breaches.

Phalanx2 is a derivative of a rootkit known as Phalanx. According to Packet Storm, Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a tty program and connecting to it with a backdoor. Phalanx2 is been updated to systematically steal SSH keys.

Fortunately, Phalanx2 is relatively easy to detect. One tell-tale sign: typing "ls" at a command prompt fails to show a directory "/etc/khubd.p2/" even though it can be accessed using the "cd" command. Additionally, the "/dev/shm/" directory may contain files used in the attack.

Several tools, including this one, can be used to sniff out vulnerable keys. CERT is also advising keys use strong passphrases or passwords to reduce the risk of a key is stolen.

"I'm still absolutely adamant this is a problem system administrators should have handled a long time ago," said Bill Stearns, a security researcher and incident handler for the SANS Internet Storm Center. "It's a really big issue. If they haven't figured it out, someone will do it for them." ®

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.