Topic: Phalanx2 Rooting Linux

Ehtyar

Phalanx2 Rooting Linux
« on: August 28, 2008, 05:33 PM »
Linux servers are increasingly under attack from the Phalanx2 trojan/rootkit thanks to the Debian OpenSSL flaw and other weak SSH keys. The trojan can then acquire root access to a machine by exploiting a weakness in unpatched kernels.

Once a Linux server using a weak key is identified and rooted, it quickly gives up the keys it uses to connect to other servers. Even if these new keys aren't vulnerable to the Debian debacle, attackers can potentially use them to access the servers that use them if both the private and public parts of the key are included. Additionally, attackers can identify other servers that have connected to the infected machine recently, information that may enable additional breaches.

Full Story

Ehtyar.

f0dder

Re: Phalanx2 Rooting Linux
« Reply #1 on: August 28, 2008, 06:02 PM »
Wonderful >_<
- carpe noctem

40hz

Re: Phalanx2 Rooting Linux
« Reply #2 on: August 28, 2008, 08:25 PM »
FYI: If you're worried, Phalanx2 is easily detectable with utilities available for download such as chkrootkit and rkhunter. If they're not on your Linux box - they should be. 8)

rkhunter can be found at http://www.rootkit.n.../rootkit_hunter.html

chkrootkit can be found at www.chkrootkit.org

<<Edit-added this>> An argument can (and has) been made that this problem is largely the fault of Sysadmins getting sloppy with the use of SSH (i.e. accessing root with weak or passphraseless keys), or their using weak passphrases when SSH keys are being generated. While this may be true, I think the Linux community would be doing itself a major disservice to accept that argument.

One rule I learned when I was taking a system design course was this:

"If something always has to be done a certain way, then it shouldn't be necessary for somebody to do it at all. Automate it."

So if the obvious security problems are caused by people making mistakes, add in procedures and code to not allow them to make those mistakes. Or at least make it a lot more difficult to do so.  :)

« Last Edit: August 28, 2008, 08:47 PM by 40hz »
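One way to automate the checks 40hz describes, as an added example that is not code from the thread: a Python audit that flags `PermitRootLogin yes`, password authentication, keys that authorize direct root login, and keys whose fingerprint is on a weak-key blacklist. The blacklist set, key blobs and sshd_config excerpt are constructed placeholders; a real run would load the published Debian weak-key fingerprints and read the host's files.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (type, blob, comment) per key line; options, comments and blanks are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                yield field, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(sshd_config, authorized_keys, weak_fingerprints):
    """Findings for one host from its sshd_config text, {user: authorized_keys text}
    and a set of known-weak fingerprints. First occurrence of a setting wins, as in sshd."""
    findings, settings = [], {}
    for line in sshd_config.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            settings.setdefault(fields[0].lower(), fields[1].lower())
    if settings.get("permitrootlogin") == "yes":
        findings.append("sshd_config: PermitRootLogin yes permits direct root login")
    if settings.get("passwordauthentication", "yes") == "yes":  # sshd default is yes
        findings.append("sshd_config: PasswordAuthentication yes (default) allows password guessing")
    for user, text in authorized_keys.items():
        for ktype, blob, comment in parse_authorized_keys(text):
            fp = fingerprint(blob)
            if fp in weak_fingerprints:
                findings.append(f"{user}: blacklisted weak {ktype} key {fp} ({comment})")
            if user == "root":  # flagged even if root login is off: the setting can change
                findings.append(f"root: authorized key {fp} grants direct root access ({comment})")
    return findings

# Constructed sample data (not real keys): one blob stands in for a blacklisted key.
WEAK_BLOB = base64.b64encode(b"constructed weak key blob").decode()
GOOD_BLOB = base64.b64encode(b"constructed acceptable key blob").decode()
WEAK_FINGERPRINTS = {fingerprint(WEAK_BLOB)}
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
SAMPLE_KEYS = {"root": f'from="10.0.0.5" ssh-ed25519 {WEAK_BLOB} backup@host\nssh-rsa {GOOD_BLOB} ops@host\n',
               "deploy": f"# CI key\n\nssh-rsa {GOOD_BLOB} ci@host\n"}

def sample_findings():
    return audit(SAMPLE_SSHD_CONFIG, SAMPLE_KEYS, WEAK_FINGERPRINTS)
```

Run `sample_findings()` to see the five findings the constructed host produces; a clean host (root login off, passwords off, no root keys, no blacklisted keys) returns an empty list.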

Ehtyar

Re: Phalanx2 Rooting Linux
« Reply #3 on: August 28, 2008, 08:31 PM »
Very good advice, thank you 40hz.

Ehtyar.