Phalanx2 Rooting Linux

Ehtyar:
Linux servers are increasingly under attack from the Phalanx2 trojan/rootkit thanks to the Debian OpenSSL flaw and other weak SSH keys. The trojan can then acquire root access to a machine by exploiting a weakness in unpatched kernels.

Once a Linux server using a weak key is identified and rooted, it quickly gives up the keys it uses to connect to other servers. Even if these new keys aren't vulnerable to the Debian debacle, attackers can potentially use them to access the servers that use them if both the private and public parts of the key are included. Additionally, attackers can identify other servers that have connected to the infected machine recently, information that may enable additional breaches.

--- End quote ---

Full Story

Ehtyar.

f0dder:
Wonderful >_<

40hz:
FYI: If you're worried, Phalanx2 is easily detectable with utilities available for download such as chkrootkit and rkhunter. If they're not on your Linux box - they should be. 8)

rkhunter can be found at http://www.rootkit.nl/projects/rootkit_hunter.html

chkrootkit can be found at www.chkrootkit.org

<<Edit-added this>> An argument can be (and has been) made that this problem is largely the fault of sysadmins getting sloppy with the use of SSH (i.e. accessing root with weak or passphraseless keys), or their using weak passphrases when SSH keys are being generated. While this may be true, I think the Linux community would be doing itself a major disservice to accept that argument.

One rule I learned when I was taking a system design course was this:

"If something always has to be done a certain way, then it shouldn't be necessary for somebody to do it at all. Automate it."

So if the obvious security problems are caused by people making mistakes, add in procedures and code to not allow them to make those mistakes. Or at least make it a lot more difficult to do so.  :)
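
One way to automate the check discussed above, as an added example that is not part of the original thread: a Python audit that walks a directory and reports private keys stored without a passphrase, covering traditional PEM, PKCS#8 and OpenSSH-format key files. The names `key_protection`, `audit`, `openssh_stub`, `demo` and `SAMPLES` are hypothetical, and the sample files are constructed stubs, not real keys.

```python
import base64, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # prefix of a decoded OpenSSH-format private key

def key_protection(text):
    """Return 'encrypted', 'unencrypted', or None when text is not a private key."""
    lines = [l.strip() for l in text.strip().splitlines()] or [""]
    if not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8 with passphrase
        return "encrypted"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        if not blob.startswith(MAGIC):
            return None
        # After the magic comes a length-prefixed cipher name; "none" = no passphrase.
        n = int.from_bytes(blob[15:19], "big")
        return "unencrypted" if blob[19:19 + n] == b"none" else "encrypted"
    # Traditional PEM (RSA/DSA/EC): a passphrase adds a Proc-Type header.
    enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:3])
    return "encrypted" if enc else "unencrypted"

def audit(root):
    """Return names of files under root holding a private key with no passphrase."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.stat().st_size < 65536)
    return sorted(p.name for p in files
                  if key_protection(p.read_text(errors="ignore")) == "unencrypted")

def openssh_stub(cipher):  # constructed header only, carries no key material
    body = base64.b64encode(MAGIC + len(cipher).to_bytes(4, "big") + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLES = {  # constructed files, not real keys
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "id_dsa": "-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END DSA PRIVATE KEY-----\n",
    "id_ed25519": openssh_stub(b"none"),
    "id_ecdsa": openssh_stub(b"aes256-ctr"),
    "id_rsa.pub": "ssh-rsa QUJD constructed@example\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            (Path(d) / name).write_text(text)
        return audit(d)
```

Pointing `audit()` at a home or `.ssh` directory from a scheduled job turns the "don't leave passphraseless keys on servers" rule into something enforced rather than remembered.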

Ehtyar:
Very good advice, thank you 40hz.

Ehtyar.
