Linux under attack: Compromised SSH keys lead to rootkit

Posted by Ryan Naraine @ 2:13 pm

Categories: Patch Watch, Zero-day attacks, Vulnerability research, Botnets, Exploit code, Data theft, Open source, Pen testing, Metasploit, Arbitrary Code Execution, Kernel-level Exploits, Locally Running Web Servers, Complex Attacks, Research

Tags: Linux, SSH, Attack, U.S. Computer Emergency Readiness Team, Rootkits, Security, Spyware, Adware & Malware, Ryan Naraine

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls ¡Èactive attacks¡É against Linux-based computing infrastructures using compromised SSH keys.

• Phalanx2 appears to be a derivative of an older rootkit named ¡Èphalanx¡É. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

• Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
• Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
• Review access paths to internet facing systems and ensure that systems are fully patched.

• Disable key-based SSH authentication on the affected systems, where possible.
• Perform an audit of all SSH keys on the affected systems.
• Notify all key owners of the potential compromise of their keys.