Slashdot Mirror


Compromised SSH Keys Lead To Linux Rootkit Attack

Tech Groupie writes "The US Computer Emergency Readiness Team (CERT) has issued a warning for what it calls 'active attacks' against Linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as 'phalanx2' is installed."

8 of 79 comments

  1. How is this news? by Shade of Pyrrhus · Score: 4, Insightful

    The attack appears to initially use stolen SSH keys to gain access to a system

    Ok...so if you get the key to a machine you can get in and abuse an old vulnerability, assuming the machine is unpatched. The rootkit that they discuss is from 2005, so where's the news here? Be careful about your SSH keys and passwords?

    Seriously, if there's more to this I'd like to know. The article hardly has more information than the summary.

    1. Re:How is this news? by Goaway · Score: 4, Insightful

      The news is that this is probably fallout from the Debian OpenSSL fiasco, and that people should take it seriously pretty damn quick and get their keys changed.

    2. Re:How is this news? by Anonymous Coward · Score: 1, Insightful

      *I* don't have evidence for this, but the weak version wasn't just weak but RIDICULOUSLY weak -- 65536 keys. An exhaustive scan can be done against these!

    3. Re:How is this news? by mvdwege · Score: 2, Insightful

      So you don't have any evidence. The quote you give is as much speculation as your original post.

      Mart

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
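
The weak-key discussion in the replies above (keys that should be changed, and a key space small enough to scan exhaustively) invites a concrete check on the defending side. The Python script below is an added example, not code from the article or from any of the posters: it parses an authorized_keys file, computes each key's SHA256 fingerprint in the unpadded base64 form that `ssh-keygen -lf` prints, compares it against a blacklist of known-bad fingerprints, and flags RSA keys whose modulus is below a size threshold. The blacklist entry, the 2048-bit threshold and every key line are constructed for the demo; the real Debian weak-key list is not included.

```python
"""Audit an OpenSSH authorized_keys file for blacklisted and undersized keys.

Added example for the weak-key discussion in this thread; not code from the
article or from any poster. The blacklist entry, size threshold and every key
below are constructed for the demo, not the real Debian weak-key list.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 2048   # policy threshold assumed for this example


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length prefix) from blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _encode_string(data):
    return struct.pack(">I", len(data)) + data


def _encode_mpint(value):
    """Encode a positive integer as an SSH mpint (big-endian, sign bit clear)."""
    return _encode_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_rsa_key_line(e, n, comment):
    """Build an authorized_keys line for an ssh-rsa key (constructed test data)."""
    blob = _encode_string(b"ssh-rsa") + _encode_mpint(e) + _encode_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(blob):
    """SHA256 fingerprint in the unpadded base64 form ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line):
    """Return (key_type, blob, rsa_modulus_bits or None) for one key line.

    Options such as from="..." may precede the key; the first token that is a
    known key type marks where the key itself starts.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            wire_type, off = _read_string(blob, 0)
            if wire_type != tok.encode():
                raise ValueError("key type in blob does not match prefix")
            bits = None
            if tok == "ssh-rsa":
                _, off = _read_string(blob, off)          # public exponent e
                n_bytes, _ = _read_string(blob, off)      # modulus n
                bits = int.from_bytes(n_bytes, "big").bit_length()
            return tok, blob, bits
    raise ValueError("no public key found on line")


# One constructed "known compromised" key stands in for a vendor blacklist entry.
_LEAKED_LINE = make_rsa_key_line(65537, (1 << 2047) + 12345, "leaked@example")
BLACKLIST = {fingerprint(parse_key_line(_LEAKED_LINE)[1])}


def audit_authorized_keys(text):
    """Return [(line_no, verdict, fingerprint)] for every key line in text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ktype, blob, bits = parse_key_line(line)
        except (ValueError, IndexError, struct.error):
            findings.append((no, "unparseable", None))
            continue
        fp = fingerprint(blob)
        if fp in BLACKLIST:
            verdict = "BLACKLISTED: revoke and replace"
        elif ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
            verdict = f"WEAK: {bits}-bit RSA"
        else:
            verdict = "ok"
        findings.append((no, verdict, fp))
    return findings


# Constructed sample file: a leaked key, a 1024-bit key, a VPN-restricted key
# and an ed25519 key whose 32 bytes are dummy data.
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    _LEAKED_LINE,
    make_rsa_key_line(65537, (1 << 1023) + 777, "old-1024@example"),
    'from="10.8.0.0/24" ' + make_rsa_key_line(65537, (1 << 2047) + 999, "vpn-only@example"),
    "ssh-ed25519 " + base64.b64encode(
        _encode_string(b"ssh-ed25519") + _encode_string(b"\x01" * 32)).decode() + " ed@example",
])

if __name__ == "__main__":
    for no, verdict, fp in audit_authorized_keys(SAMPLE):
        print(f"line {no}: {verdict}  {fp}")
```

Run it on a real file with `audit_authorized_keys(open(path).read())`. Fingerprint matching is the right primitive for this kind of incident: a leaked or predictably generated key is identified by its fingerprint regardless of the comment or options on the line, which is also how Debian and Ubuntu's `ssh-vulnkey` checked keys against the distributed weak-key blacklist.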

  2. Re:Oh noes!!1! by MMC Monster · Score: 2, Insightful

    How does the worm know what username to try to break into prior to escalating to 'root'?

    --
    Help! I'm a slashdot refugee.

  3. Re:and by RiotingPacifist · Score: 2, Insightful

    However abstinence is 90% less fun - source

    not that this has anything to do with the topic but 70-85% indicates they are doing it wrong, with proper usage, assuming that you get actual sex education not abstinence bullshit, that figure should be up to 90-95%

    --
    IranAir Flight 655 never forget!

  4. Re:This just in: by cduffy · Score: 2, Insightful

    The point is "defense in depth".

    If you don't accept SSH connections that aren't coming over your trusted, separately-keyed VPN, for instance, this is pretty moot.

    If you've disabled loadable modules, remounted your root filesystem read-only and dropped capabilities to remount read-write (and otherwise hardened against rootkits), this can be pretty moot on that account too.

    If you aren't doing those things, maybe you should think about it.

  5. Re:and by cbiltcliffe · Score: 2, Insightful

    SSH is not available remotely on any of my servers. The only way to access SSH is to VPN in, using OpenVPN.
    All SSH traffic is blocked at the firewall.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
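
cduffy's post lists three controls and cbiltcliffe's post describes the first of them in practice: sshd reachable only over a VPN, loadable kernel modules disabled, and a read-only root filesystem. The script below is an added example, not code from the article or from either poster, that audits a host for those three settings from the text of sshd_config, /proc/mounts and /proc/sys/kernel/modules_disabled. The VPN range 10.8.0.0/24 and the two sample configurations are assumptions constructed for the demo; the capability drop cduffy also mentions (so that root cannot remount read-write) is outside what this check covers.

```python
"""Check a host for three controls from this thread: sshd only on the VPN,
loadable modules disabled, and a read-only root filesystem.

Added example, not from the article or the posters. It works from the text of
sshd_config, /proc/mounts and /proc/sys/kernel/modules_disabled so it runs on
the constructed samples below or, given the real files, on a Linux host.
Dropping CAP_SYS_ADMIN so root cannot remount is not checked here.
"""
import ipaddress

VPN_SUBNETS = [ipaddress.ip_network("10.8.0.0/24")]   # assumed VPN address range


def parse_listen_addresses(sshd_config):
    """Return the hosts of all ListenAddress directives, or the all-interfaces
    default when none is set. Accepts addr, addr:port and [v6addr]:port."""
    addrs = []
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config allows "Key value" or "Key=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].strip()
        if value.startswith("["):
            host = value[1:value.index("]")]
        elif value.count(":") == 1:
            host = value.rsplit(":", 1)[0]
        else:
            host = value
        addrs.append(host)
    return addrs or ["0.0.0.0"]


def root_is_readonly(proc_mounts):
    """True when the '/' entry in /proc/mounts carries the ro option."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return "ro" in fields[3].split(",")
    return False


def check_hardening(sshd_config, proc_mounts, modules_disabled):
    """Return a list of findings; an empty list means all three controls hold."""
    findings = []
    for addr in parse_listen_addresses(sshd_config):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"ListenAddress {addr!r} is a hostname; resolve it and re-check")
            continue
        if not any(ip in net for net in VPN_SUBNETS):
            findings.append(f"sshd listens on {addr}, outside the VPN range")
    if not root_is_readonly(proc_mounts):
        findings.append("root filesystem is mounted read-write")
    if modules_disabled.strip() != "1":
        findings.append("kernel.modules_disabled is not 1; modules can still be loaded")
    return findings


# Constructed samples: a stock host and a hardened one.
STOCK_SSHD = "Port 22\n#ListenAddress 0.0.0.0\nPermitRootLogin no\n"
STOCK_MOUNTS = "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\nproc /proc proc rw,nosuid 0 0\n"
HARDENED_SSHD = "ListenAddress 10.8.0.1:22\nPermitRootLogin no\n"
HARDENED_MOUNTS = "/dev/sda1 / ext4 ro,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid 0 0\n"

if __name__ == "__main__":
    for name, args in (("stock", (STOCK_SSHD, STOCK_MOUNTS, "0")),
                       ("hardened", (HARDENED_SSHD, HARDENED_MOUNTS, "1"))):
        found = check_hardening(*args)
        print(f"{name}: {found or ['all three controls in place']}")
```

On a live host, pass the contents of /etc/ssh/sshd_config, /proc/mounts and /proc/sys/kernel/modules_disabled to `check_hardening`. Binding sshd to the VPN address is only one half of cbiltcliffe's setup; the firewall rule that drops port 22 on the public interface is the other half and is not visible in sshd_config, so an empty findings list here does not by itself prove the service is unreachable from outside the VPN.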