Slashdot Mirror

← Back to Stories (view on slashdot.org)

Compromised SSH Keys Lead To Linux Rootkit Attack

Posted by timothy on from the bad-childhoods-keep-on-giving dept.

Tech Groupie writes "The US Computer Emergency Readiness Team (CERT) has issued a warning for what it calls 'active attacks' against Linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as 'phalanx2' is installed."

3 of 79 comments (clear)

  1. Debian compromise: probably related... by daveewart · · Score: 5, Interesting

    Even the openssh guys don't seem interested in including blacklist support for probably-compromised keys: see https://bugzilla.mindrot.org/show_bug.cgi?id=1469

    This means that, since the compromise arose, Debian and Ubuntu distros are safe once patched with the blacklist code. However, for keys generated on Debian/Ubuntu but uploaded to non-Debian/Ubuntu servers, those non-Debian/Ubuntu servers will still be vulnerable unless manually checked. This means: OpenBSD servers, Fedora servers etc.

    Have any distros apart from Debian/Ubuntu provided blacklist-like tools for this issue? Any of the *BSDs?

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
    1. Re:Debian compromise: probably related... by daveewart · · Score: 2, Interesting

      "OpenSSH now has a blacklist feature for weak Debian-generated ssh keys." From: http://www.dragonflybsd.org/community/release2_0.shtml Please do just a LITTLE bit of research before posting.

      Please do some research before telling someone else to do research before posting.

      DragonflyBSD is a fork of FreeBSD and not exactly mainstream so you can hardly accuse me of not being aware of what it said. Further, apart from that remark on the page you linked-to claiming that "OpenSSH contains a blacklist feature", there's nothing to suggest that OpenSSH itself actually contains any such blacklist management.

      My research: There's nothing in the OpenSSH ChangeLog at ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/ChangeLog which mentions blacklisting and there's nothing in the source tarball either. I've looked (both the core distribution and the portable version).

      It may be that DragonflyBSD includes blacklist management, but if so, they didn't get it from OpenSSH.

      I raised the bug https://bugzilla.mindrot.org/show_bug.cgi?id=1469 because I thought that such a feature should be included. If the OpenSSH developers were interested in supporting this, I'm sure they'd have (a) commented on the bug and (b) written the code or used some of the contributed code. They may well have good reasons for not including this, but they haven't commented either way.

      --
      "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  2. Re:Oh noes!!1! by RiotingPacifist · · Score: 3, Interesting

    so in an ironic twist people using debian are in the safest position.

    --
    IranAir Flight 655 never forget!