[Rkhunter-users] US-CERT: Active attacks using stolen SSH keys (Phalanx2 rootkit)
From: <un...@hu...> - 2008-08-27 22:26:16
Hello all,

For those that didn't pick this up already, US-CERT reported yesterday:

"US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed."

Full text is at http://www.us-cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attacks

We added Phalanx to Rootkit Hunter (RKH) back in 2006; RKH has done /dev/shm checks for some time now and utilises 'unhide' where possible for hidden process checks. Today RKH CVS sees Phalanx2 added to the rootkit files and directories, cd'ing into directories and inode tests.

Please see the updated RKH CVS tarball at http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz

Regards,
the RKH dev team
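The post mentions RKH's hidden process checks via 'unhide'. The following is an added example, written from scratch for this page and not RKH's or unhide's own code, of the brute-force technique behind such a check: every PID up to the kernel's ceiling is probed with kill(pid, 0) and the result compared with what readdir() on /proc lists. It assumes Linux with /proc mounted; the function and file names are this example's own.

```python
# Brute-force hidden-process check in the style of unhide, written from scratch
# as an added example (not Rootkit Hunter's or unhide's code). Linux only.
import os

def is_alive(pid):
    # kill(pid, 0) delivers no signal but reports whether the PID exists:
    # ESRCH means no such process, EPERM means it exists but is not ours.
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def pids_from_proc():
    # What readdir() on /proc shows; a rootkit hooking the listing filters here.
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pids_from_probe(limit=None):
    # Probe every PID up to the kernel's ceiling instead of trusting readdir().
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    return {pid for pid in range(1, limit) if is_alive(pid)}

def hidden_pids(limit=None):
    # A PID that answers the probe but is missing from the listing is the
    # signature of a /proc-hiding rootkit. Filtered out as benign: processes
    # that exited between the two scans, and thread IDs (kill() accepts them,
    # readdir() never lists them; their Tgid is the owning PID). Caveat: with
    # /proc mounted hidepid=2, an unprivileged run also flags other users' PIDs.
    confirmed = set()
    for pid in pids_from_probe(limit) - pids_from_proc():
        if not is_alive(pid):
            continue  # exited between the two scans
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next(int(s.split()[1]) for s in f if s.startswith("Tgid:"))
        except (OSError, StopIteration):
            confirmed.add(pid)  # fully hidden: not even its status is readable
            continue
        if tgid == pid:
            confirmed.add(pid)  # a real process hidden only from the listing
    return confirmed

def self_check():
    # Sanity check: our own PID must appear in both views and never be hidden.
    me = os.getpid()
    return me in pids_from_proc() and me in pids_from_probe(me + 1) and me not in hidden_pids(me + 1)
```

Run it as root to get a complete view; any PID returned by hidden_pids() deserves a look with a second, independent tool before concluding anything.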