phalanx2 - Security


Thread: phalanx2

  1. phalanx2


    Anyone see this yet? I'd like to get hold of a copy. There seems to be
    a new version.

    http://isc.sans.org/diary.html?storyid=4937

    "The US-CERT is reporting that there are active attacks against Linux
    environments using stolen SSH keys. There is a new rootkit out,
    Phalanx2, which is dropped by attackers and which, among the usual rootkit
    tasks, steals any SSH key on a system. The attackers then, presumably,
    use those stolen keys (the ones without passwords/passphrases at
    least) to get into other machines." ...


    Someone who got broken into. Oddly enough, on the machine now hosting
    this report:

    http://hep.uchicago.edu/admin/report_072808.html



    --
    Protect? [** America, The Police State **] Serve?
    http://www.hermes-press.com/police_state.htm
    http://www.theregister.co.uk/2008/01..._nsa_internal/
    http://www.privacyinternational.org/...D=x-347-559597
    http://www.homelandstupidity.us/2008...ir-passengers/
    http://www.presstv.ir/detail.aspx?id...tionid=3510203
    Teen Tazered 19 times: http://www.ky3.com/news/local/26158674.html
    Guns For TX Teachers: http://news.bbc.co.uk/1/hi/world/americas/7564654.stm
    Castration Punishment: http://www.foxnews.com/story/0,2933,348171,00.html

  2. Re: phalanx2

    On Wed, 27 Aug 2008 07:42:09 -0400, jayjwa wrote:
    > Anyone see this yet? I'd like to get hold of a copy. There seems to be
    > a new version.


    A couple of months ago I encountered a machine infected by the
    phalanx2 rootkit, which chkrootkit failed to detect. As a result, I
    wrote my own /proc file system checker that phalanx2 was unable to hide
    from. The script is available from
    . It should be able to sniff
    out similar rootkits.

    # ./chkproc2.sl -q
    WARNING: pid 2375 exists, but chdir /proc/2375 fails
    WARNING: /proc/2375 needs gid=56564 for access
    2375:/etc/lolzz.p2/.phalanx2

    --John
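The check John describes above, as an added example that is not his chkproc2.sl script and not part of the original thread: a rootkit that filters the directory listing of /proc so that a PID never shows up in `ls /proc` (or in chkrootkit's scan) usually cannot also erase every other way of reaching that PID. `kill(pid, 0)` still tells you whether the kernel knows the PID, and /proc/<pid> may still be reachable by exact path even though it is not listed. The script lists /proc, then walks 1..pid_max asking the kernel about every PID that was not listed, and prints the same three facts John's output shows for each one (whether chdir into /proc/<pid> works, which gid owns that directory, and which binary the process runs). Function names and the sample PID sets are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Cross-check /proc for process IDs hidden from a directory listing.

Added example (not the chkproc2.sl script from the thread).  A rootkit that
filters readdir() on /proc cannot easily also hide from kill(pid, 0), so we
compare "what the listing shows" with "what the kernel admits exists".
"""
import errno
import os
import re
from typing import Callable, Dict, List, Optional, Set


def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs as a readdir() of /proc shows them: the view a rootkit filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Ask the kernel whether `pid` exists without touching /proc.

    Signal 0 is never delivered.  EPERM means the process exists but belongs to
    someone else; ESRCH means there is no such process.
    """
    try:
        os.kill(pid, 0)
    except OSError as e:
        return e.errno == errno.EPERM
    return True


def tgid_of(pid: int, proc: str = "/proc") -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read.

    Thread ids also answer kill(tid, 0) and are also absent from the /proc
    listing, so without this check every multithreaded program would look
    like a hidden process.
    """
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            m = re.search(r"^Tgid:\s+(\d+)", f.read(), re.M)
    except OSError:
        return None
    return int(m.group(1)) if m else None


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID scan; falls back to the classic 16-bit default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def find_hidden_pids(listed: Set[int], exists: Callable[[int], bool],
                     tgid: Callable[[int], Optional[int]], pid_max: int) -> List[int]:
    """PIDs that exist but are missing from `listed`, excluding plain threads.

    `exists` and `tgid` are injected so the logic can run on constructed data
    as well as on the live kernel.  A PID whose status file cannot be read at
    all (tgid None) stays on the list: a rootkit that blocks the /proc/<pid>
    path is exactly what we are looking for.
    """
    hidden = []
    for pid in range(1, pid_max + 1):
        if pid in listed or not exists(pid):
            continue
        t = tgid(pid)
        if t is not None and t != pid:
            continue  # a thread of a listed process, not a hidden process
        hidden.append(pid)
    return hidden


def describe_pid(pid: int, proc: str = "/proc") -> Dict[str, str]:
    """Report by exact path what the listing would not show about `pid`."""
    d = os.path.join(proc, str(pid))
    info: Dict[str, str] = {}
    try:
        info["gid"] = str(os.stat(d).st_gid)  # group that owns /proc/<pid>
    except OSError as e:
        info["gid"] = f"stat fails: {e.strerror}"
    cwd = os.getcwd()
    try:
        os.chdir(d)
        info["chdir"] = "ok"
    except OSError as e:
        info["chdir"] = f"fails: {e.strerror}"
    finally:
        os.chdir(cwd)
    try:
        info["exe"] = os.readlink(os.path.join(d, "exe"))  # binary it runs
    except OSError as e:
        info["exe"] = f"unreadable: {e.strerror}"
    return info


def main() -> None:
    hidden = find_hidden_pids(listed_pids(), pid_exists, tgid_of, read_pid_max())
    for pid in hidden:
        i = describe_pid(pid)
        print(f"WARNING: pid {pid} exists but is not in the /proc listing")
        print(f"  chdir /proc/{pid} {i['chdir']}; dir gid={i['gid']}; exe={i['exe']}")
    if not hidden:
        print("no unlisted PIDs found")


if __name__ == "__main__":
    main()
```

Run it as root, since as an ordinary user `/proc/<pid>/exe` of other users' processes is unreadable anyway. Two sources of false positives to keep in mind: a /proc mounted with `hidepid=2` hides other users' PIDs from the listing and returns EPERM on `kill`, which looks exactly like a rootkit to this check, and a process that starts between the listing and the probe will show up once; a hidden PID that is reported on every run, especially one whose `chdir` fails while `kill` succeeds, is the pattern in John's output.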
