#1
|
Anyone see this yet? I'd like to get hold of a copy. There seems to be a new version.

http://isc.sans.org/diary.html?storyid=4937

"The US-CERT is reporting that there is active attacks against Linux environments using stolen SSH keys. There is a new rootkit out, Phalanx2 which is dropped by attackers which, among the usual rootkit tasks, steal any SSH key on a system. The attackers then, presumably, use those stolen keys (the ones without passwords/passphrases at least) to get into other machines."

...

Someone that got broken into. Oddly enough, on the machine now hosting this report:
http://hep.uchicago.edu/admin/report_072808.html

--
Protect? [** America, The Police State **] Serve?
http://www.hermes-press.com/police_state.htm
http://www.theregister.co.uk/2008/01..._nsa_internal/
http://www.privacyinternational.org/...D=x-347-559597
http://www.homelandstupidity.us/2008...ir-passengers/
http://www.presstv.ir/detail.aspx?id...tionid=3510203
Teen Tazered 19 times: http://www.ky3.com/news/local/26158674.html
Guns For TX Teachers: http://news.bbc.co.uk/1/hi/world/americas/7564654.stm
Castration Punishment: http://www.foxnews.com/story/0,2933,348171,00.html
|
#2
|
On Wed, 27 Aug 2008 07:42:09 -0400, jayjwa wrote:
> Anyone see this yet? I'd like to get hold of a copy. There seems to be
> a new version.

A couple of months ago I encountered a machine infected by the phalanx2 rootkit, which chkrootkit failed to detect. As a result, I wrote my own /proc file system checker that phalanx2 was unable to hide from. The script is available from out similar rootkits.

    # ./chkproc2.sl -q
    WARNING: pid 2375 exists, but chdir /proc/2375 fails
    WARNING: /proc/2375 needs gid=56564 for access
    2375:/etc/lolzz.p2/.phalanx2

--John
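The kind of check the post above describes (a pid that exists but whose /proc directory cannot be entered), written out as an added example; it is not the chkproc2.sl script and not code from this thread. It assumes `kill(pid, 0)` as the independent existence probe, since the post does not say how the script decides that a pid exists, and the function names are hypothetical.

```python
import os

def pid_alive(pid):
    """Ask the kernel directly (signal 0 delivers nothing) whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass                      # exists, but is owned by another user
    return True

def can_enter(pid, proc="/proc"):
    """The chdir test from the post; the working directory is restored."""
    here = os.getcwd()
    try:
        os.chdir(os.path.join(proc, str(pid)))
        return True
    except OSError:
        return False
    finally:
        os.chdir(here)

def pid_max(path="/proc/sys/kernel/pid_max"):
    try:
        with open(path) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768              # common Linux default, used as a fallback

def find_hidden(pids, alive=pid_alive, enter=can_enter):
    """Return pids that exist but whose /proc entry cannot be entered."""
    hidden = []
    for pid in pids:
        # Re-check liveness after the failed chdir so that a process which
        # simply exited in between is not reported.
        if alive(pid) and not enter(pid) and alive(pid):
            hidden.append(pid)
    return hidden

if __name__ == "__main__":
    # Walk the whole pid space instead of trusting the /proc directory listing.
    for pid in find_hidden(range(1, pid_max() + 1)):
        print(f"WARNING: pid {pid} exists, but chdir /proc/{pid} fails")
```

Run it as root on a /proc mounted without `hidepid`; otherwise other users' entries fail the chdir test for ordinary permission reasons. A hit is a lead for offline inspection from trusted media, not proof of a rootkit.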