#1
The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

So what is being done to thwart this?

--
Blattus Slafaly ? 3 7/8

#2
On Wed, 27 Aug 2008 13:13:29 -0400, Blattus Slafaly typed this message:

> The U.S. Computer Emergency Readiness Team (CERT) has issued a warning
> for what it calls “active attacks” against Linux-based computing
> infrastructures using compromised SSH keys.
>
> The attack appears to initially use stolen SSH keys to gain access to a
> system, and then uses local kernel exploits to gain root access. Once
> root access has been obtained, a rootkit known as “phalanx2” is
> installed, US-CERT said in a note on its current activity site.
>
> So what is being done to thwart this?

Are you running updated chkrootkit? Is this the list of compromised keys from Fedora Project?

#3
* Moe Trin wrote in alt.os.linux.suse:

> According to a post to the Usenet newsgroup 'comp.os.linux.security'
> yesterday, John E. Davis (author of slang, slsh, and the slrn news tool)
> stated that chkrootkit didn't detect this root kit (surprise, surprise).
> That post included a URL to a script he created that was able to detect
> the 'phalanx2' rootkit. He's using a somewhat different technique from
> the hints mentioned by CERT/
>

FYI: Message-ID:

--
David