Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 27th, 2008

CERT Warns About Phalanx Attacks Against Linux Servers

The US Computer Emergency Readiness Team (US-CERT) is warning about attacks in the wild against Linux systems that use compromised SSH keys. The attackers log in with stolen SSH keys, then escalate to root by exploiting local kernel vulnerabilities. Once root, they install a rootkit known as Phalanx2, which scours the newly infected system for further SSH keys. Each stolen key potentially opens another machine, so the compromise spreads from server to server.

The US-CERT advisory makes no mention of the flaw in the Debian OpenSSL random number generator (CVE-2008-0166), but that is most likely the starting point for the attack. Because OpenSSH draws its randomness from OpenSSL, the flaw affected SSH keys as well as SSL keys: any key generated on an affected Debian or Debian-derived system between September 2006 and May 2008 came from a keyspace of only a few tens of thousands of candidates, so an attacker can precompute them all and find the one a server accepts in a matter of hours. Debian fixed the flaw in May 2008, but fixing the package does not replace keys already generated, and any weak key still listed in an authorized_keys file remains an open door.

Once a Linux server using a weak key is identified and rooted, it quickly gives up the keys it uses to connect to other servers. Even if those keys are not themselves affected by the Debian bug, an attacker holding an unencrypted private key can authenticate to every server whose authorized_keys file trusts it; the public half need not be stolen separately, since it can be derived from the private key. The compromised machine also records which servers it has recently talked to, in its known_hosts files, shell histories and authentication logs, and that tells the attacker where to try the stolen keys next.

Phalanx2 appears to be an offshoot of an older rootkit named “phalanx”. Phalanx2 and the support scripts bundled with it are configured to systematically harvest SSH keys from the compromised system. The keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Fortunately, Phalanx2 is relatively easy to detect. One tell-tale sign: typing “ls” at a command prompt fails to show the directory “/etc/khubd.p2/”, even though it can be entered with the “cd” command, which suggests that the rootkit filters directory listings but not the underlying chdir() call. Additionally, the “/dev/shm/” directory may contain files used in the attack. Treat both as indicators to be confirmed from trusted media: a rootkit that can hide a directory from “ls” can lie to any other tool that runs on the infected system.
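The two indicators above, written up as a small triage script. This is an added example for this page, not US-CERT's tooling or anything from the rootkit write-ups: the paths /etc/khubd.p2 and /dev/shm come from the advisory, while the function names, the three-state output and the “ls versus cd” comparison being applied to an arbitrary path are this example's own choices.

```shell
#!/bin/sh
# Phalanx2 triage (added example, not US-CERT's script). Run it as root on the
# suspect host, then repeat the check from clean media: a rootkit that filters
# "ls" output can just as well filter any tool running on the live system.

# dir_visibility DIR -> prints one word:
#   absent  : DIR cannot be entered (does not exist, or no permission)
#   visible : DIR can be entered and "ls -a" of its parent lists it
#   hidden  : DIR can be entered but "ls -a" of its parent omits it
# "hidden" is the Phalanx2 symptom: chdir() still works, the listing is filtered.
dir_visibility() {
    dir=$1
    parent=$(dirname "$dir")
    name=$(basename "$dir")
    # Subshell, so the cd does not change the caller's working directory.
    if ! (cd "$dir" 2>/dev/null); then
        echo absent
        return 0
    fi
    # -1 forces one entry per line; -x -F match the whole name as a fixed string.
    if ls -1a "$parent" 2>/dev/null | grep -qxF "$name"; then
        echo visible
    else
        echo hidden
    fi
}

# shm_entries -> everything under /dev/shm, where the advisory says the attack
# tools may be staged. A normal host has little or nothing there; /dev/shm is
# memory-backed, so copy anything of interest off the box before rebooting.
shm_entries() {
    if [ -d /dev/shm ]; then
        ls -la /dev/shm 2>/dev/null || echo "(cannot list /dev/shm)"
    else
        echo "(no /dev/shm on this host)"
    fi
}

# Top-level run when executed as a script.
echo "/etc/khubd.p2: $(dir_visibility /etc/khubd.p2)"
echo "--- /dev/shm ---"
shm_entries
```

A result of “hidden” for /etc/khubd.p2 is the advisory's indicator; “absent” on a host that is otherwise suspicious is not a clean bill of health, since the directory name could change between rootkit builds, which is why the /dev/shm listing and the key audit still matter.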

System administrators should have dealt with the Debian key problem long ago. If they haven’t dealt with it yet, someone will “patch” their systems for them. To mitigate the risk from this attack, US-CERT recommends:

Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases, so anyone who obtains the key file can use it.

Encourage users to protect their keys with a passphrase, to reduce the risk if a key file is copied.

Review access paths to internet-facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends:

Disable key-based SSH authentication on the affected systems, where possible.

Perform an audit of all SSH keys on the affected systems.

Notify all key owners of the potential compromise of their keys.
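The key-related steps in both lists (find passphrase-less automation keys, audit the keys on an affected system, work out where a stolen key can be used, and turn off key authentication) as one audit script. This is an added example for this page, not US-CERT's or OpenSSH's own tooling: the places it looks (private key files, authorized_keys, known_hosts, sshd_config) follow the article, while the function names, the report format and the default search paths are assumptions made here.

```shell
#!/bin/sh
# SSH key audit (added example, not US-CERT's or OpenSSH's tooling).

# unencrypted_keys_in DIR -> paths of PEM private keys under DIR that carry no
# passphrase. PEM marks encryption with "Proc-Type: 4,ENCRYPTED" or a
# "BEGIN ENCRYPTED PRIVATE KEY" header. The newer OpenSSH key format has no
# such text marker; for those, "ssh-keygen -y -P '' -f KEY" succeeds only when
# the key is unencrypted.
unencrypted_keys_in() {
    find "$1" -type f 2>/dev/null |
    while read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            grep -q 'ENCRYPTED' "$f" || echo "$f"
        fi
    done
}

# authorized_keys_report FILE -> one line per key: "TYPE COMMENT OPTIONS".
# OPTIONS is "-" when the entry has no restrictions. An automation key with no
# from= or command= restriction works from wherever the private key ends up.
authorized_keys_report() {
    awk '
      /^[ \t]*(#|$)/ { next }
      {
        if ($1 ~ /^(ssh-|ecdsa-|sk-)/) {
            opts = "-"; rest = $0; sub(/^[ \t]+/, "", rest)
        } else if (match($0, /[ \t](ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+[ \t]+[A-Za-z0-9+\/=]+/)) {
            # Everything before the "TYPE BLOB" pair is the options field;
            # match() keeps quoted options that contain spaces intact.
            opts = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", opts)
            rest = substr($0, RSTART + 1)
        } else next
        n = split(rest, f, /[ \t]+/)
        comment = (n >= 3) ? f[3] : "-"
        for (j = 4; j <= n; j++) comment = comment " " f[j]
        printf "%s %s %s\n", f[1], comment, opts
      }' "$1"
}

# known_hosts_targets FILE -> hosts recorded in a known_hosts file: the servers
# this account has connected to, and the first places an attacker holding its
# keys would try. Hashed entries (HashKnownHosts yes) start with "|1|" and
# cannot be read back, so they are skipped.
known_hosts_targets() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /^\|1\|/ { next }
         $1 ~ /^@/ { print $2; next }
         { print $1 }' "$1"
}

# pubkey_auth_setting FILE -> effective PubkeyAuthentication value in an
# sshd_config. sshd uses the FIRST occurrence of a keyword and defaults to
# "yes"; settings inside a Match block apply only to matching connections and
# Include directives are not followed here, so review both by hand.
pubkey_auth_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "pubkeyauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Whole-host run with the usual paths; adjust for the machine being audited.
audit() {
    echo "--- private keys without a passphrase ---"
    for d in /etc/ssh /root/.ssh /home/*/.ssh; do
        [ -d "$d" ] && unencrypted_keys_in "$d"
    done
    echo "--- authorized_keys entries (TYPE COMMENT OPTIONS) ---"
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -r "$f" ] && { echo "$f:"; authorized_keys_report "$f"; }
    done
    echo "--- hosts this machine has connected to (known_hosts) ---"
    for f in /root/.ssh/known_hosts /home/*/.ssh/known_hosts; do
        [ -r "$f" ] && { echo "$f:"; known_hosts_targets "$f"; }
    done
    echo "--- sshd PubkeyAuthentication: $(pubkey_auth_setting /etc/ssh/sshd_config 2>/dev/null) ---"
    return 0
}
audit
```

To carry out the “disable key-based authentication” step, set “PubkeyAuthentication no” in /etc/ssh/sshd_config before any Match block, check the file with “sshd -t”, and reload sshd; the function above should then report “no”. Keys found without a passphrase should be regenerated rather than merely re-encrypted, since the existing material may already have been copied, and Debian's fix shipped a “ssh-vulnkey” checker that matches keys against the known weak set.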
