Old 08-27-2008, 05:29 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
SSH Key-based Attacks (Phalanx2 rootkit)


For those that didn't pick this up already, US-CERT reported yesterday:
"US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed." Full text is at http://www.us-cert.gov/current/archi..._based_attacks.


We added Phalanx to Rootkit Hunter (RKH) back in 2006; RKH has done /dev/shm checks for some time now and utilises 'unhide' where possible for hidden process checks. Today RKH CVS sees Phalanx2 added: rootkit files and directories, cd'ing into directories, and inode tests. Please see the updated RKH CVS tarball at http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz

* Please test the tarball as we're close to releasing 1.3.4. This version adds, among other things: support for TCB shadow files, a DB_PATH write test vs. database on read-only media (Debian), and the Vampire and Intoxonia-NG LKMs.

Last edited by unSpawn; 08-28-2008 at 02:02 AM. Reason: Call for testing
 
Old 08-28-2008, 02:43 AM   #2
Wakil
LQ Newbie
 
Registered: Apr 2008
Distribution: Fedora core 8
Posts: 18

Rep: Reputation: 0
phalanx2

This is very interesting and scary at the same time. I still don't understand how this works, because to get those SSH keys in the first place they had to be vulnerable to capture. And, guess what? In the last few months there have been two occasions when it's been revealed that certain Linux distributions were wide open to attack.

The first time was when Debian, thanks to some really fouled-up development thinking, left OpenSSL on Debian, and related distributions like Ubuntu, wide open to attacks from September 17th 2006 until May 13th 2008. OpenSSL provides SSL (Secure Socket Layer) and TLS (Transport Layer Security) protection. It's used throughout Linux internally and in network communications for 'secure' transactions.

Then, much more recently, Red Hat's RHEL (Red Hat Enterprise Linux) and Fedora were briefly compromised. In these cases, Red Hat says some, not many, but some OpenSSH packages had been messed around with.

"No problems," said Red Hat. Funny that a few days later we're seeing successful SSH attacks on Linux servers, isn't it?
 
Old 08-29-2008, 01:04 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415

Original Poster
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Wakil
Funny that a few days later we're seeing successful SSH attacks on Linux servers, isn't it?
Yes, that's "funny". However, you should also realise that associating things and making assumptions is typically human. It saves us time, but when trying to link two situations together without knowing the facts it could lead to making mistakes. In the over-hyped "I have no news so I'll write about you having news" web log infosphere of today, one should take care not to instill fear, uncertainty and doubt.

Last edited by unSpawn; 08-29-2008 at 01:05 PM.
 
Old 08-30-2008, 01:45 AM   #4
Wakil
LQ Newbie
 
Registered: Apr 2008
Distribution: Fedora core 8
Posts: 18

Rep: Reputation: 0
"fear" huh?

No idea what you meant there. But one word caught my attention: "FEAR". Such a nice word, isn't it? Let me tell you this: for those of us who practised medicine, we were told to leave that word by the door before entering the workplace, because that word could get you in trouble. But I guess in Linux that's a completely different thing, right? I mean, it's just a machine after all, except if it is a server running some firewalls in a president's room or some sort of server holding medical details about the hospital.

regards
 
Old 08-30-2008, 02:15 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Wakil
No idea what you meant there. But one word caught my attention: "FEAR". Such a nice word, isn't it? Let me tell you this: for those of us who practised medicine, we were told to leave that word by the door before entering the workplace, because that word could get you in trouble. But I guess in Linux that's a completely different thing, right? I mean, it's just a machine after all, except if it is a server running some firewalls in a president's room or some sort of server holding medical details about the hospital.
I think what he was essentially telling you was that you need to be extremely cautious when making posts like this. I mean, your post was dripping uncertainty from every pore. I would think that when you studied medicine they taught you that making connections between situations without evidence or further investigation can cost someone dearly. The same concept applies in information security. Let's try and stick to the facts as much as we can before we let our minds wander through the FUD.

Last edited by win32sux; 08-30-2008 at 02:17 AM.
 
Old 09-01-2008, 08:16 AM   #6
Wakil
LQ Newbie
 
Registered: Apr 2008
Distribution: Fedora core 8
Posts: 18

Rep: Reputation: 0
OK, unSpawn, I've got Rootkit Hunter (RKH) and I've checked my system, and it gave me some [Warning] messages in some directories. Now I wanted to know how I repair things to remove that [Warning] sign so that next time I check the system it won't give that warning.
I'll give a sample report I have.

Report:

[01:34:02] Checking for passwd file changes [ Warning ]
[01:34:02] Warning: Users have been added to the passwd file:
[01:34:02] XXXX:X:XXXX:XXXX:XXXX X,X,cell number,:/home/XXXX:/bin/bash
[01:34:02] Info: Starting test name 'group_changes'
[01:34:02] Checking for group file changes [ Warning ]
[01:34:02] Warning: Groups have been added to the group file:
[01:34:02] XXXX:X:XXXX:
[01:34:02] Checking root account shell history files [ None found ]
[01:34:02]
[01:34:02] Performing system configuration file checks
[01:34:02] Info: Starting test name 'system_configs'
[01:34:02] Checking for SSH configuration file [ Found ]
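The "Users have been added to the passwd file" warning in the report above is produced by comparing the current passwd file against a stored baseline copy. The following added example (not rkhunter's own code, and using constructed sample data) shows that kind of baseline comparison, plus one extra check a defender would want: any account other than root carrying UID 0. Function names and the sample entries are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not from any real system): a stored baseline copy of
# /etc/passwd and the current file. The last line of CURRENT is a new account
# that also has UID 0, which is a classic rootkit persistence technique.
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,cell number,:/home/alice:/bin/bash
"""
CURRENT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,cell number,:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
"""

def parse_passwd(text: str) -> Dict[str, Tuple[str, ...]]:
    """Map username -> the remaining six passwd fields; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        entries[fields[0]] = tuple(fields[1:])  # (passwd, uid, gid, gecos, home, shell)
    return entries

def passwd_changes(baseline: str, current: str) -> Dict[str, List[str]]:
    """Return added, removed and modified usernames relative to the baseline."""
    old, new = parse_passwd(baseline), parse_passwd(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(u for u in set(old) & set(new) if old[u] != new[u]),
    }

def extra_uid0(current: str) -> List[str]:
    """Accounts other than root whose UID field is 0."""
    return sorted(u for u, f in parse_passwd(current).items() if f[1] == "0" and u != "root")

def report(baseline: str, current: str) -> List[str]:
    """Build warning lines in the spirit of the rkhunter output quoted above."""
    lines = []
    for kind, users in passwd_changes(baseline, current).items():
        lines.extend(f"Warning: {kind} user in passwd file: {u}" for u in users)
    lines.extend(f"Warning: non-root account with UID 0: {u}" for u in extra_uid0(current))
    return lines

if __name__ == "__main__":
    for line in report(BASELINE, CURRENT):
        print(line)
```

Against a live system you would read /etc/passwd and a stored copy into the two strings; a warning is cleared only by confirming the change is legitimate and then refreshing the stored baseline, not by hiding it.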
 
Old 09-01-2008, 12:24 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415

Original Poster
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Wakil
it gave me some [Warning] messages in some directories. Now I wanted to know how I repair things to remove that [Warning] sign so that next time I check the system it won't give that warning.
So what happens if you run it again?
 
Old 09-02-2008, 01:50 AM   #8
Wakil
LQ Newbie
 
Registered: Apr 2008
Distribution: Fedora core 8
Posts: 18

Rep: Reputation: 0
It gives me the same result as the old one.
 
Old 09-11-2008, 03:54 PM   #9
utlemming
LQ Newbie
 
Registered: Sep 2008
Posts: 1

Rep: Reputation: 0
Non-issue really

Rootkits are pretty scary. But anyone with any experience with SSH keys knows that a rootkit using stolen SSH keys is only an issue on systems where the keys have been compromised. A person using SSH keys without a challenge password is asking for trouble. The keys are effectively the same thing as having a set of car keys -- if a bad guy gets them, they get in the car and drive it away.

If you are using a version of SSH that has been compromised (like the Debian SSL issue a little while back), that would be bad.

Those deep in the Linux community are pretty much laughing at CERT for this. The rootkit itself isn't using a kernel bug or an SSH flaw. CERT issued an advisory because it might happen. The moral of the story -- keep your SSH keys safe, use a challenge password and, on system-critical boxes, follow good security practices. Besides, there is a reason why large companies lock their internet servers behind a bastion server/VPN. SSH being exposed to the real world is considered a bad idea in the first place.