Linux under 'active attack'

mercurial

The US Computer Emergency Readiness Team (US-CERT) is warning that Linux-based systems are under "active attack" using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.

Phalanx2 appears to be a derivative of an older rootkit and is likely to be based on the Debian Random number generator flaw that appeared earlier this year.

To reduce the risks, US-CERT suggests administrators:

• Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.

• Encourage users to use keys with passphrases or passwords to reduce the risk if a key is compromised.

• Review access paths to Internet-facing systems and ensure that systems are fully patched.

For systems already compromised by this, US-CERT recommends that administrators:

• Disable key-based SSH authentication on the affected systems, where possible.

• Perform an audit of all SSH keys on the affected systems.

• Notify all key owners of the potential compromise of their keys.

Link
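One way to carry out the "identify keys without passphrases" step, as an added example that is not part of the original post or of the US-CERT advisory: a Python check that classifies private key files by their on-disk format markers. It goes beyond the legacy PEM keys of the time and also handles PKCS#8 and the newer OpenSSH container; the function names and the sample keys are constructed for illustration.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_protection(text):
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for a key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not (lines[0].startswith("-----BEGIN ")
                              and lines[0].endswith("PRIVATE KEY-----")):
        return "not-a-key"
    label, body = lines[0][11:-5], lines[1:-1]
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":        # cipher name follows the magic
        try:
            blob = base64.b64decode("".join(body))
        except ValueError:
            return "not-a-key"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "not-a-key"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC) and plain PKCS#8: encrypted only if flagged in headers
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body):
        return "encrypted"
    return "unencrypted"

def find_unprotected(root):
    """Walk root and list private key files that have no passphrase."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)     # key files are small
            except OSError:
                continue
            if key_protection(text) == "unencrypted":
                hits.append(path)
    return sorted(hits)

# Constructed samples (placeholder bodies, not real key material).
SAMPLE_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nQ09OU1RSVUNURUQ=\n"
              "-----END RSA PRIVATE KEY-----\n")
```

Running `find_unprotected` over home directories and service account directories gives the list of passphrase-less keys to review and the owners to notify.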
 
My keys are in my bag... and my bag is right next to me on the floor here... let anyone try to steal my keys! Ha!
 
Luckily I use my own keys and not the usual standard stuff. I also have the newest patches installed at any given time. Go go Linux! :D
 