Linux cryptography attacks seen in the wild

Active attacks against Linux systems using the Secure Shell encryption protocol have been reported by the US Computer Emergency Readiness Team.

To initially gain access to Linux kernels, attackers appear to be using compromised keys, the US Computer Emergency Readiness Team (US-CERT) said in a blog post on Tuesday. They then use a local kernel exploit to get into the root system. Once the intruders have root access, they can completely control the system.

US-CERT warned that, once attackers have control of the system, they install a Linux kernel rootkit called 'phalanx2'. This steals more SSH keys, which are then sent to the intruders.

IT professionals can tell if their systems have been compromised by searching for hidden processes and checking the reference count in '/etc' against the number of directories shown by 'ls', US-CERT advised.

At present, IT professionals can also check for any directory named 'khubd.p2', which is hidden from 'ls', but may be accessed by using 'cd'; or they can check for '/dev/shm/', which may contain files from the attack. However, US-CERT warned that changes in the configuration of the rootkit may change these attack indicators.

John Bambenek, a security expert with the Sans Internet Storm Center, wrote that a source of the original keys used to gain access could have been the Debian weak key vulnerability reported in May.

"If you haven't updated and replaced those keys, you ought to do so now," Bambenek wrote in a blog post.

Bambenek added that the best defence against this attack is to make sure that machines require a passphrase to use SSH keys. IT professionals can also use the Tripwire or Aide tools to check for the phalanx2 rootkit, he added.