The US Computer Emergency Readiness Team (US-CERT) is warning that Linux-based systems are under “active attack” using compromised SSH keys. The attackers first log in with stolen SSH keys to gain a user-level foothold, then use local kernel exploits to escalate to root. Once they have root, they install a rootkit known as “phalanx2”.
Phalanx2 appears to be a derivative of the older Phalanx rootkit. The stolen keys themselves are likely to have been compromised through the Debian OpenSSL random number generator flaw (CVE-2008-0166) disclosed earlier this year, which caused affected systems to generate predictable SSH keys.
To reduce the risk, US-CERT suggests that administrators:
- Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys typically have no passphrase, so anyone who copies the key file can use it.
- Encourage users to protect their keys with a passphrase, which limits the damage if a key file is stolen.
- Review access paths to Internet-facing systems and ensure that those systems are fully patched, since the attack depends on local kernel exploits to turn a stolen user login into root.
For systems already compromised in this way, US-CERT recommends that administrators:
- Disable key-based SSH authentication on the affected systems, where possible.
- Audit all SSH keys on the affected systems.
- Notify all key owners of the potential compromise of their keys.
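The two lists above both come down to an inventory: which keys are trusted by a host, whether the server restricts what those keys can do, and whether the private keys used by automated jobs carry a passphrase at all. The script below is an added example written for this article, not US-CERT's tooling or anything from the Phalanx advisory. It parses `authorized_keys` entries (including the `from=`/`command=` option syntax), flags entries that can be used from anywhere for anything, and tells an encrypted private key from a passphrase-less one by reading the file headers (the legacy `Proc-Type: 4,ENCRYPTED` PEM marker, the PKCS#8 header variants, and the cipher-name field of the `openssh-key-v1` format). The key blobs and private key files embedded in it are constructed placeholders, not real key material.

```python
"""Inventory SSH keys: added example for the US-CERT advice, not US-CERT code.
All key material below is constructed; none of it is a real key."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


@dataclass
class AuthorizedKey:
    lineno: int
    key_type: str
    blob_b64: str
    options: List[str]
    comment: str

    def fingerprint(self) -> str:
        """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def is_restricted(self) -> bool:
        """True when the server limits where (from=) or how (command=) the key is used."""
        return any(o.startswith(("from=", "command=")) for o in self.options)


def _split_outside_quotes(text: str, separators: str) -> List[str]:
    """Split on separators not inside double quotes; backslash escapes inside quotes are kept."""
    fields, current, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in separators and not in_quotes:
            if current:
                fields.append("".join(current))
                current = []
        else:
            current.append(ch)
        i += 1
    if current:
        fields.append("".join(current))
    return fields


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys lines of the form `[options] keytype base64-blob [comment]`."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split_outside_quotes(line, " \t")
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx > 1 or idx + 1 >= len(tokens):
            raise ValueError(f"authorized_keys line {lineno}: malformed entry")
        options = _split_outside_quotes(tokens[0], ",") if idx == 1 else []
        entries.append(AuthorizedKey(lineno, tokens[idx], tokens[idx + 1],
                                     options, " ".join(tokens[idx + 2:])))
    return entries


def unrestricted_keys(entries: List[AuthorizedKey]) -> List[AuthorizedKey]:
    """Keys usable from any host for any command: the ones to review first."""
    return [e for e in entries if not e.is_restricted()]


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' from a private key file's headers."""
    lines = [l.strip() for l in text.strip().splitlines()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1: magic string, then a uint32-length-prefixed cipher name.
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return "unknown"
        (length,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + length]
        return "unencrypted" if cipher == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return "encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, plaintext
        return "unencrypted"
    if header.endswith(" PRIVATE KEY-----"):                # legacy RSA/DSA/EC PEM
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:3])
        return "encrypted" if encrypted else "unencrypted"
    return "unknown"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _openssh_v1(cipher: bytes) -> str:
    """Constructed openssh-key-v1 file carrying only the fields this script parses."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 8
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + _b64(blob)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (assumed hostnames, paths and blobs; not real keys).
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not real key material
ssh-rsa {_b64(b'constructed-blob-backup')} backup@host

from="10.0.0.5",command="/usr/local/bin/rsync-wrapper",no-pty ssh-rsa {_b64(b'constructed-blob-rsync')} rsync-pull
ssh-dss {_b64(b'constructed-blob-old')} old-key
"""
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_OPENSSH_PLAIN = _openssh_v1(b"none")
SAMPLE_OPENSSH_ENCRYPTED = _openssh_v1(b"aes256-ctr")

if __name__ == "__main__":
    for e in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        flag = "" if e.is_restricted() else "  <- no from=/command= restriction"
        print(f"line {e.lineno}: {e.key_type} {e.fingerprint()} {e.comment}{flag}")
    for name, key in [("pem-plain", SAMPLE_PEM_PLAIN), ("pem-encrypted", SAMPLE_PEM_ENCRYPTED),
                      ("openssh-plain", SAMPLE_OPENSSH_PLAIN), ("openssh-encrypted", SAMPLE_OPENSSH_ENCRYPTED)]:
        print(f"{name}: {classify_private_key(key)}")
```

On a live host, point `parse_authorized_keys` at each account's `~/.ssh/authorized_keys` and `classify_private_key` at the key files automated jobs use; the fingerprints match `ssh-keygen -lf` output, so the list can be reconciled with key owners when notifying them. Debian's `ssh-vulnkey` is the tool to check whether any of those keys were generated with the broken random number generator, and `PubkeyAuthentication no` in `sshd_config` is the setting that disables key-based logins on a system known to be compromised.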