posted 08/28/2008 by Chris
According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system. It then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit, derived from the older "phalanx" rootkit.
"Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device," explains computer security group Packet Storm on its Web site. "Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot."
Once in place, the rootkit steals other SSH keys and sends them to the attacker to facilitate further attacks.
To detect the "phalanx2" rootkit, US-CERT suggests, among other things, looking for instances where the directory "khubd.p2" can be entered using the "cd" command but not seen using the "ls" command.