German CERT Warns of New Phalanx Linux Rootkit

The CERT for Germany`s National Research and Education Network (DFN-CERT – Deutsches Forschungsnetz) is warning of a new spate of attacks using a variant of the Phalanx Linux rootkit. Once installed this rootkit harvests SSH keys and other credentials which an attacker can use to access other victims. Fortunately the rootkit seems fairly easy to detect if you know what to look for. The rootkit creates a hidden directory, /etc/khubd.p2/, that is used to collect information. This directory is hidden, and the rootkit uses methods to hide its running processes and other telltale signs of its existence. Sometimes the name of the hidden directory is changed, but if you try to 'cd' into the directory and it doesn't exist, you can try creating the directory and doing an 'ls' . If the 'ls' doesn't revel the newly created directory then the machine is likely compromised.

To read an interesting overview of an incident response to this type of compromise see http://hep.uchicago.edu/admin/report_072808.html.

I plan to do some testing to see if tools that might be on the machine prior to compromise (such as OSSEC) would reveal the rootkit's installation.