The United States Computer Emergency Readiness Team (US-CERT) is warning Linux users that they are being actively targeted by attackers using stolen SSH keys.
Once a Linux system is compromised, the attacker gains access to the kernel and installs a new rootkit known as Phalanx2, US-CERT said in its advisory. Phalanx2 is configured to swipe additional SSH keys from the compromised system.
US-CERT is advising system administrators to examine systems where SSH keys are used, review access paths to internet facing systems and ensure that systems are fully patched.
John Bambenek a vulnerability handler with the SANS Internet Storm Center said the biggest defense is to use a passphrase with keys for remote authentication and Internet facing machines.
"Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now," Bambenek said in the SANS Internet Storm Center Diary.