Anyone see this yet? I'd like to get hold of a copy. There seems to be
a new version.

"The US-CERT is reporting that there are active attacks against Linux
environments using stolen SSH keys.  There is a new rootkit out,
Phalanx2, which is dropped by attackers and which, among the usual rootkit
tasks, steals any SSH key on a system.  The attackers then, presumably,
use those stolen keys (the ones without passwords/passphrases at
least) to get into other machines." ...

Someone that got broken into. Oddly enough, on the machine now hosting
this report:


Re: phalanx2

A couple of months ago I encountered a machine infected by the
phalanx2 rootkit, which chkrootkit failed to detect.  As a result, I
wrote my own /proc file system checker that phalanx2 was unable to hide
from.  The script is available from
< .  It should be able to sniff
out similar rootkits.

  # ./ -q
  WARNING: pid 2375 exists, but chdir /proc/2375 fails
  WARNING: /proc/2375 needs gid=56564 for access
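
The kind of cross-check the reply above describes (a PID that exists while its /proc entry cannot be entered), written as an added Python example; it is not the poster's script and is not part of the original thread. It assumes Linux, root privileges (so that a `hidepid` mount option does not cause false hits), and that existence is probed with signal 0; all function names are illustrative.

```python
# Added example (not the poster's script); run as root on Linux.
import os

def pid_exists(pid):
    """Kernel view: signal 0 delivers nothing, it only tests that the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, but owned by another user
    return True

def proc_enterable(pid, proc="/proc"):
    """/proc view: can /proc/<pid> be opened as a directory?"""
    try:
        os.close(os.open(f"{proc}/{pid}", os.O_RDONLY | os.O_DIRECTORY))
    except OSError:
        return False
    return True

def listed_ids(proc="/proc"):
    """IDs a directory listing shows, including thread IDs under task/."""
    ids = set()
    for name in filter(str.isdigit, os.listdir(proc)):
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task"))
        except OSError:
            pass  # process exited while we were scanning
    return ids

def find_hidden(max_pid, exists=pid_exists, enterable=proc_enterable, listed=listed_ids):
    """Return warnings for IDs the kernel acknowledges but /proc conceals."""
    visible, warnings = listed(), []
    for pid in range(1, max_pid + 1):
        if not exists(pid):
            continue
        if not enterable(pid):
            reason = f"/proc/{pid} cannot be opened"
        elif pid not in visible:
            reason = "it is missing from the /proc listing"
        else:
            continue
        if exists(pid):  # still there, so not a process that exited mid-scan
            warnings.append(f"WARNING: pid {pid} exists, but {reason}")
    return warnings

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        print("\n".join(find_hidden(int(f.read()))))
```

A process started after the listing snapshot can show up as a transient warning, so a hit should be confirmed with a second run before it is treated as an indicator.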

