Linux servers under the Phalanx gun: A problem with people, not code

A new Linux exploit can only be resolved if server administrators take security seriously, which may be asking too much.

As The Register reports Wednesday, Linux servers are increasingly under attack from Phalanx2, a "self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a tty program and connecting to it with a backdoor."

According to The Register:

The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. There's a viral aspect to this attack. As new SSH keys are stolen, new machines are potentially vulnerable to attack.

The U.S. Computer Emergency Readiness Team has recommended an approach to counteracting the risk, but this is where Linux (and Windows and Solaris and...) security meets reality: Linux may be inherently more secure as a system, but ultimately security is a question of process and people, not merely code.

Administrators must apply the patches. If Linux server administrators are anything like Oracle server administrators--65 percent of whom never install critical security patches--then Linux security will be as fallible as that of any other system. If IT administrators won't secure Linux, it won't be secured.

Much is made about security in open source, and often for good reason. But judging from the lack of chatter on the Web about the Phalanx attacks, I'm not optimistic that we're responding fast enough as a community to this new security breach.

Featured Video