LWN has an article and some useful comments engendered by an ssh attack which installs some kind of rootkit called phalanx2:
http://lwn.net/Articles/295712/

It is curious(!) that the referenced CERT advisory at http://www.us-cert.gov/current/#ssh_key_based_attacks includes words that seem to recommend disabling(!!) key-based authentication. I think the most sensible interpretation is that key-based authentication should be disabled on hosts where penetration _may_ have occurred -- but that doesn't seem right either. Maybe they are recommending that on a critical system until users and keys can be re-verified.

Some of the comments cover strategies previously mentioned in a recent ssh thread here.

Regards,
..jim
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
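Added example, not part of the post above, the LWN article or the US-CERT advisory: if the advice is read as "turn off key auth (PubkeyAuthentication no in sshd_config) until users and keys are re-verified", the re-verification step needs an inventory of what is actually in each authorized_keys file. The script below parses authorized_keys lines (leading options with quoted values, key type, blob, comment), computes the SHA256 fingerprint in the form ssh-keygen -l prints, and flags entries that are not on a known-good list, carry no from= restriction, or are DSA. The sample file is constructed in the code (real SSH wire framing around junk key material), the allowlist is hypothetical, and the issue strings are this example's own.

```python
# Added example (not from the LWN article, the US-CERT advisory or the post):
# audit a host's authorized_keys as a first step toward re-verifying keys.
# Each entry is parsed (options, type, blob, comment), fingerprinted the way
# ssh-keygen -l reports it, and flagged if it is not on a known-good list or
# carries no from= restriction. SAMPLE_AUTHORIZED_KEYS is constructed (SSH
# wire framing around junk key material); the allowlist is hypothetical.
import base64
import hashlib
import struct
from collections import namedtuple

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# options: name -> quoted value, or None for bare flags such as no-pty
AuthorizedKey = namedtuple("AuthorizedKey", "keytype blob comment options")


def fingerprint(blob):
    """SHA256 fingerprint in ssh-keygen -l format: base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _parse_options(line):
    """Parse the leading options field of an authorized_keys line, e.g.
    'a,b="v, x",c ssh-rsa ...' -> ({'a': None, 'b': 'v, x', 'c': None}, 14).
    Values are always double-quoted; a backslash escapes the next character."""
    opts, i = {}, 0
    while True:
        j = i
        while j < len(line) and line[j] not in "=," and not line[j].isspace():
            j += 1
        name, value = line[i:j], None
        if line[j:j + 1] == "=":
            if line[j + 1:j + 2] != '"':
                raise ValueError(f"option {name}: value must be double-quoted")
            j, chars = j + 2, []
            while j < len(line) and line[j] != '"':
                j += line[j] == "\\"          # skip the escape, keep what follows
                chars.append(line[j:j + 1])
                j += 1
            if j >= len(line):
                raise ValueError(f"option {name}: unterminated quote")
            value, j = "".join(chars), j + 1  # now just past the closing quote
        opts[name] = value
        if line[j:j + 1] != ",":               # whitespace (or end) ends the field
            return opts, j
        i = j + 1


def parse_authorized_keys(text):
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = {}
        if line.split(None, 1)[0] not in KEY_TYPES:  # a leading options field
            options, end = _parse_options(line)
            line = line[end:].strip()
        fields = line.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unrecognised key type")
        blob = base64.b64decode(fields[1], validate=True)
        # The blob's first length-prefixed string is its real type; it must
        # agree with the declared type, or the entry has been mangled.
        (n,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
        if blob[4:4 + n] != fields[0].encode():
            raise ValueError(f"line {lineno}: declared type does not match blob")
        comment = fields[2] if len(fields) == 3 else ""
        keys.append(AuthorizedKey(fields[0], blob, comment, options))
    return keys


def audit(keys, allowed_fingerprints):
    """(fingerprint, comment, issues) per key; no issues means allowlisted and from=-restricted."""
    report = []
    for k in keys:
        fp, issues = fingerprint(k.blob), []
        if fp not in allowed_fingerprints:
            issues.append("not on allowlist: treat as unverified")
        if "from" not in k.options:
            issues.append("no from= source restriction")
        if k.keytype == "ssh-dss":
            issues.append("DSA key: retire")
        report.append((fp, k.comment, issues))
    return report


def _entry(keytype, payload):
    """Constructed key blob: real SSH framing, junk material (not a usable key)."""
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype.encode() + payload).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; the blobs carry junk key material",
    'command="/usr/bin/rsync --server",from="192.0.2.0/24",no-pty ssh-ed25519 '
    + _entry("ssh-ed25519", bytes(range(32))) + " backup@host",
    "ssh-rsa " + _entry("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01") + " jim@laptop old key",
    "ssh-dss " + _entry("ssh-dss", b"\x00" * 16),
])

if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    allowed = {fingerprint(keys[0].blob)}  # hypothetical known-good list
    for fp, comment, issues in audit(keys, allowed):
        print(fp, comment or "(no comment)", "; ".join(issues) or "OK")
```

Run it against real files by reading each user's ~/.ssh/authorized_keys (and whatever AuthorizedKeysFile points at) into parse_authorized_keys and feeding audit the fingerprints you have confirmed out of band with the key owners; anything reported as unverified is a candidate to remove before key-based authentication is switched back on.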
