Linux systems attacked via SSH-Key exploit


rudedog
08-27-2008, 08:29 PM
Just read an article over at [H] regarding an SSH-key attack on Linux systems:
The attack appears to rely on stolen SSH keys to gain access to a system and then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit.
A quick way to check your Linux boxes is to try the following:
To detect the "phalanx2" rootkit, US-CERT suggests, among other things, looking for instances where the directory "khubd.p2" can be entered using the "cd" command but not seen using the "ls" command.
-More info and source: Here (http://www.informationweek.com/news/software/linux/showArticle.jhtml?articleID=210201115)
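The "cd works but ls does not show it" test from the US-CERT note, written out as a small POSIX sh script. This is an added example, not code from the thread or from US-CERT; the list of parent directories it probes is an assumption for illustration, and the only directory name it looks for is the "khubd.p2" mentioned above.

```sh
#!/bin/sh
# Added example (not from the thread or the US-CERT note).
# A rootkit that hides a directory usually hooks the readdir/getdents path
# that ls uses, but leaves plain path lookup (what cd/chdir uses) alone.
# So a directory you can enter but cannot list is the symptom to look for.

# probe_dir PATH
# Prints one of: "absent PATH", "visible PATH", "HIDDEN PATH".
# Returns 1 only for the HIDDEN (enterable but not listed) case.
probe_dir() {
    path=$1
    parent=$(dirname "$path")
    name=$(basename "$path")
    enterable=0
    listed=0

    # Path lookup via chdir, in a subshell so the caller's cwd is untouched.
    ( cd "$path" ) 2>/dev/null && enterable=1

    # Directory enumeration via readdir; -x matches the whole entry name.
    if ls -a "$parent" 2>/dev/null | grep -qx -- "$name"; then
        listed=1
    fi

    if [ "$enterable" -eq 1 ] && [ "$listed" -eq 0 ]; then
        echo "HIDDEN  $path"
        return 1
    elif [ "$enterable" -eq 1 ]; then
        echo "visible $path"
    else
        echo "absent  $path"
    fi
    return 0
}

# scan_for_phalanx2
# Probes the name from the US-CERT note under a handful of likely parents.
# The parent list is an assumption for illustration; extend it as needed.
# Returns 1 if any probe reports HIDDEN.
scan_for_phalanx2() {
    rc=0
    for parent in / /etc /usr /usr/share /var /var/tmp /tmp /dev /root; do
        probe_dir "$parent/khubd.p2" || rc=1
    done
    return $rc
}
```

Run it as root: as an unprivileged user a mode-0700 directory owned by root fails both the cd and the ls test and is reported as "absent", which tells you nothing. The check is also only as good as the rootkit's laziness; one that hooks path lookup as well as readdir will pass it, so treat "visible"/"absent" as "not detected by this test", not as clean.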

tgillespie
08-28-2008, 12:21 AM
Interesting. I've noticed a large amount of attacks in the recent few weeks. A lot of clients that I've done work with have been getting massive DDoS attacks in some form of this. No kits have been dropped, thankfully.

HIS-MOTHER
08-28-2008, 09:12 PM
Good find RD. I always use puttygen to make a key here locally with at least 1024 bits then import it to our machines. At least it's a little safer.
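Since the attack in the article starts from stolen SSH keys, the server-side controls that limit what a copied key is good for matter at least as much as how the key is made. The script below is an added example, not code from the thread: it generates a passphrase-protected key, rewrites an authorized_keys entry so the key only works from named source addresses and gets no forwarding or tty, and counts entries in an authorized_keys file that carry no from= restriction. The source networks, key blobs and comments in it are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Source networks and key material
# below are constructed placeholders, not real keys.

# make_key PATH
# Generate an ed25519 key whose private half is encrypted on disk.
# ssh-keygen prompts for the passphrase; -a sets the KDF rounds so that
# brute-forcing a stolen key file is slow. (Not invoked by the checks below.)
make_key() {
    ssh-keygen -t ed25519 -a 64 -f "$1" -C "deploy-key (added example)"
}

# restrict_key SOURCES KEYLINE
# Prefix a public key line with authorized_keys options so that a copy of the
# private key is useless except from SOURCES (comma-separated host patterns
# or CIDRs, as sshd accepts in from=), and cannot forward ports, the agent,
# or X11, nor get a pty.
restrict_key() {
    sources=$1
    keyline=$2
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "restrict_key: not a public key line: $keyline" >&2; return 1 ;;
    esac
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$sources" "$keyline"
}

# count_unrestricted FILE
# Print how many non-comment, non-blank authorized_keys entries have no
# from= option, i.e. would accept the key from anywhere.
count_unrestricted() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -vc 'from="' || true
}
```

Use restrict_key on each line before it goes into ~/.ssh/authorized_keys on the target host, and run count_unrestricted over the file during audits; a non-zero result is a key whose theft alone is enough to log in. The passphrase only protects the key file at rest; an agent with the key loaded, or a host where the agent socket is forwarded, is still exposed, which is why the entry also drops agent forwarding.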

GaSplat
08-29-2008, 02:20 AM
Interesting. I've noticed a large amount of attacks in the recent few weeks. A lot of clients that I've done work with have been getting massive DDoS attacks in some form of this. No kits have been dropped, thankfully.

Not coincidentally, there has been a rash of "drive by" infections. Servers with unpatched vulnerabilities or users with weak passwords are having cross-scripting attacks installed that end up infecting browsers that visit the hacked site. I have spent a "little time" cleaning the scripts off friends' web sites and teaching them what a secure password is.