US-CERT warns that Linux PCs are being attacked by a technique that uses stolen SSH keys to gain access to computers then, using a local kernel exploit, a rootkit is installed in order to steal other SSH keys and send them back to the attacker:

According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system. It then uses a local kernel exploit to gain root access, whereupon it installs the "phalanx2" rootkit, derived from the older "phalanx" rootkit. "Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device," explains computer security group Packet Storm on its Web site. "Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot." Once in place, the rootkit steals other SSH keys and sends them to the attacker to facilitate further attacks. SANS Internet Storm Center handler John Bambenek in a blog post said that the weak key vulnerability identified in Debian-based systems a few months ago could be one source of compromised SSH keys. Debian's flawed random number generation, fixed in May, led to keys that were predictable.