sshd rootkit / exploit
Hi Folks,
I was alerted to this by the nice folks at http://racksrv.com (Thanks Jon/Lee)
Just putting some info out there for those who have not spotted the topic elsewhere as yet.
Further info:
http://status.racksrv.com/2013/02/19/new-sshd-rootkit
http://forums.cpanel.net/f185/sshd-rootkit-323962.html
http://www.webhostingtalk.com/showthread.php?t=1235797
Seems info has been floating around for 4 days now although I am only just now reading through everything.
Anyone that is already aware of this please feel free to add some additional info/summary.
From what I am reading in the last few minutes it is an issue with libkeyutils.so.1.9 (32 and 64bit) which allows spam to be sent via the server; it seems to mainly affect cPanel on CENT/CloudLinux and possibly other LAMP stacks.
If you have some users that have started spamming and are unaware of how this has happened, you may want to have them run the script included in the first link provided by Lee at racksrv.com.
Ant.
Comments
All Debian here, so should be safe. Good luck to everyone running RHEL, hope it ends up well
wget http://status.racksrv.com/ssh_rootchk.sh && sh ssh_rootchk.sh && rm -f ssh_rootchk.sh
For those that are lazy, like me.
Thanks for notifying us Ant.
Just seen the lib on a debian hostnode... anyone else see it on debian?
Keyutils is a set of utilities for managing the key retention facility in the kernel, which can be used by filesystems, block devices and more to gain and retain the authorization and encryption keys required to perform secure operations.

This package provides a wrapper library for the key management facility system calls.
I have just been assured that this does not affect debian on #lowendbox irc/freenode.
The rationale behind it not affecting debian is: "centos sucks"
@MiguelQ what about libkeyutils.so.1.9?
Cool :P
I only agree with the 6.x part.
Anyway, http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/ has some good text about it too.
Not on squeeze. The one on wheezy is named libkeyutils.so.1.4
Why? Do you have it?
This box is running squeeze & Xen 4.0 w/ a few VM's
root@vhost01 /lib # locate libkey
/lib/libkeyutils.so.1
/lib/libkeyutils.so.1.3
/lib/libkeyutils.so.1.9
Cpanel VM on it also has
root@webserver [~]# locate libkey
/home/virtfs/raindrop/lib/libkeyutils.so.1
/home/virtfs/raindrop/lib/libkeyutils.so.1.3
/home/virtfs/raindrop/lib/libkeyutils.so.1.9
/lib/libkeyutils.so.1
/lib/libkeyutils.so.1.3
/lib/libkeyutils.so.1.9
So far neither the HN nor the VM is sending any traffic out..
Interesting, what does /lib/libkeyutils.so.1 point to?
Also, do this
lrwxrwxrwx 1 root root 18 Nov 16 22:05 libkeyutils.so.1 -> libkeyutils.so.1.9
*****... Game Over?
hm is that supposed to be a local or remote exploit?
I run Ubuntu Server so no problems, though I have been eyeing a cPanel server, so that could be problematic. Any fix known as yet?
@BradND it should be linking to libkeyutils.so.1.3 on stock squeeze.
On my box that lib is currently opened by named, sshd and kvm. I suggest you take a good look at what processes have it open and begin halting them.
Halt, remove, link the original one back and start looking for traces of how it got there in the first place
Here's the MD5 of the original so you can compare...
As far as I know, the lib is a
As you can see from above, it is used by processes which allow remote auth, such as sshd. A modified version of that lib could well be allowing remote access via sshd to unauthorized parties on the affected host in the worst case. Best case it is being used to send SPAM (as it has been reported) triggered by the auth handshake (my guess).
Would love to have a copy of said lib to do forensics on it. @BrianND could you mail it to me?
Md5 looks alright, but..
Sigh... time to do a little digging i guess
This is why the cpanel forum is a good place to frequent even if you don't use it. Often one of the first targets of RHEL based exploits.
@MiguelQ Sure, pm me your email
@BradND is that 32 or 64 bit you have running?
root@vhost01 /var/www # uname -ar
Linux vhost01.redacted.com 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
@BradND
The bash script is extremely simple but...
root@vhost01 /var/www # wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
The server is compromised, /lib64/libkeyutils.so.1.9 found
Not sure that's a good sign...
@BradND Watch outgoing connections to tcp_78.47.139.110:53 It tries that after successful ssh login. Probably getting instructions
78.47.139.110 is in libkeyutils.so.1.9 so yeah... most definite.
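The checks the posters above do by hand (locate the 1.9 library, see what libkeyutils.so.1 links to, see which processes have it mapped before halting them, confirm the 78.47.139.110 string is inside the file) pulled together into one read-only triage script. This is an added example, not the racksrv.com ssh_rootchk.sh or the CloudLinux check.sh quoted in the thread. It assumes the library lives in one of the usual /lib or /lib64 directories and that the IP is stored as a plain printable string (which is how the last poster found it); the function names and the --scan flag are this example's own. Every function takes a prefix so it can be pointed at a mounted disk image or a test tree as well as the live host.

```shell
#!/bin/sh
# Added example, not the racksrv.com or CloudLinux check script referenced in the
# thread: a read-only triage for the libkeyutils.so.1.9 indicator discussed above.
# Every function takes a root/prefix argument so it can be run against a mounted
# image or a constructed test tree as well as the live system.

# Directories the thread shows libkeyutils living in (Debian and RHEL-family).
LIB_DIRS="/lib /lib64 /lib/x86_64-linux-gnu /lib/i386-linux-gnu"
# Address a poster saw contacted after ssh login and found inside the library;
# assumed here to be stored as a plain printable string.
IOC_IP="78.47.139.110"

# Print every libkeyutils.so.1.9 found under prefix $1 (empty = live system).
find_suspect_lib() {
    root="${1:-}"
    for d in $LIB_DIRS; do
        if [ -e "$root$d/libkeyutils.so.1.9" ]; then
            echo "$root$d/libkeyutils.so.1.9"
        fi
    done
    return 0
}

# Print what $1/libkeyutils.so.1 resolves to; stock systems in the thread point
# at 1.3 or 1.4, the compromised hosts point at 1.9.
symlink_target() {
    link="$1/libkeyutils.so.1"
    if [ -L "$link" ]; then
        readlink "$link"
    elif [ -e "$link" ]; then
        echo "not-a-symlink"
    else
        echo "missing"
    fi
    return 0
}

# Print PIDs (from procfs at $1, default /proc) that have libkeyutils.so.1.9
# mapped: these are the processes to stop before relinking, as advised above.
procs_with_suspect_lib() {
    procroot="${1:-/proc}"
    for m in "$procroot"/[0-9]*/maps; do
        [ -r "$m" ] || continue
        if grep -q 'libkeyutils\.so\.1\.9' "$m" 2>/dev/null; then
            pid="${m%/maps}"
            echo "${pid##*/}"
        fi
    done
    return 0
}

# yes/no: does file $1 contain IOC_IP as a printable string? (strings(1)-style
# scan done with tr so it works without binutils installed)
contains_ioc() {
    if LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -F -q -- "$IOC_IP"; then
        echo yes
    else
        echo no
    fi
    return 0
}

# Full report for filesystem prefix $1 and procfs $2.
triage() {
    root="${1:-}"; procroot="${2:-/proc}"
    echo "== libkeyutils.so.1.9 present =="
    find_suspect_lib "$root"
    echo "== libkeyutils.so.1 symlink targets =="
    for d in $LIB_DIRS; do
        if [ -d "$root$d" ]; then
            echo "$root$d: $(symlink_target "$root$d")"
        fi
    done
    echo "== PIDs with libkeyutils.so.1.9 mapped =="
    procs_with_suspect_lib "$procroot"
    echo "== IOC string $IOC_IP in suspect libraries =="
    for f in $(find_suspect_lib "$root"); do
        echo "$f: $(contains_ioc "$f")"
    done
    return 0
}

# Only scan when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--scan" ]; then
    triage "${2:-}" "${3:-/proc}"
fi
```

Run it as root with `sh check_keyutils.sh --scan` on the live host, or `sh check_keyutils.sh --scan /mnt/image` against a mounted disk. A 1.9 file, a symlink pointing at it, or the IOC string in the library is the same "game over" signal the thread reached; a clean result only means this particular indicator is absent. On RHEL-family hosts, `rpm -V keyutils-libs` is a useful second opinion, since it flags a changed symlink target ('L') without relying on any hard-coded filename.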