Sshd rootkit comments?

mx_starter
Posts: 7
Joined: 2012/06/21 12:41:55

Sshd rootkit comments?

Post by mx_starter » 2013/02/25 11:47:54

Any of the support team with more information related to this: http://www.lowendtalk.com/discussion/8146/sshd-rootkit-exploit

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Sshd rootkit comments?

Post by TrevorH » 2013/02/25 12:42:06

The current thinking is that this is a cPanel problem. They have mailed their customer list saying that they've discovered a server in their support department which has been compromised and that anyone who has raised a ticket with them in the last 6 months and allowed cpanel personnel root access to their server is probably also compromised due to credential sniffing. The attackers install a file /lib{,64}/libkeyutils.so.1.9 and then change the /lib{,64}/libkeyutils.so.1 symlink to point to their replacement library instead of the correct version (libkeyutils.so.1.2 on CentOS 5, libkeyutils.so.1.3 on CentOS 6).

If you have a cPanel server in your installation and have raised a ticket with them in the last year then it's worth checking all your servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9 should not exist and if it does then the chances are that you have been compromised. Running `rpm -V keyutils-libs` should return no output (meaning that everything verifies OK).

If the file does exist then it has been sending details of all logins made to this server. If you use this server to ssh onwards to other machines then it's also gathered and sent details of those too.

This is NOT an sshd vulnerability, it's a keylogger installed on a support department machine that's been sending login details back to an attacker.

In case of compromise, your next steps are to backup your valuable data and reinstall the server from fresh verified media. You also need to change all ssh keys and all passwords.
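
The three indicators TrevorH gives above (the planted /lib{,64}/libkeyutils.so.1.9, the repointed libkeyutils.so.1 symlink, and a non-empty `rpm -V keyutils-libs`) can be scripted. The following is an added example, not something posted in this thread or shipped by CentOS or cPanel; the function names, the use of readlink, and the constructed fixture directories (empty files standing in for the libraries) are my own. The "known good" link targets, libkeyutils.so.1.2 for CentOS 5 and libkeyutils.so.1.3 for CentOS 6, are taken from the post. One caveat for anyone reusing this later: newer keyutils releases ship a legitimate libkeyutils.so.1.9, so the file-exists test is only meaningful on CentOS 5/6 of that era, and the symlink and rpm checks should be adjusted to whatever version the package actually installs.

```sh
#!/bin/sh
# Added example: encode the indicators from the post as shell functions and
# exercise them against constructed directory layouts. Function names, the
# readlink-based symlink check, and the fixtures are assumptions of this
# example, not part of the forum post.

# check_libdir DIR: return 0 if DIR shows neither indicator, 1 otherwise.
check_libdir() {
    dir=$1
    status=0
    # Indicator 1: the planted library must not exist (valid for CentOS 5/6;
    # newer keyutils releases ship a legitimate libkeyutils.so.1.9).
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPECT: $dir/libkeyutils.so.1.9 exists"
        status=1
    fi
    # Indicator 2: the libkeyutils.so.1 symlink must resolve to the distro's
    # own library: .so.1.2 on CentOS 5, .so.1.3 on CentOS 6 (per the post).
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case "${target##*/}" in
            libkeyutils.so.1.2|libkeyutils.so.1.3) ;;
            *)
                echo "SUSPECT: $dir/libkeyutils.so.1 -> $target"
                status=1
                ;;
        esac
    fi
    return $status
}

# check_rpm: on a clean CentOS box `rpm -V keyutils-libs` prints nothing.
# It reports the repointed symlink (the package owns it) but cannot see the
# planted .so.1.9, which the package does not own, so indicator 1 is still
# needed alongside it.
check_rpm() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; skipping package verification"
        return 0
    fi
    out=$(rpm -V keyutils-libs 2>&1) || true
    if [ -n "$out" ]; then
        echo "SUSPECT: rpm -V keyutils-libs reported:"
        echo "$out"
        return 1
    fi
    return 0
}

# check_host: inspect the live system. Not called below; run it by hand on a
# CentOS 5/6 host (as root, so rpm -V can read every file it verifies).
check_host() {
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] || continue
        check_libdir "$d" || rc=1
    done
    check_rpm || rc=1
    return $rc
}

# demo: build a clean CentOS 6 style layout and a compromised one under a
# temporary directory (constructed fixtures) and run check_libdir on each.
demo() {
    tmp=$(mktemp -d)
    clean="$tmp/clean"
    bad="$tmp/bad"
    mkdir -p "$clean" "$bad"
    : > "$clean/libkeyutils.so.1.3"
    ln -s libkeyutils.so.1.3 "$clean/libkeyutils.so.1"
    : > "$bad/libkeyutils.so.1.3"
    : > "$bad/libkeyutils.so.1.9"                  # the planted library
    ln -s libkeyutils.so.1.9 "$bad/libkeyutils.so.1" # symlink repointed to it
    check_libdir "$clean" && echo "clean fixture: OK"
    check_libdir "$bad" || echo "bad fixture: flagged as expected"
    rm -rf "$tmp"
}

demo
```

Running the script prints two SUSPECT lines for the bad fixture (the extra file and the redirected symlink) and nothing for the clean one. Note that a positive result only tells you the box has been touched; as the post says, the remedy is a rebuild from verified media plus rotation of every key and password that was ever typed on or through that machine, not deleting the file.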

mx_starter
Posts: 7
Joined: 2012/06/21 12:41:55

Re: Sshd rootkit comments?

Post by mx_starter » 2013/02/25 14:05:01

Thanks, fortunately there are no problems here.
I posted this mainly because I am unable to understand how the rootkit was able to install.
So it is not possible for the fake library to be installed remotely, right?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sshd rootkit comments?

Post by TrevorH » 2013/02/25 14:25:02

Right now, the consensus is that the rogue library is not installed by way of a CentOS exploit.

As long as you do not use cPanel or, if you do, you haven't raised a ticket with them for > 1 year and given them your login credentials, then you should be safe.
