marsm
Member, Jan 17, 2013
cPanel Access Level: Root Administrator
I received the following email from my hosts - I have a dedicated CentOS server with cPanel. I have been informed that there was a fault with cPanel and that I now have malware and the only fix is to reinstall the OS. This is a massive process, and I cannot believe there isn't a fix for this that does not entail an OS reinstall. Any advice would be greatly appreciated.

Here's the email:

The malware we are talking about is a system-based infection (sshd) that provides backdoor root access to a hacker, who spies and steals passwords.

This is why we invite you to re-install the server.

Thank you for providing us with the results of the following commands:

# procnumber=$(ps aux | grep "/usr/sbin/sshd" | grep -v grep | awk '{print $2}') && gcore $procnumber && strings -a core.$procnumber | egrep "Version 1.3|g:sshd:1|key:1|g:%s:%s|u:%s:%s|ssh:1|getspnam|ekfwbqltizpdvurjnacshxogym|Sniffing packet"

# rpm -V keyutils-libs

# lsof -Pni | grep


More discussion on the cPanel forum:
Determine Your System's Status

quizknows
Well-Known Member, Oct 20, 2009
cPanel Access Level: DataCenter Provider
The SSHD backdoor has nothing to do with cPanel. It can be installed on any machine running SSHD if the machine was compromised on a root level.

Sorry to say it, but if a server is compromised on a root level you really should let them reinstall the OS. Yes, you could replace the compromised SSHD library (libkeyutils) and restart the service to remove that backdoor, but there is no telling what other areas of your system may be compromised beyond repair.

I'd start here:
Determine Your System's Status

If the rpm verification for libkeyutils fails or the symlink goes to a file that does not belong to an RPM, your system is indeed owned (rooted) and you should reinstall your OS.
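As an added example (not from the thread, and not cPanel's own tooling), a small POSIX sh triage script that encodes the two checks named above: does `rpm -V keyutils-libs` report changed library files, and does the libkeyutils symlink resolve to a file that no RPM owns? The classifier functions take command output as a string so they can be exercised on constructed sample output; the `--live` mode runs the real commands and assumes a RHEL/CentOS layout with `/lib64/libkeyutils.so.1` (an assumption). It reads only; it changes nothing on the host.

```shell
#!/bin/sh
# libkeyutils_triage.sh -- added example, not from the thread or cPanel.
# Encodes the two checks from the answer above: does `rpm -V keyutils-libs`
# report changed library files, and does the libkeyutils symlink resolve to a
# file that no RPM owns? The classifiers take command output as a string so
# they can be exercised on constructed samples; --live runs the real commands.

# Classify one line of `rpm -V keyutils-libs` output.
# A clean package prints nothing. Otherwise each line is an attribute string
# (S=size, 5=digest, L=symlink target, T=mtime, ...), an optional type letter,
# and the path. Digest, size or link changes on a libkeyutils file are what a
# replaced library looks like; an mtime-only difference is noise.
verify_status() {
    line="$1"
    if [ -z "$line" ]; then echo CLEAN; return 0; fi
    case "$line" in
        missing*)                         echo SUSPICIOUS; return 0 ;;
        "package "*" is not installed")   echo UNKNOWN;    return 0 ;;
    esac
    flags="${line%% *}"     # first whitespace-separated field
    path="${line##* }"      # last field (these paths contain no spaces)
    case "$flags" in
        *5*|*S*|*L*)
            case "$path" in
                *libkeyutils*) echo SUSPICIOUS ;;
                *)             echo CHANGED ;;   # e.g. a modified doc file
            esac ;;
        *) echo INFO ;;
    esac
}

# Classify `rpm -qf <file>` output for the resolved symlink target.
owner_status() {
    case "$1" in
        "")                                 echo UNKNOWN ;;
        *"is not owned by any package"*)    echo UNOWNED ;;
        *)                                  echo OWNED ;;
    esac
}

# Overall verdict from the full `rpm -V` output and the `rpm -qf` output.
verdict() {
    v_out="$1"; q_out="$2"
    worst=CLEAN
    oldifs=$IFS
    IFS='
'                       # literal newline: iterate rpm -V output line by line
    for l in $v_out; do
        if [ "$(verify_status "$l")" = SUSPICIOUS ]; then worst=SUSPICIOUS; fi
    done
    IFS=$oldifs
    if [ "$(owner_status "$q_out")" = UNOWNED ]; then worst=SUSPICIOUS; fi
    echo "$worst"
}

# Run the real commands (RHEL/CentOS layout assumed). Read-only.
live_check() {
    v_out=$(rpm -V keyutils-libs 2>&1 || true)
    target=$(readlink -f /lib64/libkeyutils.so.1 2>/dev/null \
          || readlink -f /lib/libkeyutils.so.1 2>/dev/null || true)
    q_out=$(rpm -qf "$target" 2>&1 || true)
    printf 'rpm -V keyutils-libs:\n%s\nsymlink target: %s\nrpm -qf: %s\nverdict: %s\n' \
        "$v_out" "$target" "$q_out" "$(verdict "$v_out" "$q_out")"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run `sh libkeyutils_triage.sh --live` on the suspect host. A SUSPICIOUS verdict means the library no longer matches its package or is not a packaged file at all, which is exactly the condition the answer above says warrants a reinstall rather than a repair; the `rpm` database itself can be tampered with on a rooted box, so a CLEAN result is evidence, not proof.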
 

marsm
Member, Jan 17, 2013
cPanel Access Level: Root Administrator
Thanks for the insights and advice guys - I'm probably going to do a reinstall shortly; how do I protect myself so that this doesn't happen again?
 

quizknows
Well-Known Member, Oct 20, 2009
cPanel Access Level: DataCenter Provider
Security Advisor is a good place to start.

Root compromises usually result from either outdated kernel versions allowing a web app hack to escalate privileges, or a compromise of the root password.

The first is easy to defend against; when a new kernel comes out, install it and reboot to make it active.

The second you can help with by doing things like disallowing direct root ssh login, and firewalling your WHM port off to only trusted IP addresses.
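As an added example (not from the thread or from cPanel), a POSIX sh audit for the two controls just named: no direct root SSH login, and the WHM ports reachable only from trusted addresses. It assumes OpenSSH `sshd_config` syntax and iptables; the WHM ports 2086/2087 and the RFC 5737 sample addresses are assumptions and constructed values for the example. The `PermitRootLogin` parser also demonstrates a detail that bites people: sshd honours the first value it reads for a keyword, so a hardening line appended below an earlier `PermitRootLogin yes` is silently ignored.

```shell
#!/bin/sh
# ssh_whm_hardening.sh -- added example, not from the thread or cPanel.
# Audits the two controls named above: no direct root SSH login, and the WHM
# ports reachable only from trusted addresses. Assumes OpenSSH sshd_config
# syntax and iptables; WHM ports 2086/2087 and the RFC 5737 addresses below
# are assumptions / constructed values for the example.

# Effective global PermitRootLogin in an sshd_config given as a string.
# sshd uses the FIRST value it reads for a keyword, so appending
# "PermitRootLogin no" to a file that already says "yes" changes nothing.
# Lines after the first "Match" belong to Match blocks and are not global.
# Prints UNSET when the keyword never appears (the OpenSSH build default
# then applies). The rarer "Keyword=value" spelling is not handled.
permit_root_login() {
    config="$1"
    result=UNSET
    in_match=0
    oldifs=$IFS
    set -f                  # no pathname expansion while word-splitting lines
    IFS='
'                       # literal newline: iterate the config line by line
    for raw in $config; do
        IFS=$oldifs
        set -- $raw         # $1 keyword, $2 value; blank lines give no fields
        IFS='
'
        case "${1:-}" in
            ''|'#'*) ;;                               # blank or comment
            [Mm][Aa][Tt][Cc][Hh]) in_match=1 ;;       # rest of file is Match blocks
            [Pp][Ee][Rr][Mm][Ii][Tt][Rr][Oo][Oo][Tt][Ll][Oo][Gg][Ii][Nn])
                if [ "$in_match" -eq 0 ] && [ "$result" = UNSET ]; then
                    result="${2:-}"                   # first global value wins
                fi ;;
        esac
    done
    IFS=$oldifs
    set +f
    echo "$result"
}

# Emit (do not apply) iptables rules that allow the WHM ports from each
# trusted source and drop everything else. Review, then run as root.
whm_firewall_rules() {
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport 2086:2087 -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 2086:2087 -j DROP\n'
}

# Constructed sample config: the hardening line was appended but is ignored,
# because the earlier "yes" is the value sshd keeps.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no'

echo "effective PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD_CONFIG")"
whm_firewall_rules 192.0.2.10 198.51.100.0/24
```

To audit a real host, pass the file contents: `permit_root_login "$(cat /etc/ssh/sshd_config)"`; anything other than `no` (or `without-password` / `prohibit-password` where key-only root access is acceptable) means the first control is not in place. The firewall rules are printed rather than applied so they can be checked against your management addresses before they lock you out; the DROP rule must come after the ACCEPTs, which is why the function emits it last.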