Possible 0-day vulnerability being exploited

andy.dills

Registered
Nov 20, 2010
I started getting some emails from our cpanel server, indicating syslogd and exim were failing.

When I logged into the server, I noticed strong indications of a misapplied rootkit. When I ran ps, top, ls, netstat, md5sum, etc., I get "ELF binary type 0 not known". But not for everything, just certain typically rootkitted binaries.

See, we run cpanel on FreeBSD 8. That message is typical of trying to run a Linux binary in that environment. Somebody applied a Linux rootkit to our FreeBSD cpanel box. This makes me suspect that the actual vulnerability is not OS-specific, or they wouldn't have been using the wrong rootkit.

Investigating further confirmed my suspicions; the files were the wrong size and owned by the wrong UID.

Unfortunately, I did not have time to do much in the way of forensics; I restored from backup to get our users back online.

Looking through the system, post "restore over top" (and not to a clean drive), I'm seeing this:

cpanel# find / -uid 102
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/lib/libsh.so/shrs
/sbin/ttyload
/sbin/ttymon
/usr/lib/libsh/.bashrc
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.sniff/shp
/usr/lib/libsh/shsb
/usr/lib/libsh/hide

We have cpanel update nightly. It was running 11.28.42 at the time of the attack; I ran a manual update afterward and it's now on 11.28.45 (but nothing in the changelog indicates anything noteworthy).

I'm going to look into it further, but I wanted to get this out there ASAP, because my gut feeling is there is a new 0-day being exploited.
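The two indicators described in this post (system binaries that fail with "ELF binary type N not known", and files owned by an unexpected UID) can be checked without executing anything suspicious. The following is an added example in POSIX sh, not from the thread or from cPanel: it reads the EI_OSABI byte of the ELF header directly, the same byte FreeBSD's kernel reports in that error, and flags files that are not branded FreeBSD (ELFOSABI_FREEBSD = 9) or are not owned by root. The directory list is an assumption; the sample files in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the forum post). On FreeBSD, executing a binary
# whose ELF OS/ABI byte is not a known brand yields the "ELF binary type N
# not known" message the post describes (0 = SYSV, typical of Linux builds).
# We read that byte instead of running the file.

# Print the EI_OSABI byte (offset 7 of the ELF header) of a file.
# Returns non-zero (prints nothing) if the file lacks the ELF magic.
elf_osabi() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' ')
    [ "$magic" = "7f454c46" ] || return 1
    od -An -tu1 -j7 -N1 "$1" | tr -d ' '
}

# Numeric owner UID of a file, via POSIX ls -n (portable across BSD/GNU stat).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Walk the given directories and print "<osabi> <uid> <path>" for every ELF
# file that is not branded FreeBSD (9) or is not owned by root (uid 0).
# Either condition matches what the post observed on the compromised host.
scan_system_binaries() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            osabi=$(elf_osabi "$f") || continue   # skip non-ELF files
            uid=$(owner_uid "$f")
            if [ "$osabi" -ne 9 ] || [ "$uid" -ne 0 ]; then
                printf '%s %s %s\n' "$osabi" "$uid" "$f"
            fi
        done
    done
}

# Typical invocation on a FreeBSD host (assumed directory list):
# scan_system_binaries /bin /sbin /usr/bin /usr/sbin /lib /usr/lib
```

Anything reported should be compared against a known-good copy of the same binary (size, owner, checksum) before drawing conclusions, since legitimately installed Linux-compat binaries will also appear.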

syslint

Well-Known Member
Verified Vendor
Oct 9, 2006
India
cPanel Access Level: Root Administrator
Someone is using the ssh sniffer. There is a chance to make harm, because the OpenSSH protocol is the same for BSD and Linux. And it is not a kernel-related exploit either.

andy.dills

By ssh sniffer, I'm assuming you mean a man-in-the-middle attack? Because I'm not aware of any recent ssh protocol vulnerabilities that we could have somehow been subject to.

Regarding "mitm attacks", I do not believe that is how they gained access to the server, as we only have a handful of people hosted on the cpanel server, and none access their account via ssh. Plus, that would then require them to get root locally once they compromised a user account, which would in turn require them understanding it was a FreeBSD server (and would require them exploiting a bug which is currently unpublished), all of which is contraindicated by the use of a Linux rootkit.

I understand there is no evidence at this point as to where the vulnerability is... all I know is I run a datacenter with countless FreeBSD servers, and none of those got hacked. Just the one running cpanel.