SSHD Rootkit

Discussion in 'Security' started by prajithp13, Feb 16, 2013.

Thread Status:
Not open for further replies.
  1. nibb

    nibb Well-Known Member

    Joined:
    Mar 22, 2008
    Messages:
    316
    Likes Received:
    5
    Trophy Points:
    68
    I'm not infected. I just posted the above info to see if this security hole is related to it.

    And if yes, then we can find a patch for it. I don't know if this is related, but some of the libraries mentioned here as affected are used with curl at compilation.
     
  2. oshs

    oshs Well-Known Member PartnerNOC

    Joined:
    Sep 5, 2004
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    166
    Hi,

    So has anyone had a server hacked which had SSH password authentication disabled?

    Does anyone have any idea of how the privileges are escalated?

    What script is being used to do this?
     
  3. LeadDogGraphics

    LeadDogGraphics Well-Known Member

    Joined:
    Feb 25, 2012
    Messages:
    97
    Likes Received:
    1
    Trophy Points:
    58
    Location:
    West Palm Beach, FL
    cPanel Access Level:
    Root Administrator
    No one knows anything yet with any level of certainty. Steven @ rack 911, is thinking it very well could be a workstation key logger on the admins workstation, however that idea is under debate seeing that there were some servers that had key auth only set.

    There are a lot of very knowledgeable people looking at this, I would imagine in the next day or two something should come to light.
     
  4. mcongosto

    mcongosto Member

    Joined:
    Aug 1, 2011
    Messages:
    24
    Likes Received:
    3
    Trophy Points:
    53
    In my case, CentOS 5.9, I had to do:

    ln -s libkeyutils-1.2.so libkeyutils.so.1
     
  5. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168
    Sound advice! A number of boxes have been taken out of action thanks to some silly script that someone keeps posting on WHT, because it doesn't even check which version is in use. Also, if your box has been rooted like this, a reinstall is the wisest thing to do.
     
  6. Greenhost

    Greenhost Well-Known Member

    Joined:
    Jan 22, 2013
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
  7. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168
    A new exploit file has been discovered, named libkeyutils-1.2.so.2.

    Note that CSF (ConfigServer Firewall) checks for both exploit files from version 5.79.
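A check that covers the relink mcongosto describes and both of Tam's points (the WHT script that relinks without looking at the installed version, and the second file libkeyutils-1.2.so.2), written as an added example that is not from this thread, from cPanel or from CSF. It audits one library directory: the name of the distribution's genuine libkeyutils build is passed in rather than assumed, the libkeyutils.so.1 symlink must point at that file and nothing else, and any other libkeyutils* file in the directory is flagged. It only prints the ln command, never runs it. The /lib path and libkeyutils-1.2.so name in the usage note are assumptions for a CentOS 5 box; the directory it is tested against is constructed.

```shell
#!/bin/sh
# audit_libkeyutils DIR EXPECTED
#   DIR      : library directory to inspect (e.g. /lib or /lib64)
#   EXPECTED : file name of the distribution's real libkeyutils build in DIR,
#              e.g. libkeyutils-1.2.so on CentOS 5 (take it from `rpm -ql keyutils-libs`;
#              do not hard-code one version for every box)
# Prints findings and returns 0 when the directory looks clean, 1 when anything is off.
# It never modifies the system; the ln command it prints is for the admin to run
# after reading the output. Example code, not from the thread or from any vendor.
audit_libkeyutils() {
    dir=$1
    expected=$2
    status=0
    link="$dir/libkeyutils.so.1"

    # 1. The genuine library must still be present.
    if [ ! -f "$dir/$expected" ]; then
        echo "WARN: $dir/$expected is missing"
        status=1
    fi

    # 2. libkeyutils.so.1 must be a symlink to the genuine library, nothing else.
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        if [ "$target" != "$expected" ]; then
            echo "ALERT: $link -> $target (expected $expected)"
            echo "  suggested fix: ln -sf $expected $link"
            status=1
        fi
    elif [ -e "$link" ]; then
        echo "ALERT: $link is a regular file, not a symlink"
        status=1
    else
        echo "WARN: $link is missing (sshd and other users of keyutils will fail to load it)"
        status=1
    fi

    # 3. Anything else named libkeyutils* in DIR (e.g. libkeyutils-1.2.so.2) is unexpected.
    for f in "$dir"/libkeyutils*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "$(basename "$f")" in
            libkeyutils.so.1|"$expected") ;;
            *) echo "ALERT: unexpected file $f"; status=1 ;;
        esac
    done
    return $status
}
```

On a CentOS 5 box the call would be `audit_libkeyutils /lib libkeyutils-1.2.so` (and /lib64 on x86_64), with the expected name taken from `rpm -ql keyutils-libs` and the file itself confirmed with `rpm -V keyutils-libs` rather than trusted by name. As Tam says, a box that has been rooted this way should be reinstalled; this only tells you whether you need to start.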
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,943
    Likes Received:
    485
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  9. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168
    AVG Free Edition for Linux also detects the exploited files: http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=171255
     
    #49 Tam, Feb 21, 2013
    Last edited: Feb 21, 2013
  10. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

    Does anybody have additional details?

    Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

    I'm wondering if -

    1. Has anybody had a similar scenario?
    2. Has cPanel scanned all office and personal machines to ensure there is no malware present? I have not found malware on any of my machines with updated MalwareBytes, but it is also important for me to emphasize that cPanel was not the only company who had access to my root login credentials.

    Thanks.

    Mike
     
  11. patchwork

    patchwork Well-Known Member

    Joined:
    Nov 2, 2001
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    316
    I'm in the same position as you: I'm also malware-free (scanned with MalwareBytes Pro and the latest NOD32). I have 2 servers hacked; cPanel, ConfigServer and the datacenter had copies of the passwords.
     
  12. southbay

    southbay Member

    Joined:
    Aug 17, 2011
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    This is off-subject, but OpenDNS is blocking the WHT site!? I'm not a member on WHT so I couldn't post over there, but I wonder why?
     
  13. patchwork

    patchwork Well-Known Member

    Joined:
    Nov 2, 2001
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    316
  14. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    287
    Likes Received:
    2
    Trophy Points:
    168
  15. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,943
    Likes Received:
    485
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I use OpenDNS and have access to WHM just fine.
     
  16. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168

    You are not alone with this. I very much doubt that cPanel have an office full of support personnel; they are probably mostly remote.
    Check the source in the headers of any email you received about the issue that led to them asking for access to your box.
     
  17. chrismfz

    chrismfz Well-Known Member

    Joined:
    Jul 4, 2007
    Messages:
    125
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    Greece
    cPanel Access Level:
    DataCenter Provider
    Any updates on this?

    I've heard lots of scenarios.
    a) remote root exploit ? If yes, exploit of what?
    a.1) ssh ?
    a.2) something else ?

    b) infected workstations ? If yes from what ?
    b.1) flash ?
    b.2) acrobat ?
    b.3) something else ?
     
  18. WhiteDog

    WhiteDog Well-Known Member

    Joined:
    Feb 19, 2008
    Messages:
    137
    Likes Received:
    3
    Trophy Points:
    68
    Some open questions on my mind...

    - People also reported boxes being hacked which had password logons disabled. Has this been debunked?
    - Since DirectAdmin boxes were also compromised, I doubt the source is (partly) cPanel staff. I doubt cPanel staff also works for other admin panels and I also doubt this is a coordinated attack.

    And last but not least: you're probably already using random passwords. Change them from time to time and especially after you have handed them out for support reasons.
     
  19. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,366
    Likes Received:
    6
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
  20. WhiteDog

    WhiteDog Well-Known Member

    Joined:
    Feb 19, 2008
    Messages:
    137
    Likes Received:
    3
    Trophy Points:
    68
    Just received this:

     