SSHD Rootkit

Im not infected. I just posted the above info to see if this security hole is related to it.

And if yes, then we can find a patch for it. I don´t know if this is related, but the some the libraries mentioned here as affected, are used with curl, on compilation.

 

Hi,

So has anyone had a server hacked which had SSH password authentication disabled?

Does anyone have any idea of how the privileges are escalated?

What script is being used to do this?

 

No one knows anything yet with any level of certainty. Steven @ rack 911, is thinking it very well could be a workstation key logger on the admins workstation, however that idea is under debate seeing that there were some servers that had key auth only set.

There are a lot of very knowledgeable people looking at this, I would imagine in the next day or two something should come to light.

 

In my case, centos 5.9, i had to do

5. ln -s libkeyutils-1.2.so libkeyutils.so.1

 

Sound advice! A number of boxes have been taken out of action thanks to some silly script that someone keeps posting on WHT because it doesn't even check which version is in use. Also if your box has been rooted like this, a reinstall is the wisest thing to do.

 

0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9

Have you header about 0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9? It's depends on libkeyutils.so.1.9 and unfortunetly if you going to deleting that you Network will be doen

visite:

http://blog.solidshellsecurity.com/2...yutils-so-1-9/

https://bbs.archlinux.org/viewtopic.php?pid=1234464

 

A new exploit file has been discovered named strings libkeyutils-1.2.so.2

Note that CSF (ConfigServer Firewall) checks for both exploit files from version 5.79

 

AVG Free Edition For Linux also detects the exploited files - /http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=171255

 

I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there are no malware present? I have not found malware on any of my machines with updated MalwareBytes - but also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike

 

I'm in the same position as you, I'm also malware free (scanned with MalwareBytes pro and latest NOD32), I have 2 servers hacked, cPanel, Configserver and the datacenter had copies of the passwords.

 

This is off-subject, but openDNS is blocking the WHT site!!? I'm not a member on WHT so I couldn't post over there, but wonder why?

 

I've just seen post Web Hosting Talk - View Single Post - FEATURED SSHD Rootkit Rolling around

The hacker rebuilds openSSH

Will Cpanel be forcing a new copy of openSSH out via the upcp cron?

Will upcp or upcp -force put a new copy of openSSH on our servers automatically?

 

I have just seen this vulnerability patch on Red Hat for openssh:

https://rhn.redhat.com/errata/RHSA-2013-0519.html

related?

 

You are not alone with this, I very much doubt that cPanel have an office full of support personnel, they are probably mostly remote.
Check the source in the headers of any email you received about the issue that lead to them asking for access to your box.

 

Any updates over this ?

I've heard lots of scenarios.
a) remote root exploit ? If yes, exploit of what?
a.1) ssh ?
a.2) something else ?

b) infected workstations ? If yes from what ?
b.1) flash ?
b.2) acrobat ?
b.3) something else ?

 

Some open questions on my mind...

- People also reported boxes being hacked which had lpassword logons disabled. This has been debunked?
- Since DirectAdmin boxes were also compromised, I doubt the source is (partly) cPanel staff. I doubt cPanel staff also works for other admin panels and I also doubt this is a coordinated attack.

And last but not least: you're probably already using random passwords. Change them from time to time and especially after you have handed them out for support reasons.

 

Take a read here:

ISC Diary | SSHD rootkit in the wild

 

Just received this: