SSHD Rootkit

[nibb]

Im not infected. I just posted the above info to see if this security hole is related to it.

And if yes, then we can find a patch for it. I don´t know if this is related, but the some the libraries mentioned here as affected, are used with curl, on compilation.

 

[oshs]

Hi,

So has anyone had a server hacked which had SSH password authentication disabled?

Does anyone have any idea of how the privileges are escalated?

What script is being used to do this?

 

[LeadDogGraphics]

No one knows anything yet with any level of certainty. Steven @ rack 911, is thinking it very well could be a workstation key logger on the admins workstation, however that idea is under debate seeing that there were some servers that had key auth only set.

There are a lot of very knowledgeable people looking at this, I would imagine in the next day or two something should come to light.

 

[mcongosto]

Action required:
------------------------------
Our managed cPanel customers need not do anything unless contacted directly
by us. Self managed customers will need to do the following to detect the
file in question and correct the exploit:

1. SSH to server
2. Run 'updatedb'
3. Run 'locate libkeyutils.so.1.9'

Please follow the steps below to clear the expliot.

1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections

In my case, centos 5.9, i had to do

5. ln -s libkeyutils-1.2.so libkeyutils.so.1

 

[Tam]

In my case, centos 5.9, i had to do

5. ln -s libkeyutils-1.2.so libkeyutils.so.1

Sound advice! A number of boxes have been taken out of action thanks to some silly script that someone keeps posting on WHT because it doesn't even check which version is in use. Also if your box has been rooted like this, a reinstall is the wisest thing to do.

 

[Greenhost]

0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9

Have you header about 0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9? It's depends on libkeyutils.so.1.9 and unfortunetly if you going to deleting that you Network will be doen

visite:

http://blog.solidshellsecurity.com/2...yutils-so-1-9/

https://bbs.archlinux.org/viewtopic.php?pid=1234464

 

[Tam]

A new exploit file has been discovered named strings libkeyutils-1.2.so.2

Note that CSF (ConfigServer Firewall) checks for both exploit files from version 5.79

 

[Infopro]

Thanks for the heads up!
ConfigServer Blog » New csf v5.79

 

[Tam]

AVG Free Edition For Linux also detects the exploited files - /http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=171255

 

[lbeachmike]

I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there are no malware present? I have not found malware on any of my machines with updated MalwareBytes - but also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike

 

[patchwork]

I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there are no malware present? I have not found malware on any of my machines with updated MalwareBytes - but also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike

I'm in the same position as you, I'm also malware free (scanned with MalwareBytes pro and latest NOD32), I have 2 servers hacked, cPanel, Configserver and the datacenter had copies of the passwords.

 

[southbay]

This is off-subject, but openDNS is blocking the WHT site!!? I'm not a member on WHT so I couldn't post over there, but wonder why?

 

[patchwork]

I've just seen post Web Hosting Talk - View Single Post - FEATURED SSHD Rootkit Rolling around

The hacker rebuilds openSSH

Will Cpanel be forcing a new copy of openSSH out via the upcp cron?

Will upcp or upcp -force put a new copy of openSSH on our servers automatically?

 

[hicom]

I have just seen this vulnerability patch on Red Hat for openssh:

https://rhn.redhat.com/errata/RHSA-2013-0519.html

related?

 

[Infopro]

This is off-subject, but openDNS is blocking the WHT site!!? I'm not a member on WHT so I couldn't post over there, but wonder why?

I use OpenDNS and have access to WHM just fine.

 

[Tam]

I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there are no malware present? I have not found malware on any of my machines with updated MalwareBytes - but also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike

I'm in the same position as you, I'm also malware free (scanned with MalwareBytes pro and latest NOD32), I have 2 servers hacked, cPanel, Configserver and the datacenter had copies of the passwords.

You are not alone with this, I very much doubt that cPanel have an office full of support personnel, they are probably mostly remote.
Check the source in the headers of any email you received about the issue that lead to them asking for access to your box.

 

[chrismfz]

Any updates over this ?

I've heard lots of scenarios.
a) remote root exploit ? If yes, exploit of what?
a.1) ssh ?
a.2) something else ?

b) infected workstations ? If yes from what ?
b.1) flash ?
b.2) acrobat ?
b.3) something else ?

 

[WhiteDog]

Some open questions on my mind...

- People also reported boxes being hacked which had lpassword logons disabled. This has been debunked?
- Since DirectAdmin boxes were also compromised, I doubt the source is (partly) cPanel staff. I doubt cPanel staff also works for other admin panels and I also doubt this is a coordinated attack.

And last but not least: you're probably already using random passwords. Change them from time to time and especially after you have handed them out for support reasons.

 

[sawbuck]

Take a read here:

ISC Diary | SSHD rootkit in the wild

 

[WhiteDog]

Just received this:

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.

--cPanel Security Team