Sshd rootkit comments?
- Posts: 7
- Joined: 2012/06/21 12:41:55
Sshd rootkit comments?
Does anyone on the support team have more information related to this: http://www.lowendtalk.com/discussion/8146/sshd-rootkit-exploit
Sshd rootkit comments?
The current thinking is that this is a cPanel problem. They have mailed their customer list saying that they have discovered a server in their support department that has been compromised, and that anyone who has raised a ticket with them in the last 6 months and allowed cPanel personnel root access to their server is probably also compromised, due to credential sniffing. The attackers install a file /lib{,64}/libkeyutils.so.1.9 and then change the /lib{,64}/libkeyutils.so.1 symlink to point to their replacement library instead of the correct version (libkeyutils.so.1.2 on CentOS 5, libkeyutils.so.1.3 on CentOS 6).
If you have a cPanel server in your installation and have raised a ticket with them in the last year, then it's worth checking all your servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9 should not exist, and if it does then the chances are that you have been compromised. Running `rpm -V keyutils-libs` should return no output (meaning that everything verifies OK).
If the file does exist then it has been sending details of all logins made to this server. If you use this server to ssh onwards to other machines, then it has also gathered and sent details of those too.
This is NOT an sshd vulnerability; it's a keylogger installed on a support department machine that's been sending login details back to an attacker.
In case of compromise, your next steps are to back up your valuable data and reinstall the server from fresh, verified media. You also need to change all ssh keys and all passwords.
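A check script for the indicators listed in the post above, added here as an example; it is not part of the original thread and not cPanel's or CentOS's own tooling. It assumes only what the post states (an extra libkeyutils.so.1.9 file, a libkeyutils.so.1 symlink that no longer points at the packaged 1.2 or 1.3 library, and a clean `rpm -V keyutils-libs`); the function names and the optional root-directory argument are my own so the checks can be run against a mounted image as well as the live host.

```shell
#!/bin/sh
# Added example (not from the original thread): look for the libkeyutils
# indicators described in the post. Exit status 0 = nothing found, 1 = at
# least one indicator present. ROOT defaults to / ; pass a mount point of an
# offline image to check it instead.

# check_libdir DIR: inspect one library directory (e.g. /lib64).
check_libdir() {
    dir="$1"
    status=0
    [ -d "$dir" ] || return 0            # directory absent on this arch: nothing to check

    # Indicator 1: the rogue library file itself should never exist.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        status=1
    fi

    # Indicator 2: the SONAME symlink must still point at the packaged
    # version (libkeyutils.so.1.2 on CentOS 5, libkeyutils.so.1.3 on CentOS 6).
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(basename "$(readlink "$dir/libkeyutils.so.1")")
        case "$target" in
            libkeyutils.so.1.2|libkeyutils.so.1.3) ;;
            *)
                echo "SUSPICIOUS: $dir/libkeyutils.so.1 -> $target"
                status=1 ;;
        esac
    fi
    return $status
}

# check_rpm: the post says a clean host gives no output from this command.
# Any output (modified file, missing file, package not installed) is reported.
check_rpm() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "NOTE: rpm not available here, skipping package verification"
        return 0
    fi
    out=$(rpm -V keyutils-libs 2>&1) || true   # rpm -V exits non-zero on any mismatch
    if [ -n "$out" ]; then
        echo "SUSPICIOUS: rpm -V keyutils-libs reported:"
        echo "$out"
        return 1
    fi
    return 0
}

# check_host [ROOT]: run every check; returns 1 if anything was flagged.
check_host() {
    root="${1:-/}"
    root="${root%/}"                      # strip trailing slash so "/" -> "" -> "/lib"
    rc=0
    for d in "$root/lib" "$root/lib64"; do
        check_libdir "$d" || rc=1
    done
    check_rpm || rc=1
    return $rc
}

if check_host "${ROOT:-/}"; then
    echo "No libkeyutils indicators found"
else
    echo "Indicators found: treat this host as compromised (reinstall, rotate keys and passwords)"
fi
```

Run it as root on each server (`sh check-keyutils.sh`), or with `ROOT=/mnt/image` against a disk image mounted read-only; the symlink and file checks are meaningful offline, the `rpm -V` check only on the live system. A clean result only says these particular indicators are absent, so it does not replace the reinstall the post recommends once a host is known to be affected.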
Re: Sshd rootkit comments?
Thanks, fortunately there are no problems here.
I posted this mainly because I am unable to understand how the rootkit was able to install itself.
So it is not possible for the fake library to be installed remotely, right?
Re: Sshd rootkit comments?
Right now, the consensus is that the rogue library is not installed by way of a CentOS exploit.
As long as you do not use cPanel or, if you do, you haven't raised a ticket with them for > 1 year and given them your login credentials, then you should be safe.