SSHD rootKit exploit libkeyutils.so

It has recently come to light that there is a security exploit affecting, or targeting, CloudLinux and CentOS systems running cPanel. We believe the compromise is carried out via the SSH server.


So far, CloudLinux knows the following:

The rootkit deposits the file /lib64/libkeyutils.so.1.9 on 64-bit systems and /lib/libkeyutils.so.1.9 on 32-bit systems.
It changes the symlink /lib64/libkeyutils.so.1 (or /lib/libkeyutils.so.1) to point to that library.

We believe this library gives the attacker full root access, so they can do absolutely anything with the server: steal passwords, SSH keys and /etc/shadow from the system, use it as a backdoor to access the server at any time, and send spam.

Solution: 1

Run the following shell script to find out whether your server is infected.

#vi check.sh

#!/bin/bash
# Looks for the file names the rootkit is known to deposit (listed above)
# and reports the first one found. Note the exit codes: 0 means a rogue
# library was found (compromised), 1 means none of the known files exist.

LIB64=/lib64/libkeyutils.so.1.9
LIB64_1=/lib64/libkeyutils-1.2.so.2
LIB32=/lib/libkeyutils.so.1.9
LIB32_1=/lib/libkeyutils-1.2.so.2

if [ -f "$LIB64" ]; then
echo "The server is compromised, $LIB64 found"
exit 0
fi

if [ -f "$LIB64_1" ]; then
echo "The server is compromised, $LIB64_1 found"
exit 0
fi

if [ -f "$LIB32" ]; then
echo "The server is compromised, $LIB32 found"
exit 0
fi

if [ -f "$LIB32_1" ]; then
echo "The server is compromised, $LIB32_1 found"
exit 0
fi

echo "Cannot find compromised library"
exit 1

#chmod 755 check.sh

#sh check.sh
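The check script above only tests whether the known rogue file names exist. The following is an added example, not the KB's or CloudLinux's script: it also inspects where the libkeyutils.so.1 symlink points, since the rootkit re-points that link, and flags any target that is not one of the distribution libraries the clean-up step restores. The function name and the --scan flag are my own constructs.

```shell
#!/bin/bash
# Added example, not the KB's own script: inspect one library directory for
# the libkeyutils tampering described above. A directory is flagged when a
# rogue file is present or when libkeyutils.so.1 no longer points at one of
# the distribution's own libraries (the names the clean-up script restores).
GOOD_TARGETS="libkeyutils-1.2.so libkeyutils.so.1.3"
ROGUE_NAMES="libkeyutils.so.1.9 libkeyutils-1.2.so.2"

# Usage: check_libkeyutils_dir /lib64
# Prints each finding; returns 0 when clean, 1 when anything is suspicious.
check_libkeyutils_dir() {
    dir="$1"
    findings=0
    for name in $ROGUE_NAMES; do
        if [ -e "$dir/$name" ]; then
            echo "SUSPICIOUS: rogue file $dir/$name present"
            findings=$((findings + 1))
        fi
    done
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        target=${target##*/}   # compare the basename; target may be absolute
        ok=0
        for good in $GOOD_TARGETS; do
            [ "$target" = "$good" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "SUSPICIOUS: $link -> $target is not a known distribution library"
            findings=$((findings + 1))
        fi
    elif [ -e "$link" ]; then
        echo "SUSPICIOUS: $link is a regular file; a symlink was expected"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# When run as "./libkeyutils_check.sh --scan", check the directories the
# article names and exit non-zero if either one is suspicious.
if [ "${1:-}" = "--scan" ]; then
    status=0
    for d in /lib64 /lib; do
        [ -d "$d" ] && { check_libkeyutils_dir "$d" || status=1; }
    done
    exit "$status"
fi
```

On RPM-based systems, rpm -V keyutils-libs is a useful complementary check, since it reports any file of that package whose contents or symlink target no longer match the package database.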

Use the following script to clean up the libkeyutils library.

USE IT AT YOUR OWN RISK, THE SCRIPT WASN’T FULLY TESTED

#vi clean.sh

#!/bin/bash
# Re-points the hijacked libkeyutils.so.1 symlink at the distribution's own
# library and removes the rootkit's file.

# Known-good libraries the symlink should point to
LIB64_13=/lib64/libkeyutils.so.1.3
LIB64_12=/lib64/libkeyutils-1.2.so
LIB64_1=/lib64/libkeyutils.so.1
LIB32_13=/lib/libkeyutils.so.1.3
LIB32_12=/lib/libkeyutils-1.2.so
LIB32_1=/lib/libkeyutils.so.1
LIB32=""
LIB64=""

# File names the rootkit deposits
LIB64_h1=/lib64/libkeyutils.so.1.9
LIB32_h1=/lib/libkeyutils.so.1.9
LIB64_h2=/lib64/libkeyutils-1.2.so.2
LIB32_h2=/lib/libkeyutils-1.2.so.2

LINK=""
BAD_LIB=""
FIX_LIB=""

# Record which rogue file is present and on which architecture
if [ -f "$LIB64_h1" ]; then
    BAD_LIB=$LIB64_h1
    LIB64="HACK"
fi

if [ -f "$LIB64_h2" ]; then
    BAD_LIB=$LIB64_h2
    LIB64="HACK"
fi

if [ -f "$LIB32_h1" ]; then
    BAD_LIB=$LIB32_h1
    LIB64=""
    LIB32="HACK"
fi

if [ -f "$LIB32_h2" ]; then
    BAD_LIB=$LIB32_h2
    LIB64=""
    LIB32="HACK"
fi

#echo $BAD_LIB, 64, $LIB64, 32, $LIB32
# Pick the good library the symlink will be pointed back to
if [ "x$LIB64" = "xHACK" ]; then
    LINK=$LIB64_1
    if [ -f "$LIB64_12" ]; then
        FIX_LIB=$LIB64_12
    elif [ -f "$LIB64_13" ]; then
        FIX_LIB=$LIB64_13
    else
        echo "Cannot find good library, giving up"
        exit 1
    fi
fi

if [ "x$LIB32" = "xHACK" ]; then
    LINK=$LIB32_1
    if [ -f "$LIB32_12" ]; then
        FIX_LIB=$LIB32_12
    elif [ -f "$LIB32_13" ]; then
        FIX_LIB=$LIB32_13
    else
        echo "Cannot find good library, giving up"
        exit 1
    fi
fi

# Re-point the symlink and delete the rogue library
if [ ! -z "$FIX_LIB" ]; then
    #  echo $LINK, $FIX_LIB $BAD_LIB
    rm -f "$LINK"
    ln -s "$FIX_LIB" "$LINK"
    rm -f "$BAD_LIB"
    echo "Clean up is done, please reboot the server ASAP"
else
    echo "Cannot find compromised library"
fi

#chmod 755 clean.sh

#sh clean.sh

Reboot your server.

To protect against this malware:

Install a CSF/APF firewall and secure your SSH.
Change all of your root passwords and key pairs from a clean computer.
Keep your server software up to date.
Disable root logins and/or firewall off your SSH port.
Upgrade Flash and Java on your computers.
Run malware scans on your computers.

Solution: 2

1. SSH to the server
2. Run 'updatedb'
3. Run 'locate libkeyutils.so.1.9'

Please follow the steps below to clear the exploit.

1. SSH to the server
2. cd /lib64/ (or /lib/ on 32-bit systems)
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart SSH
7. Run 'yum update kernel' and reboot to close any active connections

For more information, please check the CloudLinux blog:
http://www.cloudlinux.com/blog/clnews/sshd-exploit.php
