0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9

They only know of one possibility so far:
One of the vulnerabilities used by the backdoor is CVE-2012-5671, remote code execution in Exim.
Most people updated to 4.80.1 in October last year. So that is one.
Also systems with CageFS installed were hacked.

However, if you have csf/lfd installed, it was already implemented to watch for this library 3 versions ago:
Added new LF_EXPLOIT check SSHDSPAM to check for the existence of
/lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9, See:
http://www.webhostingtalk.com/showthread.php?t=1235797
We're at 5.79 at the moment.

However, this can be dangerous too:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0871
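Added example, not code from the thread or from csf/lfd: a shell check that reproduces the SSHDSPAM indicator test quoted above (existence of /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9) and then asks rpm whether any such file belongs to an installed package, since an unowned copy of a system library is the stronger signal than the file name alone. The ROOT prefix argument is an assumption added so the check can be pointed at a mounted disk image or a test tree.

```shell
#!/bin/sh
# Added example (not the thread's or csf/lfd's code): SSHDSPAM indicator check.

# Paths the thread names as the indicator of the libkeyutils backdoor.
SSHDSPAM_PATHS="/lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9"

# find_sshdspam_indicator [ROOT]
# Prints every indicator path that exists under ROOT (default: the live system).
# Returns 0 if at least one was found, 1 if none.
find_sshdspam_indicator() {
    root=${1:-}
    found=1
    for p in $SSHDSPAM_PATHS; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
            found=0
        fi
    done
    return $found
}

# library_is_packaged PATH
# Returns 0 if rpm reports the file as owned by an installed package,
# 1 if it is unowned or rpm is not available. A libkeyutils.so.1.* that no
# package owns should not exist on a stock CentOS system.
library_is_packaged() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -qf "$1" >/dev/null 2>&1
}

# report_sshdspam [ROOT]
# Combines both checks and prints one verdict line per hit.
# Returns 0 when an unowned indicator file exists (suspicious), 1 otherwise.
report_sshdspam() {
    suspicious=1
    for f in $(find_sshdspam_indicator "${1:-}"); do
        if library_is_packaged "$f"; then
            echo "PACKAGED  $f (owned by an installed RPM; verify with rpm -V)"
        else
            echo "UNOWNED   $f (no package owns this library)"
            suspicious=0
        fi
    done
    return $suspicious
}

# Usage: report_sshdspam            # live system
#        report_sshdspam /mnt/disk  # mounted image
```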
It seems very, very likely that the compromised servers are compromised because the admins' desktop PCs are infected, and not because of any vulnerability on the server itself. Please read these three posts which support that:

http://www.webhostingtalk.com/showpost.php?p=8567829&postcount=978

http://www.webhostingtalk.com/showpost.php?p=8567877&postcount=995

http://www.webhostingtalk.com/showpost.php?p=8567905&postcount=1000

But it gets worse! One of the cPanel (the company) servers was also infected by this, and every time cPanel technical support logged in to any server from that desktop, the root password of the server would be sent to the hacker!

Here is a quote from the email cPanel sent out:

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.

Read more about it here: http://www.webhostingtalk.com/showthread.php?t=1240325 - I feel bad for the victims of cPanel support, but I could not care less about cPanel (the company) itself, I am a very happy DirectAdmin customer! :)
 
That shows how important it is to regularly scan your Windows desktops (if present) with a good malware scanner like Malwarebytes. I scan mine at least once a month.

We have a cPanel server among our servers too, but we have not contacted support in the last year or two. :)