Are any DA servers affected by this? [libkeyutils.so.1.9]

ditto

There is a very interesting thread at Webhostingtalk right now. If you find this file on your server, your server is infected: libkeyutils.so.1.9 (the file does not exist in any official repository). If you only find libkeyutils.so.1.3, you are not infected. Please read the thread here: http://www.webhostingtalk.com/showthread.php?t=1235797

So far there have been no reports of DirectAdmin servers infected by this, but it seems to be an unknown security issue in either CentOS or cPanel; nobody knows how the hackers are getting in in the first place, only that if you find libkeyutils.so.1.9 on your server, your server is compromised.

You can run these commands to check if your server has libkeyutils.so.1.9 or not:

Code:
updatedb
locate libkeyutils.so.1.9

I am asking whether any of you have found this file on your server or not. If nobody has, then the unknown security issue might not affect DirectAdmin servers. I have three DirectAdmin servers running CentOS 6.3 64-bit, and none of them are affected yet.
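The check above only looks the file up by name. As an added example (not code from the thread, from DirectAdmin or from the WHT script), here is a small POSIX shell script that takes the library directories named later in the thread (/lib64 and /lib) as arguments, reports whether libkeyutils.so.1.9 is present, shows what the libkeyutils.so.1 symlink resolves to, and on RPM-based systems lists any libkeyutils file that no package owns. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect library directories for
# the libkeyutils.so.1.9 indicator and show what the libkeyutils.so.1
# symlink (the name the dynamic loader actually opens) resolves to.
# Usage: sh check_libkeyutils.sh /lib64 /lib
# Exit status: 0 = no indicator found, 1 = indicator found.

check_libkeyutils() {
    status=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # 1. The file name reported in the thread (not shipped by any
        #    official repository).
        if [ -e "$dir/libkeyutils.so.1.9" ]; then
            echo "SUSPECT: $dir/libkeyutils.so.1.9 exists"
            ls -la "$dir/libkeyutils.so.1.9"
            status=1
        fi
        # 2. The loader follows libkeyutils.so.1; show where it points and
        #    flag it if it has been repointed at the indicator.
        link="$dir/libkeyutils.so.1"
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            echo "INFO: $link -> $target"
            case "$target" in
                *libkeyutils.so.1.9)
                    echo "SUSPECT: $link resolves to libkeyutils.so.1.9"
                    status=1 ;;
            esac
        fi
    done
    return $status
}

# On RPM-based systems (CentOS/RHEL, as in the thread) every libkeyutils
# file should belong to a package; anything unowned deserves a closer look.
check_package_ownership() {
    for dir in "$@"; do
        for f in "$dir"/libkeyutils.so*; do
            [ -e "$f" ] || continue
            rpm -qf "$f" >/dev/null 2>&1 || echo "SUSPECT: $f is not owned by any package"
        done
    done
}

if [ $# -gt 0 ]; then
    check_libkeyutils "$@"
    if command -v rpm >/dev/null 2>&1; then check_package_ownership "$@"; fi
fi
```

Run it as root so that a file with mode 000 (as in the ls output later in this thread) can still be inspected.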
Sounds like something to look out for. But is the link between libkeyutils.so.1.9 and that zero day confirmed?
 
No, I have not read/seen anybody confirming that CVE-2013-0871 is the reason for the libkeyutils.so.1.9-compromised servers. I don't think anybody knows how this is happening yet. But maybe it is likely that CVE-2013-0871 is the reason; it sure seems to be serious enough. I am just watching and reading what everyone else is saying/doing, and hoping that we will soon have an answer.
 
I am following the thread on wht com.
But I am wondering if there are any directadmin servers compromised by this hack?

I am closely monitoring ours, they seem ok ...
 
I have read all 30 pages at webhostingtalk.com, and there is only one report of a DirectAdmin server being compromised by this. It is user "egillette" who claims that one of his servers running DirectAdmin has the file libkeyutils.so.1.9; here is the post: http://www.webhostingtalk.com/showpost.php?p=8560854&postcount=124

The only thing that seems very reliable, from all the reports in the discussion, is that all of them are running RHEL-based servers, both 5.x and 6.x, and both 32- and 64-bit.
 
My server has been infected by this... :(
What's the best way to resolve this issue?
Please help me.
 
@tarsiran - there is a temporary fix and someone made a script for it, please read these three forum posts:

http://www.webhostingtalk.com/showpost.php?p=8563864&postcount=299

http://www.webhostingtalk.com/showpost.php?p=8565029&postcount=454

http://www.webhostingtalk.com/showpost.php?p=8565235&postcount=482 (it is the same script in all three links, but read them all, and then use the command in this newest post)

Can you please run the following commands and post the output here, so that we can try to learn how the hackers get in? Please copy/paste everything, so that we can see what versions you are running:

Code:
cd /usr/local/directadmin/custombuild
./build versions
@tarsiran, also, what OS are you running, is it CentOS? Do you have the latest kernel from CentOS installed, or an older one? Also, please confirm that you did find the /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9 file on your server. If you only find /lib64/libkeyutils.so.1.3 or /lib/libkeyutils.so.1.3, then you are not infected.
 
Finally it seems the mystery is solved: http://www.webhostingtalk.com/showpost.php?p=8567829&postcount=978

nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in dns packets out port 53.

He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

IPs all match the suspect IPs here.

If you have a server affected by this, your workstation has been compromised.

So if you run Java, Adobe Flash Player or Adobe Reader on your computer, you should scan your computer; if you are clean, your servers should be safe from this. :) Personally I never have any of those installed on my desktop.
 

[root@xlhost custombuild]# ./build versions
Latest version of DirectAdmin: 1.42.1
Installed version of DirectAdmin: 1.42.1

Latest version of Apache: 2.2.23
Installed version of Apache: 2.2.23

Latest version of PCRE: 8.20
Installed version of PCRE: 8.20

Latest version of FreeType: 2.4.11
Installed version of FreeType: 2.4.11

Latest version of dovecot: 2.1.12
Installed version of dovecot: 2.1.12

Latest version of Exim: 4.80.1
Installed version of Exim: 4.80.1

Latest version of ClamAV: 0.97.6
Installed version of ClamAV: 0.97.6

Latest version of MySQL: 5.1.67
Installed version of MySQL: 5.1.67

Latest version of PHP (CLI): 5.2.17
Installed version of PHP (CLI): 5.2.17

Latest version of Atmail: 1.04
Installed version of Atmail: 1.04

Latest version of RoundCube webmail: 0.8.4
Installed version of RoundCube webmail: 0.8.4

Latest version of phpMyAdmin: 3.5.5-all-languages
Installed version of phpMyAdmin: 3.5.5-all-languages

Latest version of SquirrelMail: 1.4.22
Installed version of SquirrelMail: 1.4.22
 

I have the latest version of Avast security and Trojan Remover on my PC but can't find anything...
Which software should I use to scan my PC?
 
[root@xlhost custombuild]
Latest version of phpMyAdmin: 3.5.5-all-languages
Installed version of phpMyAdmin: 3.5.5-all-languages

That was very strange, because the latest version of phpMyAdmin is 3.5.7, and 3.5.7 is available in custombuild (at least for me).
 

Two years ago I used Avast, but I don't think it is the best choice any longer. Instead I am now using Microsoft Security Essentials http://www.microsoft.com/security_essentials/ - but please remember that you should not have more than one antivirus software installed at the same time, so if you want to install Microsoft Security Essentials, then you should first uninstall Avast. You could try it and see if it finds anything Avast did not find. I can't really advise about this; maybe someone else has some advice. Maybe your computer was infected several months ago, but is clean now? Maybe your server was infected several months ago too?

My advice would be to be absolutely sure that your home computer is clean first (maybe even format the hard drive and install Windows again?), and then rebuild your server and import the backups of the DirectAdmin user accounts. I wish you good luck. Hopefully someone else can advise more.
 
:( so what should i do right now dude?

Regarding the fact that you don't have the newest phpMyAdmin available in custombuild, you could try to run ./build update to see if that changes anything. But that should not be your concern at the moment; it is more important that you work on the problem of the server being compromised. But here is the code:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build versions

And then see if it says a newer version of phpMyAdmin is available or not. If not, I think the DirectAdmin mirror that you are connected to is not correctly updated. But that is only a guess.
Thanks so much, dear ditto.
But I have about 400 accounts on my server and I don't want to do an OS reload :( I want to fix the problem and prevent malware.

[root@xlhost custombuild]# ls -lah /lib64 | grep libkey
lrwxrwxrwx 1 root root 18 Feb 20 06:08 libkeyutils.so.1 -> libkeyutils.so.1.9
-rwxr-xr-x 1 root root 10K Jun 22 2012 libkeyutils.so.1.3
---------- 1 root root 34K Feb 19 21:45 libkeyutils.so.1.9
 
I tried this and now it shows me:

[root@xlhost custombuild]# ./build versions
Latest version of DirectAdmin: 1.42.1
Installed version of DirectAdmin: 1.42.1

Latest version of Apache: 2.2.23
Installed version of Apache: 2.2.23

Latest version of PCRE: 8.20
Installed version of PCRE: 8.20

Latest version of FreeType: 2.4.11
Installed version of FreeType: 2.4.11

Latest version of dovecot: 2.1.15
Installed version of dovecot: 2.1.12

Dovecot 2.1.12 to 2.1.15 update is available.

Latest version of Exim: 4.80.1
Installed version of Exim: 4.80.1

Latest version of ClamAV: 0.97.6
Installed version of ClamAV: 0.97.6

Latest version of MySQL: 5.1.68
Installed version of MySQL: 5.1.67

MySQL 5.1.67 to 5.1.68 update is available.

Latest version of PHP (CLI): 5.2.17
Installed version of PHP (CLI): 5.2.17

Latest version of Atmail: 1.04
Installed version of Atmail: 1.04

Latest version of RoundCube webmail: 0.8.5
Installed version of RoundCube webmail: 0.8.4

RoundCube webmail 0.8.4 to 0.8.5 update is available.

Latest version of phpMyAdmin: 3.5.7-all-languages
Installed version of phpMyAdmin: 3.5.5-all-languages

phpMyAdmin 3.5.5-all-languages to 3.5.7-all-languages update is available.

Latest version of SquirrelMail: 1.4.22
Installed version of SquirrelMail: 1.4.22

If you want to update all the available versions run: ./build update_versions