SSHD Exploit

Many of you are aware of SSHD exploit going around hosting comunity. It seems to affect servers running CloudLinux, CentOS & cPanel.

There are also reports of DirectAdmin, Plesk & non-RHEL based distributions being affected.

Detailed discussion can be found here: http://www.webhostingtalk.com/showthread.php?t=1235797

We believe the exploit is done via SSH server.

So far we know:

Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems

It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.

We believe this library is:

stealing passwords, ssh keys & /etc/shadow from the system

used as a backdoor to access server at any time

send spam

We have seen the change in the payload over time. Hacker has full root access, and can do absolutely anything with the server.

We have noticed that once cleaned up, servers often get re-infected.

Kaip patikrinti ar naudojat:

#!/bin/bash

LIB64=/lib64/libkeyutils.so.1.9
LIB32=/lib/libkeyutils.so.1.9

if [ -f $LIB64 ]; then
 echo The server is compromised, $LIB64 found
 exit 0
fi

if [ -f $LIB32 ]; then
 echo The server is compromised, $LIB32 found
 exit 0
fi
echo "Cannot find compromised library"
exit 1

IŠVALYTI - DĖMĖSIO ŠĮ VEIKSMĄ ATLIEKATE SAVO RIZIKA:

#!/bin/bash

LIB64=/lib64/libkeyutils.so.1.9
LIB64_13=/lib64/libkeyutils.so.1.3
LIB64_12=/lib64/libkeyutils.so.1.2
LIB64_1=/lib64/libkeyutils.so.1
LIB32=/lib/libkeyutils.so.1.9
LIB32_13=/lib/libkeyutils.so.1.3
LIB32_12=/lib/libkeyutils.so.1.2
LIB32_1=/lib/libkeyutils.so.1
LINK=""
BAD_LIB=""


if [ -f $LIB64 ]; then
 LINK=$LIB64_1
 BAD_LIB=$LIB64
 if [ -f $LIB64_12 ]; then
   FIX_LIB=$LIB64_12
 elif [ -f $LIB64_13 ]; then
   FIX_LIB=$LIB64_13
 else
   echo "Cannot find good libary, giving up"
 fi
fi

if [ -f $LIB32 ]; then
 BAD_LIB=$LIB64
 LINK=$LIB32_1
 if [ -f $LIB32_12 ]; then
   FIX_LIB=$LIB32_12
 elif [ -f $LIB32_13 ]; then
   FIX_LIB=$LIB32_13
 else
   echo "Cannot find good libary, giving up"
 fi
fi

if [ ! -z "$FIX_LIB" ]; then
#  echo $LINK, $FIX_LIB $BAD_LIB
 rm -f $LINK
 ln -s $FIX_LIB $LINK
 rm -f $BAD_LIB
 echo "Clean up is done, please reboot the server ASAP"
else
 echo "Cannot find compromised library"
fi

Restartuokite savo serverį.