SSH exploit
We are aware of the recent SSHD exploit that is affecting cPanel servers running CloudLinux and CentOS. It is also reported that Plesk, DA and non-RHEL distributions are affected.
The exploit works through the SSH server. On 64-bit and 32-bit servers the rootkit drops /lib64/libkeyutils.so.1.9 and /lib/libkeyutils.so.1.9 respectively, and changes the symlink /lib64/libkeyutils.so.1 (or /lib/libkeyutils.so.1) to point at that library.
On an unaffected server the link looks like this:
===============
root@server [~]# ls -ld /lib64/libkeyutils.so*
lrwxrwxrwx 1 root root 18 Apr 23 2012 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*
================
This exploit can be used to steal passwords, SSH keys and /etc/shadow, to send spam, or to act as a backdoor into your server.
CloudLinux has released the following script to test whether your server is infected. You can check by running:
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
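As an added example (not the CloudLinux script, and not from the original post), the following POSIX shell script checks the same indicator locally, so you can read what it does instead of piping a remote script into bash. It takes the library filename the distro package is known to ship (libkeyutils-1.2.so on the CentOS 5 system shown above; "rpm -ql keyutils-libs" lists it for other releases) and flags a libkeyutils.so.1 link that points anywhere else, plus any extra libkeyutils file in the directory. The function names, the "scan" argument and the choice of /lib64 and /lib are this example's own assumptions. One caveat: the bare filename libkeyutils.so.1.9 was a useful indicator only on the systems this post describes; current keyutils releases (1.6.x) install a genuine libkeyutils.so.1.9, so always compare against what your package manager shipped rather than the name alone.

```shell
#!/bin/sh
# Added example: local check for the retargeted libkeyutils.so.1 link.
# Not the CloudLinux check.sh; function names are this example's own.

# check_libkeyutils_dir DIR EXPECTED
#   DIR      - library directory to inspect (e.g. /lib64)
#   EXPECTED - filename the distro package ships there (e.g. libkeyutils-1.2.so)
# Prints each finding; returns 0 if clean, 1 if anything looks wrong.
check_libkeyutils_dir() {
    dir="$1"
    expected="$2"
    bad=0
    link="$dir/libkeyutils.so.1"

    # Indicator 1: the soname link must point at the packaged library.
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        if [ "$target" != "$expected" ]; then
            echo "SUSPECT: $link -> $target (expected $expected)"
            bad=1
        fi
    elif [ -e "$link" ]; then
        echo "SUSPECT: $link is a regular file, not a symlink"
        bad=1
    fi

    # Indicator 2: no libkeyutils file other than the link and the packaged
    # library should exist here (the rootkit drops libkeyutils.so.1.9).
    for f in "$dir"/libkeyutils.so.* "$dir"/libkeyutils-*.so; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        name=${f##*/}
        case "$name" in
            libkeyutils.so.1|"$expected") ;;
            *) echo "SUSPECT: unexpected file $f"; bad=1 ;;
        esac
    done
    return $bad
}

# check_system EXPECTED
# Runs the directory check on /lib64 and /lib, then lets rpm verify the
# keyutils-libs package (rpm -V reports the retargeted link too) when rpm exists.
check_system() {
    expected="$1"
    rc=0
    for d in /lib64 /lib; do
        [ -e "$d/libkeyutils.so.1" ] || [ -L "$d/libkeyutils.so.1" ] || continue
        check_libkeyutils_dir "$d" "$expected" || rc=1
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs || rc=1
    fi
    return $rc
}

# Usage (assumed invocation): sh check_keyutils.sh scan libkeyutils-1.2.so
if [ "${1:-}" = "scan" ]; then
    if check_system "${2:-libkeyutils-1.2.so}"; then
        echo "CLEAN"
    else
        echo "INFECTED or modified - investigate before trusting this host"
    fi
fi
```

Run it from a shell you trust, and treat any SUSPECT line as a reason to follow the clean-up steps below rather than as the end of the investigation; the rootkit hooks sshd, so the credentials used on the box are to be considered captured either way.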
To clean up the libkeyutils library:
USE IT AT YOUR OWN RISK, THE SCRIPT WASN'T FULLY TESTED
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash
and then reboot the server.
There is a chance that the server will be re-infected. To prevent this, block SSH from the public Internet and allow it only from the IPs that need it. Also change the passwords and SSH keys that were used on the server, since the rootkit may have captured them.
A detailed discussion of this topic can be found at:
http://www.webhostingtalk.com/showthread.php?t=1235797
http://forums.cpanel.net/f185/sshd-rootkit-323962-p6.html