Saturday, February 23, 2013

sshd rootkit exploit reported

Recently sshd rootkit exploited in cPanel , CentOs, CloudLinux , DirectAdmin, Plesk etc.

Once this happened hackers can steal passwords, ssh keys ,  /etc/shadow and they will get the server access and do spamming in your server.

For 64 bit servers

 /lib64/libkeyutils.so.1.9

For 32 bit servers

 /lib/libkeyutils.so.1.9

For non effected server it should be

[~]# ls -la /lib64/libkeyutils*
-rwxr-xr-x 1 root root 9472 Jan  6  2007 /lib64/libkeyutils-1.2.so*
lrwxrwxrwx 1 root root   18 Aug 24 11:26 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*

You can check your server is infected or not using the following command
# wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

Ajeesh.server10.net #                                                                                                                                                    
Cannot find compromised library

If your server is infected please execute the following command:
# wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

Also you can check the integrity of this file using rpm commands , whether there is any patch over written with your existing libkey-utils package.

 root@server [/]# rpm -Vv keyutils-libs-1.2-1.el5
........    /lib/libkeyutils-1.2.so
........    /lib/libkeyutils.so.1
........    /usr/share/doc/keyutils-libs-1.2
........  d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL
........    /lib64/libkeyutils-1.2.so
........    /lib64/libkeyutils.so.1
........    /usr/share/doc/keyutils-libs-1.2
........  d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL

From the above output we can see that the package installed on our server is not modified with any patches.

If your output something like
S.5.....    /lib/libkeyutils.so.1

It is vulnerable and you need to update your server as fast as possible.
Posted by at No comments:

Saturday, February 9, 2013

'YUM', failed

!! The server's system package manager, 'YUM', failed. !!

!!
This is the command that failed: yum --exclude=kernel* -y install

Solution:

I have added kernel* in /etc/yum.conf file and done the following steps.

yum clean metadata
yum clean all
Posted by at No comments:

Thursday, February 7, 2013

Sphinx Open Source Search Server

Recently i have installed Sphinx search engine in my cPanel server.


]# yum install sphinx.x86_64
Which ended with the following error.
 
Error: Missing Dependency: libmysqlclient.so.15()(64bit) is needed by package sphinx-0.9.9-1.el5.rf.x86_64 (rpmforge)
Error: Missing Dependency: libmysqlclient.so.15(libmysqlclient_15)(64bit) is needed by package sphinx-0.9.9-1.el5.rf.x86_64 (rpmforge)

So i have gone for a manual installation.

1. /usr/local/src/]# wget http://sphinxsearch.com/files/sphinx-2.0.4-release.tar.gz
2. tar -zxf sphinx-2.0.4-release.tar.gz 
3. cd sphinx-2.0.4-release
4. mkdir /var/lib/mysql/plugins
5. cd /usr/local/src/
MySql server for my cPanel server is 5.1.65-cll.
  6. wget http://www.percona.com/redir/downloads/Percona-Server-5.1/Percona-Server-5.1.65-14.0/source/Percona-Server-5.1.65-rel14.0.tar.gz
7. tar -xvzf Percona-Server-5.1.65-rel14.0.tar.gz
8. cd Percona-Server-5.1.65-rel14.0
9. cp -Rf /usr/local/src/sphinx-2.0.4-release/mysqlse/ storage/sphinx
10. sh BUILD/autorun.sh
11. ./configure
12 make
13 cp -rf storage/sphinx/.libs/ha_sphinx.so* /var/lib/mysql/plugins/
14. vi /etc/my.cnf
and add
plugin_dir=/var/lib/mysql/plugins

15. restart your mysql server.
16.
mysql> show engines;
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| Engine | Support | Comment | Transactions | XA | Savepoints |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| InnoDB | YES | Supports transactions, row-level locking, and foreign keys | YES | YES | YES |
| MRG_MYISAM | YES | Collection of identical MyISAM tables | NO | NO | NO |
| BLACKHOLE | YES | /dev/null storage engine (anything you write to it disappears) | NO | NO | NO |
| CSV | YES | CSV storage engine | NO | NO | NO |
| MEMORY | YES | Hash based, stored in memory, useful for temporary tables | NO | NO | NO |
| FEDERATED | NO | Federated MySQL storage engine | NULL | NULL | NULL |
| ARCHIVE | YES | Archive storage engine | NO | NO | NO |
| MyISAM | DEFAULT | Default engine as of MySQL 3.23 with great performance | NO | NO | NO |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+

17. mysql> INSTALL PLUGIN sphinx SONAME 'ha_sphinx.so';
Query OK, 0 rows affected (0.06 sec)

18. mysql> show engines;
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| Engine | Support | Comment | Transactions | XA | Savepoints |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
|

| SPHINX | YES | Sphinx storage engine 2.0.4-release | NO | NO | NO |
|
Posted by at No comments:
Subscribe to: Posts (Atom)