Recently an sshd rootkit has been found exploiting servers running cPanel, CentOS, CloudLinux, DirectAdmin, Plesk, etc.
Once a server is compromised, attackers can steal passwords, SSH keys and /etc/shadow, gain access to the server and use it for spamming.
On an infected server the malicious library is found at the following path.
For 64-bit servers:
/lib64/libkeyutils.so.1.9
For 32-bit servers:
/lib/libkeyutils.so.1.9
On an unaffected server the listing should look like this (libkeyutils.so.1 points at the packaged libkeyutils-1.2.so, and there is no libkeyutils.so.1.9):
[~]# ls -la /lib64/libkeyutils*
-rwxr-xr-x 1 root root 9472 Jan 6 2007 /lib64/libkeyutils-1.2.so*
lrwxrwxrwx 1 root root 18 Aug 24 11:26 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*
You can check whether your server is infected using the following command:
# wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
On a clean server the script reports:
Ajeesh.server10.net #
Cannot find compromised library
If your server is infected please execute the following command:
# wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash
You can also check the integrity of this file with rpm, which compares the installed files against the keyutils-libs package database and shows whether any of them has been overwritten.
root@server [/]# rpm -Vv keyutils-libs-1.2-1.el5
........ /lib/libkeyutils-1.2.so
........ /lib/libkeyutils.so.1
........ /usr/share/doc/keyutils-libs-1.2
........ d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL
........ /lib64/libkeyutils-1.2.so
........ /lib64/libkeyutils.so.1
........ /usr/share/doc/keyutils-libs-1.2
........ d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL
In the above output every attribute column is a dot, so the files of the installed package have not been modified.
If your output contains a line like
S.5..... /lib/libkeyutils.so.1
the file's size (S) and MD5 digest (5) no longer match the package, i.e. the library has been replaced. It is vulnerable and you need to update your server as fast as possible.
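As an added example (not from the original post or from CloudLinux's check.sh), here is a small POSIX sh script that automates the two checks above: it looks for the rogue libkeyutils.so.1.9 file and a redirected libkeyutils.so.1 symlink, and it parses rpm -V output for the S and 5 flags. It assumes the EL5 layout shown in the post's clean listing (libkeyutils.so.1 -> libkeyutils-1.2.so); the sample directories it builds for demonstration are constructed, not real infections.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: the clean layout is
# the EL5 one shown in the post (libkeyutils.so.1 -> libkeyutils-1.2.so) and the
# rogue library is named libkeyutils.so.1.9.

# check_libkeyutils_dir DIR
# Looks for the rogue library and for a redirected libkeyutils.so.1 symlink.
# Returns 0 if DIR looks clean, 1 if an indicator is present.
check_libkeyutils_dir() {
    dir="$1"
    status=0
    if [ -e "$dir/libkeyutils.so.1.9" ] || [ -L "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        status=1
    fi
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case "$target" in
            libkeyutils-1.*.so) ;;   # expected packaged target (assumption: EL5 layout)
            *) echo "SUSPICIOUS: $dir/libkeyutils.so.1 -> $target"; status=1 ;;
        esac
    fi
    return "$status"
}

# parse_rpm_verify
# Reads `rpm -V` output on stdin and reports files whose size (S) or MD5
# digest (5) differ from the package database. Returns 0 if nothing was
# flagged, 1 otherwise.
parse_rpm_verify() {
    status=0
    while IFS= read -r line; do
        flags=$(printf '%s' "$line" | cut -c1-8)     # 8-column attribute string
        path=$(printf '%s' "$line" | awk '{print $NF}')
        case "$flags" in
            *S*|*5*) echo "MODIFIED: $flags $path"; status=1 ;;
        esac
    done
    return "$status"
}

# make_sample_libdir clean|infected
# Builds a constructed lib directory under a temp dir so the checks can be
# exercised offline; prints its path.
make_sample_libdir() {
    d=$(mktemp -d)
    : > "$d/libkeyutils-1.2.so"
    ln -s libkeyutils-1.2.so "$d/libkeyutils.so.1"
    if [ "$1" = infected ]; then
        : > "$d/libkeyutils.so.1.9"          # constructed rogue file
        rm -f "$d/libkeyutils.so.1"
        ln -s libkeyutils.so.1.9 "$d/libkeyutils.so.1"   # symlink redirected
    fi
    printf '%s\n' "$d"
}

# scan_host
# Runs the checks against the real /lib and /lib64 and, where rpm exists,
# against the installed keyutils-libs package. Returns 1 if anything is flagged.
scan_host() {
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] || continue
        check_libkeyutils_dir "$d" || rc=1
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs 2>/dev/null | parse_rpm_verify || rc=1
    fi
    return "$rc"
}

# Demonstration on the constructed directories, then a live scan of this host.
for kind in clean infected; do
    sample=$(make_sample_libdir "$kind")
    if check_libkeyutils_dir "$sample"; then echo "$kind sample: clean"; else echo "$kind sample: flagged"; fi
    rm -rf "$sample"
done
scan_host || echo "Host: indicators found, investigate before trusting this server"
```

Run it as root so /lib64 and the rpm database are readable; the rpm -V parsing deliberately ignores other flags (mode, owner, mtime) so that it only flags the size/checksum mismatch the post singles out.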