Saturday, February 23, 2013

sshd rootkit exploit reported

An sshd rootkit has recently been reported on cPanel, CentOS, CloudLinux, DirectAdmin, Plesk and similar servers.

Once a server is compromised the attackers can steal passwords, SSH keys and /etc/shadow, gain access to the server and use it for sending spam.

On an infected 64-bit server the rootkit library is found at

 /lib64/libkeyutils.so.1.9

and on an infected 32-bit server at

 /lib/libkeyutils.so.1.9

On an unaffected server the listing should look like this:

[~]# ls -la /lib64/libkeyutils*
-rwxr-xr-x 1 root root 9472 Jan  6  2007 /lib64/libkeyutils-1.2.so*
lrwxrwxrwx 1 root root   18 Aug 24 11:26 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*

You can check whether your server is infected with the following command:
# wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

Ajeesh.server10.net #
Cannot find compromised library

If your server is infected, run the cleanup script:
# wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

You can also verify the integrity of these files with rpm, which reports whether any file belonging to the installed keyutils-libs package has been overwritten.

 root@server [/]# rpm -Vv keyutils-libs-1.2-1.el5
........    /lib/libkeyutils-1.2.so
........    /lib/libkeyutils.so.1
........    /usr/share/doc/keyutils-libs-1.2
........  d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL
........    /lib64/libkeyutils-1.2.so
........    /lib64/libkeyutils.so.1
........    /usr/share/doc/keyutils-libs-1.2
........  d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL

Every line in the output above shows only dots, so no file of the package installed on our server has been modified.

If your output instead contains a line such as
S.5.....    /lib/libkeyutils.so.1

(S means the file size differs and 5 means the MD5 digest differs from the package database), the library has been replaced: the server is infected and you need to clean and update it as fast as possible.
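The two checks above (looking for the extra libkeyutils.so.1.9 file and verifying the keyutils-libs package with rpm -V) combined into one script, as an added example that is not part of the original post. It assumes an RPM-based host for the live rpm check; the rpm -V parser can be exercised offline on sample output.

```shell
#!/bin/sh
# Added example, not from the original post: scans a host for the two signs
# described above (the extra libkeyutils.so.1.9 file and an rpm -V mismatch
# on keyutils-libs). The rpm check assumes an RPM-based system.

# Paths the post names for the rootkit library on 32- and 64-bit servers.
ROOTKIT_PATHS="/lib/libkeyutils.so.1.9 /lib64/libkeyutils.so.1.9"

# Returns 0 (indicator present) if any of the given paths exists, else 1.
rootkit_file_present() {
  for p in "$@"; do
    if [ -e "$p" ]; then
      echo "indicator found: $p"
      return 0
    fi
  done
  return 1
}

# Reads rpm -V output on stdin and reports libkeyutils files whose size (S)
# or MD5 digest (5) differs from the package database, or that are missing.
# Returns 0 if any such line was seen, 1 if every libkeyutils file verified.
modified_libkeyutils() {
  found=1
  while read -r flags rest; do
    case "$rest" in
      *libkeyutils*) ;;
      *) continue ;;
    esac
    case "$flags" in
      *S*|*5*|missing) echo "modified: $rest ($flags)"; found=0 ;;
    esac
  done
  return $found
}

# Runs both checks on this host; returns 1 if anything suspicious was found.
scan_host() {
  rc=0
  rootkit_file_present $ROOTKIT_PATHS && rc=1
  if command -v rpm >/dev/null 2>&1; then
    rpm -Vv keyutils-libs | modified_libkeyutils && rc=1
  else
    echo "rpm not available; package verification skipped"
  fi
  return $rc
}

# Usage: sh check_libkeyutils.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

A non-zero exit from --scan means at least one indicator was found and the server should be treated as compromised.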

Saturday, February 9, 2013

'YUM', failed

!! The server's system package manager, 'YUM', failed. !!

This is the command that failed: yum --exclude=kernel* -y install

Solution:

I have added kernel* to the /etc/yum.conf file and run the following steps.

yum clean metadata
yum clean all

Thursday, February 7, 2013

Sphinx Open Source Search Server

Recently I installed the Sphinx search engine on my cPanel server.

]# yum install sphinx.x86_64

This ended with the following error:

Error: Missing Dependency: libmysqlclient.so.15()(64bit) is needed by package sphinx-0.9.9-1.el5.rf.x86_64 (rpmforge)
Error: Missing Dependency: libmysqlclient.so.15(libmysqlclient_15)(64bit) is needed by package sphinx-0.9.9-1.el5.rf.x86_64 (rpmforge)

So I went for a manual installation.

1. /usr/local/src/]# wget http://sphinxsearch.com/files/sphinx-2.0.4-release.tar.gz
2. tar -zxf sphinx-2.0.4-release.tar.gz
3. cd sphinx-2.0.4-release
4. mkdir /var/lib/mysql/plugins
5. cd /usr/local/src/
6. The MySQL server on my cPanel server is 5.1.65-cll, so the matching Percona Server source is used:
   wget http://www.percona.com/redir/downloads/Percona-Server-5.1/Percona-Server-5.1.65-14.0/source/Percona-Server-5.1.65-rel14.0.tar.gz
7. tar -xvzf Percona-Server-5.1.65-rel14.0.tar.gz
8. cd Percona-Server-5.1.65-rel14.0
9. cp -Rf /usr/local/src/sphinx-2.0.4-release/mysqlse/ storage/sphinx
10. sh BUILD/autorun.sh
11. ./configure
12. make
13. cp -rf storage/sphinx/.libs/ha_sphinx.so* /var/lib/mysql/plugins/
14. vi /etc/my.cnf and add:
    plugin_dir=/var/lib/mysql/plugins

15. Restart your MySQL server.
16. mysql> show engines;
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| Engine     | Support | Comment                                                        | Transactions | XA   | Savepoints |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| InnoDB     | YES     | Supports transactions, row-level locking, and foreign keys     | YES          | YES  | YES        |
| MRG_MYISAM | YES     | Collection of identical MyISAM tables                          | NO           | NO   | NO         |
| BLACKHOLE  | YES     | /dev/null storage engine (anything you write to it disappears) | NO           | NO   | NO         |
| CSV        | YES     | CSV storage engine                                             | NO           | NO   | NO         |
| MEMORY     | YES     | Hash based, stored in memory, useful for temporary tables      | NO           | NO   | NO         |
| FEDERATED  | NO      | Federated MySQL storage engine                                 | NULL         | NULL | NULL       |
| ARCHIVE    | YES     | Archive storage engine                                         | NO           | NO   | NO         |
| MyISAM     | DEFAULT | Default engine as of MySQL 3.23 with great performance         | NO           | NO   | NO         |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+

17. mysql> INSTALL PLUGIN sphinx SONAME 'ha_sphinx.so';
Query OK, 0 rows affected (0.06 sec)

18. mysql> show engines;
The SPHINX engine now appears in the list (only the new row is shown here):
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| Engine     | Support | Comment                                                        | Transactions | XA   | Savepoints |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| SPHINX     | YES     | Sphinx storage engine 2.0.4-release                            | NO           | NO   | NO         |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
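A preflight script for the procedure above, added here and not part of the original post: it checks that the running server version matches the Percona source the plugin was built from, that plugin_dir is the directory set in /etc/my.cnf and is writable by root only, and that ha_sphinx.so is in place before step 17. It assumes the mysql client can connect without a prompt (override the MYSQL variable otherwise); the version and path values are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks to run before
# step 17 (INSTALL PLUGIN) above. Assumes the mysql client connects without
# a password prompt; set MYSQL to e.g. "mysql -N -B -uroot -pSECRET" otherwise.

MYSQL="${MYSQL:-mysql -N -B}"
SOURCE_VERSION="5.1.65"              # Percona source tree the plugin was built from
PLUGIN_DIR="/var/lib/mysql/plugins"  # plugin_dir set in /etc/my.cnf

# A storage engine plugin must be built from the same server version it is
# loaded into; compare a "5.1.65-cll" style version string to the source version.
version_matches() {
  [ "${1%%-*}" = "$2" ]
}

# Octal mode with a group- or other-writable bit set (e.g. 775, 1777).
mode_writable_by_others() {
  case "$1" in *[2367]?|*[2367]) return 0 ;; *) return 1 ;; esac
}

# mysqld loads whatever .so is named in INSTALL PLUGIN from plugin_dir, so the
# directory must be root-owned and writable by root only.
plugin_dir_safe() {
  [ -d "$1" ] || return 1
  [ "$(stat -c '%U' "$1")" = "root" ] || return 1
  mode_writable_by_others "$(stat -c '%a' "$1")" && return 1
  return 0
}

# Live checks against the running server; prints the first failure.
preflight() {
  running=$($MYSQL -e "SELECT VERSION()") || { echo "cannot query mysql"; return 1; }
  version_matches "$running" "$SOURCE_VERSION" ||
    { echo "server is $running, plugin built from $SOURCE_VERSION"; return 1; }
  dir=$($MYSQL -e "SELECT @@plugin_dir")
  [ "${dir%/}" = "$PLUGIN_DIR" ] ||
    { echo "plugin_dir is $dir, expected $PLUGIN_DIR (restart mysqld?)"; return 1; }
  plugin_dir_safe "$PLUGIN_DIR" ||
    { echo "$PLUGIN_DIR must be root-owned and not group/world writable"; return 1; }
  [ -f "$PLUGIN_DIR/ha_sphinx.so" ] ||
    { echo "ha_sphinx.so not found in $PLUGIN_DIR"; return 1; }
  echo "preflight OK: run  mysql> INSTALL PLUGIN sphinx SONAME 'ha_sphinx.so';"
}

# Usage: sh sphinx_preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```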