[Dimme]

Det verkar som att det har släppts en 0day sshd exploit. Många servrar har blivit hackade och det verkar vara väldigt allvarligt.

Det hade varit smart att stänga av sshd tillvidare om man har möjlighet att göra det, eller flytta det till någon annan port.

Citat:

Ursprungligen postat av http://forums.cpanel.net/f185/sshd-rootkit-323962.html

Attention:
------------------------------
It has recently come to light there is a security exploit that seems to be
affecting or targeting Cloud Linux and CentOS systems running cPanel.
This is a very new exploit which we have been investigating over the last
few days and working on a solution. We have been monitoring our managed
customers and implementing what we believe to fix the exploit.

You can find more information regarding this recently discovered exploit at
SSHD Rootkit Rolling around - Web Hosting Talk

Action required:
------------------------------
Our managed cPanel customers need not do anything unless contacted directly
by us. Self managed customers will need to do the following to detect the
file in question and correct the exploit:

1. SSH to server
2. Run 'updatedb'
3. Run 'locate libkeyutils.so.1.9'

Please follow the steps below to clear the expliot.

1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections

Feel free to open a trouble ticket if you have any questions.


Thank you for your business,
Hivelocity Support Team
/https://hivelocity.net/myvelocity/
888-869-HOST

Citat:

Ursprungligen postat av http://www.webhostingtalk.com/showthread.php?t=1235797

If /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9 exist on your server, it is very likely that your server has been compromised at the root level and is currently sending out spam. Removing this file may be a temporary fix, but since the attack vector is still unknown, that is not likely a permanent fix. At this point, if your server has been rooted, the only 100% way to clean your server is to wipe your drives and do a clean installation.

Possibilities being discussed in this thread include a 0-day exploit of SSHD itself, curl vulnerabilities or even a local vulnerability attacking users through software like Adobe Flash and gaining root access to their servers via their computers.

UPDATE (Feb 21): Several Linux anti-malware scanners such as AVG now detect the malicious libkeyutils files based on signature instead of just name.

UPDATE (Feb 20): Evidence is increasingly pointing towards a local vulnerability. The exploit filename also appears to be changing: libkeyutils-1.2.so.2 is popping up on CentOS 5.

Based on community input, it appears that both RHEL-based and Debian servers are affected. Servers with control panels such as cPanel, DirectAdmin, and Plesk are also affected. Servers with both standard and non-standard SSH ports are vulnerable and even servers that only accept key authentication have been compromised. If your server has been exploited, consider all passwords (including root) and private/public keys compromised.

Recommended Actions: Since we still do not know the attack vector, we can only provide guidelines for things you should probably do.
Keep your server software up-to-date
Disable root logins and/or firewall off your SSH port
Upgrade Flash and Java on your computers
Do malware scans on your computers
Keep checking this thread for updates! This thread summary will be constantly updated when we have new information.

WARNING: There are multiple scripts floating around the internet that promise to automatically clean up your server, but please be aware that they are not guaranteed to fix anything and have the potential to cause more problems. Run them at your own risk!
Contributors: Orien

[Dimme]

Det här verkar vara intressant.

Citat:

Ursprungligen postat av http://www.webhostingtalk.com/showpost.php?p=8567877&postcount=995

<nenolod> interesting
<nenolod> we found a rootkit on tortoiselabs office equipment
<nenolod> running windows 7
<nenolod> and our OVH creds were changed from that machine
<steven> oh noes the h4x
<nenolod> i wonder if it is related to SSHD thing
<steven> good question
<steven> get to work
<steven> :P
<nenolod> i have the binaries, i intend to look at them in a bit with idapro
<nenolod> btw
<nenolod> the rootkit
<nenolod> was sending keystrokes as DNS requests
<nenolod> to the same russian IP
<steven> which ip
<steven> what did you use to pickup the rootkit
<nenolod> the 78.x nameserver ip
<steven> gotcha
<nenolod> i used tcpdump while typing into the keyboard on the errant machine
<nenolod> i then disconnected it from the network :P
<nenolod> rabbit:/home/nenolod# apk audit --system
<nenolod> M /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
<nenolod> ? /lib/libkeyutils.so.1.9
<nenolod> well, that's concerning
<nenolod> and, /tmp contains a copy of openssh source
<steven> even the great neno has been h4x
<nenolod> this is new
<nenolod> and it is a honeypot
<nenolod> it's supposed to be h4x
<nenolod> the concerning part is that they seem to build the rootkit on the machine
<nenolod> observation: why would sshd link against libkeyutils.so?
<nenolod> ran apk fix
<steven> kernel key management
<ramnet> nenolod, did you access your honeypot from the workstation that had the keylogger on it?
<nenolod> as a matter of fact, yes!
<ramnet> so, you've pretty much confirmed that's what the cause of the hack is then
<steven> nenolod would you be willing to pass me the windows rootkit?
<nenolod> steven, yeah as soon as i have a chance to get the machine network-accessible again

[Dimme]

Även ssh (klienten) smittas. Om man loggar in på en annan server från en smittad server då får man sina uppgifter skickade vidare till 72.156.139.154

Källa: http://www.webhostingtalk.com/showpo...postcount=1185

[coredev]

Detta rör alltså endast Cloud Linux och CentOS som kör cPanel?

[Dimme]

Nej, det har förekommit debian samt redhat installationer som också har blivit infekterade, med eller utan cpanel.

Cpanels support har dock också råkat infekteras. Och eftersom "trojanen" skickar ssh nycklar och lösenord till servrar som man loggar in på från en infekterad maskin, så är det en smart idé att kolla upp dessa servrar också.

Citat:

Ok.

We all have been so worried on the sshd aspect to this.
But we forgot to take a look at 'ssh'.. this little lonely binary used to initiate ssh connections with other servers.

Well...

You go and login to another server using an infected machine (which you may not know is infected).

Guess what happens, our well known friend here:

Quote:
5297 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.156.139.154")}, 16) = 0
shows up again, sending your other servers login details out.

So really all you need is 1 compromised server, to have multiple.. if you use your server to login to other servers.

They are in memory too.