0day sshd exploit

2013-02-21, 21:00 #1
Dimme
Frequent poster
Registered: Mar 2008
Posts: 397

It looks like a 0day sshd exploit has been released. Many servers have been hacked and it seems to be very serious.

It would be smart to shut down sshd for the time being if you are able to, or move it to some other port.

Quote:
Originally posted by http://forums.cpanel.net/f185/sshd-rootkit-323962.html
Attention:
------------------------------
It has recently come to light there is a security exploit that seems to be
affecting or targeting Cloud Linux and CentOS systems running cPanel.
This is a very new exploit which we have been investigating over the last
few days and working on a solution. We have been monitoring our managed
customers and implementing what we believe to fix the exploit.

You can find more information regarding this recently discovered exploit at
SSHD Rootkit Rolling around - Web Hosting Talk

Action required:
------------------------------
Our managed cPanel customers need not do anything unless contacted directly
by us. Self managed customers will need to do the following to detect the
file in question and correct the exploit:

1. SSH to server
2. Run 'updatedb'
3. Run 'locate libkeyutils.so.1.9'

Please follow the steps below to clear the exploit.

1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections

Feel free to open a trouble ticket if you have any questions.


Thank you for your business,
Hivelocity Support Team
https://hivelocity.net/myvelocity/
888-869-HOST

Quote:
Originally posted by http://www.webhostingtalk.com/showthread.php?t=1235797
If /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9 exist on your server, it is very likely that your server has been compromised at the root level and is currently sending out spam. Removing this file may be a temporary fix, but since the attack vector is still unknown, that is not likely a permanent fix. At this point, if your server has been rooted, the only 100% way to clean your server is to wipe your drives and do a clean installation.

Possibilities being discussed in this thread include a 0-day exploit of SSHD itself, curl vulnerabilities or even a local vulnerability attacking users through software like Adobe Flash and gaining root access to their servers via their computers.

UPDATE (Feb 21): Several Linux anti-malware scanners such as AVG now detect the malicious libkeyutils files based on signature instead of just name.

UPDATE (Feb 20): Evidence is increasingly pointing towards a local vulnerability. The exploit filename also appears to be changing: libkeyutils-1.2.so.2 is popping up on CentOS 5.

Based on community input, it appears that both RHEL-based and Debian servers are affected. Servers with control panels such as cPanel, DirectAdmin, and Plesk are also affected. Servers with both standard and non-standard SSH ports are vulnerable and even servers that only accept key authentication have been compromised. If your server has been exploited, consider all passwords (including root) and private/public keys compromised.

Recommended Actions: Since we still do not know the attack vector, we can only provide guidelines for things you should probably do.
Keep your server software up-to-date
Disable root logins and/or firewall off your SSH port
Upgrade Flash and Java on your computers
Do malware scans on your computers
Keep checking this thread for updates! This thread summary will be constantly updated when we have new information.

WARNING: There are multiple scripts floating around the internet that promise to automatically clean up your server, but please be aware that they are not guaranteed to fix anything and have the potential to cause more problems. Run them at your own risk!
Contributors: Orien
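Added example, not code from the original post or from either quoted advisory: a POSIX shell check that looks for the indicator file names the thread reports (libkeyutils.so.1.9 and libkeyutils-1.2.so.2) and confirms that the loader-facing name libkeyutils.so.1 is still a symlink to the packaged library rather than a dropped-in file. The expected target libkeyutils.so.1.3 is the one the Hivelocity steps assume; the function names check_libdir and scan_system are my own, and the rpm -V step assumes an RPM-based system and is skipped elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): detection only, no cleanup.
# Indicator names and the expected symlink target come from the quoted
# advisories; adjust LEGIT_TARGET if your distribution ships another version.
LEGIT_TARGET="libkeyutils.so.1.3"

# check_libdir DIR
# Prints one line per finding. Returns 0 when nothing suspicious was found,
# 1 when an indicator file or a tampered libkeyutils.so.1 is present.
check_libdir() {
    dir="$1"
    found=0
    # File names the thread attributes to the rootkit.
    for name in libkeyutils.so.1.9 libkeyutils-1.2.so.2; do
        p="$dir/$name"
        if [ -e "$p" ] || [ -L "$p" ]; then
            echo "INDICATOR: $p exists"
            found=1
        fi
    done
    # The name the loader resolves should be a symlink to the packaged library.
    link="$dir/libkeyutils.so.1"
    if [ -e "$link" ] || [ -L "$link" ]; then
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            if [ "$target" = "$LEGIT_TARGET" ]; then
                echo "ok: $link -> $target"
            else
                echo "INDICATOR: $link -> $target (expected $LEGIT_TARGET)"
                found=1
            fi
        else
            echo "SUSPECT: $link is a regular file, not a symlink"
            found=1
        fi
    fi
    return $found
}

# scan_system
# Checks the two directories named in the thread, then asks rpm (when present)
# to verify the keyutils-libs package against its database; rpm -V prints a
# line for every file whose size, digest or mode differs from the package.
scan_system() {
    rc=0
    for d in /lib64 /lib; do
        if [ -d "$d" ]; then
            check_libdir "$d" || rc=1
        fi
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs || echo "note: rpm -V keyutils-libs reported differences"
    fi
    return $rc
}

# Usage on a live host (not run automatically so the functions can be sourced):
#   scan_system; echo "exit status: $?"
```

A non-zero status from scan_system means an indicator was found; as the Web Hosting Talk summary says, removing the file is at best a temporary measure, and a host that matches should be treated as root-compromised.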