SSHD Rootkit


Status
Not open for further replies.

susan

Apprentice 2.0
This is being widely discussed on WHT and the cPanel forum; let's each audit our own servers.

If /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9 exist on your server, it is very likely that your server has been compromised. Removing this file appears to be a temporary fix, but since the attack vector is still unknown, that is not guaranteed to be a permanent fix.

Based on community input, it appears that RHEL-based servers are the only ones affected so far. Servers with control panels such as cPanel, DirectAdmin, and Plesk are also affected.

The latest CSF update checks for these files by default and alerts you if found.

Related links:
* http://www.webhostingtalk.com/showthread.php?t=1235797
* http://forums.cpanel.net/f185/sshd-rootkit-323962.html
 
So far it is indeed not yet known how this backdoor got there. But there is only one conclusion so far, namely that the affected ones are the Red Hat/CentOS/CloudLinux distros, both 64-bit and 32-bit. Since this issue came up 3 days ago, I have tried auditing our main shared hosting server (CloudLinux) and a pure CentOS server; nothing was found.

Personally, I think this is probably privilege escalation from a local exploit.
 
Is detection just a matter of executing this command?
locate libkeyutils.so.1.9

The detection method is said to be like this:
root@server [~]# ps aux | grep ssh
root 1667 0.0 0.0 61192 752 pts/0 S+ 19:29 0:00 grep ssh
root 7722 0.0 0.0 92244 3416 ? Ss 15:58 0:00 sshd: root@pts/0
root 21883 0.0 0.0 63584 1212 ? Ss Jan17 0:00 /usr/sbin/sshd
root@server [~]# rpm -qf `lsof -p 7722| grep lib | awk '{print $9}'`
glibc-2.12-1.80.el6_3.7.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nss-util-3.13.6-1.el6_3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
nss-3.13.5-1.el6_3.x86_64
libcom_err-1.41.12-12.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
zlib-1.2.3-27.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
openssl-1.0.0-25.el6_3.1.x86_64
libselinux-2.0.94-5.3.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
pam-1.1.1-10.el6_2.1.x86_64
audit-libs-2.2-2.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64

root@server [~]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
 
So far it is indeed not yet known how this backdoor got there. But there is only one conclusion so far, namely that the affected ones are the Red Hat/CentOS/CloudLinux distros, both 64-bit and 32-bit. Since this issue came up 3 days ago, I have tried auditing our main shared hosting server (CloudLinux) and a pure CentOS server; nothing was found.

Personally, I think this is probably privilege escalation from a local exploit.
That may be true. But where did it 'get in' from?

Since cPanel is in use, cPanel obviously becomes the 'accused' in this matter.
 
CloudLinux : http://www.cloudlinux.com/blog/clnews/sshd-exploit.php
Many of you are aware of the SSHD exploit going around the hosting community. It seems to affect servers running CloudLinux, CentOS & cPanel.

There are also reports of DirectAdmin, Plesk & non-RHEL based distributions being affected.
Detailed discussion can be found here: http://www.webhostingtalk.com/showthread.php?t=1235797

We believe the exploit is done via SSH server.

So far we know:

  • Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
  • It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.
We believe this library is:

  • stealing passwords, ssh keys & /etc/shadow from the system
  • used as a backdoor to access server at any time
  • send spam

We have seen the change in the payload over time. Hacker has full root access, and can do absolutely anything with the server.
We have noticed that once cleaned up, servers often get re-infected.

You can see if your server is infected by running:
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

To clean up the libkeyutils library:
USE IT AT YOUR OWN RISK, THE SCRIPT WASN'T FULLY TESTED
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

and reboot the server.

To protect against being re-infected again we recommend completely firewalling SSH from internet, allowing access only from your IP. Change your passwords for SSH, WHM and any other admin passwords you are using on that server.
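As an added example (not code from the thread, and not CloudLinux's check.sh or clean.sh), the following POSIX shell script automates the two checks discussed here: the file and symlink indicators CloudLinux lists, and the thread's ps/lsof/rpm -qf test for libraries loaded into sshd that no package owns. The ROOT argument, the function names and the "--live" switch are assumptions so the checks can be run against a mounted image or a test tree as well as the live host.

```shell
#!/bin/sh
# Added example, not code from the thread or CloudLinux's check.sh. Checks the
# indicators discussed above: the rogue libkeyutils.so.1.9, a libkeyutils.so.1
# symlink repointed at it, and libraries mapped into sshd owned by no RPM
# package. ROOT is an assumed parameter so a mounted image or test tree works.

# check_keyutils ROOT: print each indicator found; exit status 0 = clean.
check_keyutils() {
    root="${1:-}"
    found=0
    for libdir in lib64 lib; do
        rogue="$root/$libdir/libkeyutils.so.1.9"
        link="$root/$libdir/libkeyutils.so.1"
        if [ -e "$rogue" ]; then
            echo "INDICATOR: $rogue exists"
            found=1
        fi
        # The rootkit repoints the .so.1 symlink; readlink shows its target.
        if [ -L "$link" ]; then
            case "$(readlink "$link")" in
                *libkeyutils.so.1.9)
                    echo "INDICATOR: $link -> $(readlink "$link")"
                    found=1 ;;
            esac
        fi
    done
    return "$found"
}

# unowned_libs: read 'rpm -qf' output on stdin, print paths owned by no package.
unowned_libs() {
    sed -n 's/^file \(.*\) is not owned by any package$/\1/p'
}
# Constructed sample, excerpted from the rpm -qf session quoted in the thread.
SAMPLE_RPM_OUTPUT='glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64'

# audit_sshd_libs: live version of the thread's lsof | rpm -qf check over every
# sshd process (needs root plus lsof, pgrep and rpm; RHEL-family tools).
audit_sshd_libs() {
    for pid in $(pgrep -x sshd); do
        lsof -p "$pid" 2>/dev/null | awk '$9 ~ /\.so/ { print $9 }'
    done | sort -u | xargs -r rpm -qf 2>&1 | unowned_libs
}
if [ "${1:-}" = "--live" ]; then        # run on the host only when asked
    check_keyutils ""
    audit_sshd_libs
fi
```

Run with `--live` as root on a RHEL-family host; any INDICATOR line or any path printed by audit_sshd_libs means sshd is loading code that the package manager does not account for.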


 
Yes, correct. In that discussion it is cPanel that is being 'put on trial'.

Thankfully Kloxo-MR is not on the 'list'. Hopefully it never becomes an 'attractive item' for hackers. :cool:

Servers with control panels such as cPanel, DirectAdmin, and Plesk are also affected.

How does the word "AFFECTED" come to sound as if they were the target?


Hopefully it never becomes an 'attractive item' for hackers. ... hmm, maybe they are just not acquainted with or don't know what Kloxo MR is, boss.
 