
SSHD Rootkit

This blog post is outdated. Don't use it to decide whether your machine is infected: it checks only for a limited set of filenames, while many other filenames are now being used for the same infection.

Many of you are aware of the SSHD exploit going around the hosting community. It seems to affect servers running CloudLinux, CentOS and cPanel.

There are also reports of DirectAdmin, Plesk and non-RHEL based distributions being affected.
A detailed discussion can be found here: http://www.webhostingtalk.com/showthread.php?t=1235797

We believe the compromise is carried out through the SSH server.

So far we know:
  • The rootkit drops the file /lib64/libkeyutils.so.1.9 on 64-bit systems and /lib/libkeyutils.so.1.9 on 32-bit systems.
  • It changes the symlink /lib64/libkeyutils.so.1 (or /lib/libkeyutils.so.1) to point to that library.
We believe this library is:
  • stealing passwords, SSH keys and /etc/shadow from the system
  • used as a backdoor to access the server at any time
  • sending spam
We have seen the payload change over time. The attacker has full root access and can do absolutely anything with the server.
We have noticed that once cleaned up, servers often get re-infected.

You can see if your server is infected by running:
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

To clean up the libkeyutils library (use it at your own risk; the script has not been fully tested):
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

and reboot the server.
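The two indicators listed above, turned into a check and a cleanup you can read before running. This is an added example, not CloudLinux's check.sh or clean.sh. It assumes the caller supplies the distribution's real library name (whatever `rpm -ql keyutils-libs` lists), that rpm is available for package verification, and that sshd is at /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example: check for the libkeyutils indicators named above and undo
# them. It is not CloudLinux's check.sh or clean.sh. Assumptions: the
# distribution's real library name is passed in by the caller (whatever
# 'rpm -ql keyutils-libs' lists), rpm is present for package verification,
# and sshd lives at /usr/sbin/sshd.

# check_libkeyutils DIR
# Exit 0 if neither indicator is present in DIR, 1 if either is.
check_libkeyutils() {
    dir=$1
    found=0
    # Indicator 1: the dropped file itself.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        found=1
    fi
    # Indicator 2: the loader symlink repointed at the dropped file.
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case $target in
            *libkeyutils.so.1.9)
                echo "SUSPICIOUS: $dir/libkeyutils.so.1 -> $target"
                found=1 ;;
            *)
                echo "ok: $dir/libkeyutils.so.1 -> $target" ;;
        esac
    else
        echo "note: $dir/libkeyutils.so.1 is absent or not a symlink"
    fi
    return $found
}

# clean_libkeyutils DIR GOOD_LIB
# Deletes the dropped file and points libkeyutils.so.1 back at GOOD_LIB,
# a file name relative to DIR (e.g. libkeyutils.so.1.3). Refuses if
# GOOD_LIB is missing, so the link is never left dangling.
clean_libkeyutils() {
    dir=$1
    good=$2
    if [ ! -e "$dir/$good" ]; then
        echo "refusing: $dir/$good not found" >&2
        return 1
    fi
    rm -f "$dir/libkeyutils.so.1.9"
    # -f overwrites the existing link, -n stops ln descending into it
    # should the target ever be a directory.
    ln -sfn "$good" "$dir/libkeyutils.so.1"
}

# scan_system
# Runs the check on both lib directories, then lets rpm verify the package
# that owns the symlink: a repointed link shows up as an 'L' mismatch in
# 'rpm -V' output whatever the new target is called, which covers the
# other file names the note at the top of the post warns about.
scan_system() {
    rc=0
    for d in /lib64 /lib; do
        if [ -d "$d" ]; then
            check_libkeyutils "$d" || rc=1
        fi
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs || rc=1
    fi
    # Assumption: sshd links libkeyutils, directly or transitively, which is
    # what makes the library a useful place to hide; confirm that here.
    if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
        ldd /usr/sbin/sshd | grep keyutils
    fi
    return $rc
}

# Only scan when invoked as: sh check_libkeyutils.sh --scan
if [ "${1-}" = "--scan" ]; then
    scan_system
fi
```

Run it as `sh check_libkeyutils.sh --scan`; a non-zero exit means at least one indicator fired. Because a root-level rootkit can hide from tools on the running system, the result is only trustworthy when run from rescue media against the mounted disk. After `clean_libkeyutils`, restart sshd or reboot as the post says, so the running daemon stops using the old mapping.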

To protect against re-infection, we recommend firewalling SSH from the internet entirely, allowing access only from your own IP address. Change your SSH, WHM and any other admin passwords used on that server.
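One way to do the firewalling step, as an added example that is not part of the original post. It assumes sshd listens on TCP/22, IPv4 only, and that the host uses the classic iptables command; the address 203.0.113.5 used below is a documentation-range placeholder, not a real admin IP.

```shell
#!/bin/sh
# Added example, not from the original post: allow SSH only from one admin
# address with iptables. Assumptions: sshd listens on TCP/22, IPv4 only,
# and the host uses the classic iptables command (firewalld/nftables hosts
# need their own syntax). Set IPTABLES=echo to preview the rules.

IPTABLES=${IPTABLES:-iptables}

# restrict_ssh ADMIN_IP [PORT]
# Puts two rules at the head of INPUT so the final order is
#   1. ACCEPT tcp/PORT from ADMIN_IP   2. DROP tcp/PORT from everyone else
# They are inserted in reverse because each -I INPUT 1 goes on top.
# There is deliberately no ESTABLISHED rule: sessions already open from
# other addresses, the attacker's included, are cut off as well, so run
# this from ADMIN_IP itself.
restrict_ssh() {
    ip=$1
    port=${2:-22}
    # Crude sanity check: dotted quad, optionally with a /prefix, so a
    # typo does not produce a rule that locks everyone out.
    case $ip in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *)
            echo "refusing: '$ip' is not an IPv4 address or CIDR" >&2
            return 1 ;;
    esac
    "$IPTABLES" -I INPUT 1 -p tcp --dport "$port" -j DROP &&
    "$IPTABLES" -I INPUT 1 -p tcp --dport "$port" -s "$ip" -j ACCEPT
}

# show_ssh_rules [PORT]
# Lists the INPUT rules that mention the SSH port, for verification.
show_ssh_rules() {
    port=${1:-22}
    "$IPTABLES" -S INPUT | grep -- "--dport $port"
}

# Example invocation: sh restrict_ssh.sh 203.0.113.5
# (203.0.113.5 is a documentation-range placeholder, not a real admin IP.)
if [ -n "${1-}" ]; then
    restrict_ssh "$1" && show_ssh_rules
fi
```

Preview with `IPTABLES=echo sh restrict_ssh.sh 203.0.113.5` before applying for real. iptables rules do not survive a reboot on their own; on CentOS 6 `service iptables save` writes them to /etc/sysconfig/iptables, which matters here because the cleanup step above ends with a reboot.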

Oezdemir Zekeria
02/21/2013 09:52:33
news
Any news about this?

Christos Panagiotakis
02/21/2013 17:05:50
Any news on that? Any update at all?
What caused it, how, how to be protected (except for the firewall option), or how to permanently fix/clean it?

I saw the WHT forums and cPanel forums are on fire...

Can't even follow them.

And with comments like that:

Well doesn't it figure....
I install a fresh copy of CentOS 6.3 with cPanel current and in less than 2 hours.... BAM
I am a bit worried...

John Slane
02/22/2013 09:19:18
It's caused by a workstation being infected first and the malware then steals the login details for the servers. As long as you ensure your workstation is protected and all software is up to date (Java and Flash in particular) then you shouldn't have to worry. If you share your server login details with third parties for support, then you should always change the details when they've completed any work.

Igor Seletskiy
02/22/2013 09:21:42
At this moment we believe that is the case. We are still waiting on confirmation from a security research organization on the trojans that we were able to get from an infected desktop, to see if a similar form of communication/sending of info (as well as IPs) is used between the trojans and libkeyutils.

We will update everyone as we have more info.

Jason Smit
02/23/2013 06:40:05
RHEL patch published
Red Hat published this bug patch for RHEL Linux on 21 Feb:
https://rhn.redhat.com/errata/RHSA-2013-0519.html

Igor Seletskiy
02/24/2013 21:41:56
We believe it is unrelated to the exploit, as the bug is not exploitable in the default or the cPanel configuration.

Jason Smit
02/28/2013 04:12:40
Patch?
Have you made a patch for this bug?

Igor Seletskiy
02/28/2013 08:42:38
The updated openssh package was in our repositories on Feb 21st, the same day the advisory went out.
Yet the patch and vulnerability have no relationship to this SSH rootkit.

Jason Smit
03/05/2013 05:40:35
I have installed a new CloudLinux OS on my server. If we update the server to your new openssh packages, can the virus infect it again, or ...?

Igor Seletskiy
03/05/2013 07:05:19
The hack is being done via stolen passwords. The version of openssh package is irrelevant.

Richard Hordern
03/07/2013 05:16:56
Hello Igor, is this certain, or just a conclusion because no one could find how they got in?

Are you still seeing new servers being hacked, or is this considered over?

Igor Seletskiy
03/07/2013 06:54:34
It is a conclusion because keyloggers were found on machines from which the servers were accessed, because cPanel came out with a disclosure that their support server was penetrated, and because what we observed was hackers getting in directly through ssh.