Blog

This blog post is outdated. Don't use it to figure out if your machine is infected. It checks only for limited set of filenames, while many other filenames are being used right now for same infection

Many of you are aware of SSHD exploit going around hosting comunity. It seems to affect servers running CloudLinux, CentOS & cPanel.

There are also reports of DirectAdmin, Plesk & non-RHEL based distributions being affected.
Detailed discussion can be found here: http://www.webhostingtalk.com/showthread.php?t=1235797

We believe the exploit is done via SSH server.

So far we know:

• Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
• It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.
  

We believe this library is:

• stealing passwords, ssh keys & /etc/shadow from the system
• used as a backdoor to access server at any time
• send spam
  

We have seen the change in the payload over time. Hacker has full root access, and can do absolutely anything with the server.
We have noticed that once cleaned up, servers often get re-infected.

You can see if your server is infected by running:
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

To clean up libkeyutils library.
USE IT AT YOUR OWN RISK, THE SCRIPT WASN'T FULLY TESTED
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

and reboot the server.

To protect against being re-infected again we recommend completely firewalling SSH from internet, allowing access only from your IP. Change your passwords for SSH, WHM and any other admin passwords you are using on that server.