SSHD rootKit exploit libkeyutils.so

It has newly come to light there is a safety utilize that appears to be moving or targeting Cloud Linux and CentOS operations running cPanel. We understand the venture is done via an SSH server.

SSHD rootKit exploit libkeyutils.so

sshd rootkit

So far cloudlinux know:

Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.

We follow this library is:
Hacker has full root admittance and can do anything with the server. keeping keys, ssh keys & /etc/shadow from the method used as a backdoor to access the server at any time send spam.

Solution: 1

Run the following shell script to find if your server infected.

#vi check.sh

#!/bin/bash

LIB64=/lib64/libkeyutils.so.1.9
LIB64_1=/lib64/libkeyutils-1.2.so.2
LIB32=/lib/libkeyutils.so.1.9
LIB32_1=/lib/libkeyutils-1.2.so.2

if [ -f $LIB64 ]; then
echo The server is compromised, $LIB64 found
exit 0
fi

if [ -f $LIB64_1 ]; then
echo The server is compromised, $LIB64_1 found
exit 0
fi

if [ -f $LIB32 ]; then
echo The server is compromised, $LIB32 found
exit 0
fi

if [ -f $LIB32_1 ]; then
echo The server is compromised, $LIB32_1 found
exit 0
fi

echo "Cannot find compromised library"
exit 1

#chmod 755 check.sh

#sh check.sh

Use the following script to To clean up libkeyutils library.

USE IT AT YOUR OWN RISK, THE SCRIPT WASN’T FULLY TESTED

#vi clean

#!/bin/bash

LIB64_13=/lib64/libkeyutils.so.1.3
LIB64_12=/lib64/libkeyutils-1.2.so
LIB64_1=/lib64/libkeyutils.so.1
LIB32_13=/lib/libkeyutils.so.1.3
LIB32_12=/lib/libkeyutils-1.2.so
LIB32_1=/lib/libkeyutils.so.1
LIB32=""
LIB64=""

LIB64_h1=/lib64/libkeyutils.so.1.9
LIB32_h1=/lib/libkeyutils.so.1.9
LIB64_h2=/lib64/libkeyutils-1.2.so.2
LIB32_h2=/lib/libkeyutils-1.2.so.2

LINK=""
BAD_LIB=""

if [ -f $LIB64_h1 ]; then
BAD_LIB=$LIB64_h1
LIB64="HACK"
fi

if [ -f $LIB64_h2 ]; then
BAD_LIB=$LIB64_h2
LIB64="HACK"
fi

if [ -f $LIB32_h1 ]; then
BAD_LIB=$LIB32_h1
LIB64=""
LIB32="HACK"
fi

if [ -f $LIB32_h2 ]; then
BAD_LIB=$LIB32_h2
LIB64=""
LIB32="HACK"
fi

#echo $BAD_LIB, 64, $LIB64, 32, $LIB32
if [ "x$LIB64" == "xHACK" ]; then
LINK=$LIB64_1
if [ -f $LIB64_12 ]; then
FIX_LIB=$LIB64_12
elif [ -f $LIB64_13 ]; then
FIX_LIB=$LIB64_13
else
echo "Cannot find good libary, giving up"
exit 1
fi
fi

if [ "x$LIB32" == "xHACK" ]; then
LINK=$LIB32_1
if [ -f $LIB32_12 ]; then
FIX_LIB=$LIB32_12
elif [ -f $LIB32_13 ]; then
FIX_LIB=$LIB32_13
else
echo "Cannot find good libary, giving up"
exit 1
fi
fi

if [ ! -z "$FIX_LIB" ]; then
#  echo $LINK, $FIX_LIB $BAD_LIB
rm -f $LINK
ln -s $FIX_LIB $LINK
rm -f $BAD_LIB
echo "Clean up is done, please reboot the server ASAP"
else
echo "Cannot find compromised library"
fi

#chmod 755 clean.sh

#sh clean.sh

Reboot your server.

To protect from these malware

Install CSF/APF firewall and adjust your SSH.
Replace all of your root keys and key pairs from a clean processor.
Keep your server software up-to-date.
Damage root logins and/or firewall off your SSH port.
Upgrade Flash and Java on your networks.
Do malware scans on your networks.

Solution: 2

1. SSH to server
2. Run ‘updatedb’
3. Run ‘locate libkeyutils.so.1.9’

Please follow the steps below to clear the expliot.

1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections

For more information, please check with cloud linux blog

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Stats and Monitoring Process tool

Mysqlmymonlite Stats and Monitoring process free tool, Bash shell script tool used to gather...

cPanel Game Server Installation

cPGS is a software module that allows you to set up and run a game server. You are even able to...

Attracta SEO Tools Installation

Attracta SEO tool will verify that your website has not been flagged by Google as containing...

Server load alerts shell script

Simple Server load alerts shell script to monitor your server load average, Free Memory and Swap...

Powered by WHMCompleteSolution