Troubleshoot - by Hostrare
It has recently come to light that there is a security exploit targeting CloudLinux and CentOS servers running cPanel. We believe the compromise is carried out through the SSH server (sshd).
SSHD rootKit exploit libkeyutils.so
So far, CloudLinux knows the following:
The rootkit drops the file /lib64/libkeyutils.so.1.9 on 64-bit systems and /lib/libkeyutils.so.1.9 on 32-bit systems.
It changes the symlink /lib64/libkeyutils.so.1 (or /lib/libkeyutils.so.1) to point to that library, so every process that loads libkeyutils, sshd included, loads the rootkit.
We believe this library is:
The attacker has complete root access and can do anything with the server: stealing passwords, SSH keys and /etc/shadow from the machine, using the library as a backdoor to get into the server at any time, and sending spam from it.
Run the following shell script to detect whether your server is infected.
#vi check.sh
#!/bin/bash
# File names dropped by the rootkit: libkeyutils.so.1.9 on CentOS/CloudLinux 6,
# libkeyutils-1.2.so.2 on CentOS/CloudLinux 5 (64-bit in /lib64, 32-bit in /lib)
LIB64=/lib64/libkeyutils.so.1.9
LIB64_1=/lib64/libkeyutils-1.2.so.2
LIB32=/lib/libkeyutils.so.1.9
LIB32_1=/lib/libkeyutils-1.2.so.2
# Note the exit codes: 0 means a rogue file was found, 1 means none was found
if [ -f $LIB64 ]; then
    echo The server is compromised, $LIB64 found
    exit 0
fi
if [ -f $LIB64_1 ]; then
    echo The server is compromised, $LIB64_1 found
    exit 0
fi
if [ -f $LIB32 ]; then
    echo The server is compromised, $LIB32 found
    exit 0
fi
if [ -f $LIB32_1 ]; then
    echo The server is compromised, $LIB32_1 found
    exit 0
fi
echo "Cannot find compromised library"
exit 1
#chmod 755 check.sh
#sh check.sh
Use the following script to clean up the libkeyutils library.
USE IT AT YOUR OWN RISK, THE SCRIPT WASN'T FULLY TESTED
#vi clean.sh
#!/bin/bash
# Vendor library names the symlink should point to: libkeyutils.so.1.3 on
# CentOS/CloudLinux 6, libkeyutils-1.2.so on CentOS/CloudLinux 5
LIB64_13=/lib64/libkeyutils.so.1.3
LIB64_12=/lib64/libkeyutils-1.2.so
LIB64_1=/lib64/libkeyutils.so.1
LIB32_13=/lib/libkeyutils.so.1.3
LIB32_12=/lib/libkeyutils-1.2.so
LIB32_1=/lib/libkeyutils.so.1
LIB32=""
LIB64=""
# File names dropped by the rootkit
LIB64_h1=/lib64/libkeyutils.so.1.9
LIB32_h1=/lib/libkeyutils.so.1.9
LIB64_h2=/lib64/libkeyutils-1.2.so.2
LIB32_h2=/lib/libkeyutils-1.2.so.2
LINK=""
BAD_LIB=""
# Work out which architecture is affected and which rogue file is present
if [ -f $LIB64_h1 ]; then
    BAD_LIB=$LIB64_h1
    LIB64="HACK"
fi
if [ -f $LIB64_h2 ]; then
    BAD_LIB=$LIB64_h2
    LIB64="HACK"
fi
if [ -f $LIB32_h1 ]; then
    BAD_LIB=$LIB32_h1
    LIB64=""
    LIB32="HACK"
fi
if [ -f $LIB32_h2 ]; then
    BAD_LIB=$LIB32_h2
    LIB64=""
    LIB32="HACK"
fi
#echo $BAD_LIB, 64, $LIB64, 32, $LIB32
# Pick the vendor library that is still on disk to relink to
if [ "x$LIB64" == "xHACK" ]; then
    LINK=$LIB64_1
    if [ -f $LIB64_12 ]; then
        FIX_LIB=$LIB64_12
    elif [ -f $LIB64_13 ]; then
        FIX_LIB=$LIB64_13
    else
        echo "Cannot find good library, giving up"
        exit 1
    fi
fi
if [ "x$LIB32" == "xHACK" ]; then
    LINK=$LIB32_1
    if [ -f $LIB32_12 ]; then
        FIX_LIB=$LIB32_12
    elif [ -f $LIB32_13 ]; then
        FIX_LIB=$LIB32_13
    else
        echo "Cannot find good library, giving up"
        exit 1
    fi
fi
# Repoint the symlink at the vendor library and delete the rogue file
if [ ! -z "$FIX_LIB" ]; then
    # echo $LINK, $FIX_LIB $BAD_LIB
    rm -f $LINK
    ln -s $FIX_LIB $LINK
    rm -f $BAD_LIB
    echo "Clean up is done, please reboot the server ASAP"
else
    echo "Cannot find compromised library"
fi
#chmod 755 clean.sh
#sh clean.sh
Reboot your server.
Install the CSF or APF firewall and secure your SSH service.
Change all of your root passwords and key pairs, doing so from a clean computer.
Keep your server software up to date.
Disable root logins and/or firewall off your SSH port.
Upgrade Flash and Java on the workstations you administer the server from.
Run malware scans on those workstations.
To check manually:
1. SSH to the server
2. Run 'updatedb'
3. Run 'locate libkeyutils.so.1.9' (on CentOS/CloudLinux 5 also 'locate libkeyutils-1.2.so.2'); any hit means the server is compromised
Please follow the steps below to clear the exploit. The paths are for a 64-bit CentOS/CloudLinux 6 server: on a 32-bit server use /lib instead of /lib64, and on CentOS/CloudLinux 5 the rogue file is libkeyutils-1.2.so.2 and the vendor library to link to is libkeyutils-1.2.so.
1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh (service sshd restart)
7. Run 'yum update kernel' and reboot, so that no running process keeps the rootkit library mapped and any active attacker sessions are closed
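The check.sh script and the 'locate' step above only test whether the rogue file names exist. The script below is an added example, not CloudLinux's or Hostrare's code: it resolves the libkeyutils.so.1 symlink and rejects any target that is not a vendor file name, asks the RPM database (when rpm is present) whether the target is owned by a package and whether keyutils-libs still verifies, and looks in /proc for a running sshd that has a non-vendor libkeyutils mapped, which is the situation the reboot in step 7 exists to clear. It assumes the 64-bit layout (/lib64) and the CentOS 5/6 vendor file names given on this page; the script name keyutils_check.sh and the directory argument are the example's own conventions.

```shell
#!/bin/sh
# Added example: stricter libkeyutils rootkit check than "does the rogue file exist".
# Usage: ./keyutils_check.sh /lib64   (use /lib on a 32-bit server)
# Assumption: CentOS/CloudLinux 5 or 6 vendor file names as listed on this page.

ROGUE_NAMES="libkeyutils.so.1.9 libkeyutils-1.2.so.2"   # names dropped by the rootkit
GOOD_NAMES="libkeyutils.so.1.3 libkeyutils-1.2.so"      # vendor names (CentOS 6, CentOS 5)

# check_keyutils_dir DIR -> prints findings; returns 0 if clean, 1 if suspicious
check_keyutils_dir() {
    local dir="$1" bad=0 name target base
    for name in $ROGUE_NAMES; do
        if [ -e "$dir/$name" ]; then
            echo "ROGUE FILE: $dir/$name (name used by the sshd rootkit)"
            bad=1
        fi
    done
    if [ -e "$dir/libkeyutils.so.1" ]; then
        # Follow the link all the way and compare only the final file name
        target=$(readlink -f "$dir/libkeyutils.so.1")
        base=${target##*/}
        case " $GOOD_NAMES " in
            *" $base "*) ;;
            *) echo "BAD LINK: $dir/libkeyutils.so.1 -> $target (not a vendor file name)"; bad=1 ;;
        esac
        if [ ! -L "$dir/libkeyutils.so.1" ]; then
            echo "NOT A SYMLINK: $dir/libkeyutils.so.1 was replaced by a regular file"
            bad=1
        fi
    else
        echo "MISSING: $dir/libkeyutils.so.1 (sshd will not start until it is relinked)"
        bad=1
    fi
    return $bad
}

# check_keyutils_rpm DIR -> 0 if clean or rpm is unavailable, 1 if the link target
# is not owned by any package or rpm -V reports changes to keyutils-libs
check_keyutils_rpm() {
    local dir="$1" target bad=0
    command -v rpm >/dev/null 2>&1 || return 0
    target=$(readlink -f "$dir/libkeyutils.so.1" 2>/dev/null) || return 0
    if ! rpm -qf "$target" >/dev/null 2>&1; then
        echo "UNOWNED: $target is not owned by any package"
        bad=1
    fi
    # rpm -V prints one line per changed file; silence means the package verifies
    if [ -n "$(rpm -V keyutils-libs 2>/dev/null)" ]; then
        echo "CHANGED: rpm -V keyutils-libs reports modified files"
        bad=1
    fi
    return $bad
}

# check_sshd_maps -> 0 if no running sshd has a non-vendor libkeyutils mapped (or
# there is no sshd/pidof), 1 otherwise. Catches a cleaned disk with a live backdoor.
check_sshd_maps() {
    local pid path base bad=0
    for pid in $(pidof sshd 2>/dev/null); do
        [ -r "/proc/$pid/maps" ] || continue
        for path in $(awk '/libkeyutils/ {print $6}' "/proc/$pid/maps" | sort -u); do
            base=${path##*/}
            case " $GOOD_NAMES " in
                *" $base "*) ;;
                *) echo "LIVE: sshd pid $pid has $path mapped; restart sshd or reboot"; bad=1 ;;
            esac
        done
    done
    return $bad
}

# Run the checks only when a library directory is given on the command line
if [ $# -gt 0 ]; then
    dir="$1"
    check_keyutils_dir "$dir"; r1=$?
    check_keyutils_rpm "$dir"; r2=$?
    check_sshd_maps; r3=$?
    if [ $r1 -eq 0 ] && [ $r2 -eq 0 ] && [ $r3 -eq 0 ]; then
        echo "No sign of the libkeyutils rootkit in $dir"
    else
        echo "SUSPICIOUS: inspect $dir and compare against a known-good server"
        exit 1
    fi
fi
```

Run it before cleanup to confirm the finding and again after relinking to confirm that libkeyutils.so.1 resolves to the vendor file; a LIVE finding after cleanup means the daemon still has the old library mapped and has not been restarted, and an UNOWNED finding means the link target is not something the distribution installed, whatever its name.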
For more information, please check the CloudLinux blog and support site:
https://www.cloudlinux.com/support