Update On: 23 Jul 2021SSHD rootKit exploit libkeyutils.so
It has recently come to light there is a safety exploit that looks to be moving or targeting Cloud Linux and CentOS systems going cPanel. We understand the venture is done via an SSH server.
SSHD rootKit exploit libkeyutils.so
So far cloudlinux know:
Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.
We believe this library is:
A hacker becomes full root access and can do completely anything with the server. keeping passwords, ssh keys & /etc/shadow from the system used as a backdoor to access the server at any time send spam.
Solution: 1
Run the following shell script to find if your server infected.
#vi check.sh
#!/bin/bashLIB64=/lib64/libkeyutils.so.1.9LIB64_1=/lib64/libkeyutils-1.2.so.2LIB32=/lib/libkeyutils.so.1.9LIB32_1=/lib/libkeyutils-1.2.so.2if [ -f $LIB64 ]; thenecho The server is compromised, $LIB64 foundexit 0fiif [ -f $LIB64_1 ]; thenecho The server is compromised, $LIB64_1 foundexit 0fiif [ -f $LIB32 ]; thenecho The server is compromised, $LIB32 foundexit 0fiif [ -f $LIB32_1 ]; thenecho The server is compromised, $LIB32_1 foundexit 0fiecho "Cannot find compromised library"exit 1
#chmod 755 check.sh
#sh check.sh
Use the following script to To clean up libkeyutils library.
USE IT AT YOUR OWN RISK, THE SCRIPT WASN’T FULLY TESTED
#vi clean
#!/bin/bashLIB64_13=/lib64/libkeyutils.so.1.3LIB64_12=/lib64/libkeyutils-1.2.soLIB64_1=/lib64/libkeyutils.so.1LIB32_13=/lib/libkeyutils.so.1.3LIB32_12=/lib/libkeyutils-1.2.soLIB32_1=/lib/libkeyutils.so.1LIB32=""LIB64=""LIB64_h1=/lib64/libkeyutils.so.1.9LIB32_h1=/lib/libkeyutils.so.1.9LIB64_h2=/lib64/libkeyutils-1.2.so.2LIB32_h2=/lib/libkeyutils-1.2.so.2LINK=""BAD_LIB=""if [ -f $LIB64_h1 ]; thenBAD_LIB=$LIB64_h1LIB64="HACK"fiif [ -f $LIB64_h2 ]; thenBAD_LIB=$LIB64_h2LIB64="HACK"fiif [ -f $LIB32_h1 ]; thenBAD_LIB=$LIB32_h1LIB64=""LIB32="HACK"fiif [ -f $LIB32_h2 ]; thenBAD_LIB=$LIB32_h2LIB64=""LIB32="HACK"fi#echo $BAD_LIB, 64, $LIB64, 32, $LIB32if [ "x$LIB64" == "xHACK" ]; thenLINK=$LIB64_1if [ -f $LIB64_12 ]; thenFIX_LIB=$LIB64_12elif [ -f $LIB64_13 ]; thenFIX_LIB=$LIB64_13elseecho "Cannot find good libary, giving up"exit 1fifiif [ "x$LIB32" == "xHACK" ]; thenLINK=$LIB32_1if [ -f $LIB32_12 ]; thenFIX_LIB=$LIB32_12elif [ -f $LIB32_13 ]; thenFIX_LIB=$LIB32_13elseecho "Cannot find good libary, giving up"exit 1fifiif [ ! -z "$FIX_LIB" ]; then# echo $LINK, $FIX_LIB $BAD_LIBrm -f $LINKln -s $FIX_LIB $LINKrm -f $BAD_LIBecho "Clean up is done, please reboot the server ASAP"elseecho "Cannot find compromised library"fi
#chmod 755 clean.sh
#sh clean.sh
Reboot your server.
To protect from these malware
Install CSF/APF firewall and secure your SSH.
Change all of your root passwords and key pairs from a clean computer.
Keep your server software up-to-date.
Disable root logins and/or firewall off your SSH port.
Upgrade Flash and Java on your computers.
Do malware scans on your computers.
Solution: 2
1. SSH to server
2. Run ‘updatedb’
3. Run ‘locate libkeyutils.so.1.9’
Please follow the steps below to clear the expliot.
1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections
For more information, please check with cloud linux blog
https://www.cloudlinux.com/support
Similar Knowledgebase
Need some immediate
help ?
our suuport team here for you 24/7
+8801977507015support@hostrare.comsend a leter
Bangladesh