[BlueOnyx:12297] Re: SSHd Exploit (libkeyutils.so.1.9)
Michael Stauber
mstauber at blueonyx.it
Mon Feb 25 14:40:29 -05 2013
Hi all,
Some updates about the SSHd Exploit (libkeyutils.so.1.9):
The current thinking is that this is a cPanel problem. They have mailed
their customer list saying that they've discovered a server in their
support department which has been compromised and that anyone who has
raised a ticket with them in the last 6 months and allowed cPanel
personnel root access to their server is probably also compromised due
to credential sniffing. The attackers install a file
/lib{,64}/libkeyutils.so.1.9 and then change the
/lib{,64}/libkeyutils.so.1 symlink to point to their replacement library
instead of the correct version (libkeyutils.so.1.2 on CentOS 5,
libkeyutils.so.1.3 on CentOS 6).
If you have a cPanel server in your installation and have raised a
ticket with them in the last year then it's worth checking all your
servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9
should not exist and if it does then the chances are that you have been
compromised. Running `rpm -V keyutils-libs` should return no output
(meaning that everything verifies OK).
Source:
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=41606&forum=42
--
With best regards
Michael Stauber
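The check described in the post, as an added example (this is not code from the original message or from BlueOnyx): it looks for the rogue /lib{,64}/libkeyutils.so.1.9 file, verifies that the libkeyutils.so.1 symlink points at one of the legitimate targets named above (libkeyutils.so.1.2 on CentOS 5, libkeyutils.so.1.3 on CentOS 6), and lets RPM verify the keyutils-libs package when the real root is being audited. The fixture builder and the function names check_root, check_libdir and make_fixture are assumptions made for the example; the lib trees it builds are constructed demonstration data, not real system files.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Audits a system root for the
# libkeyutils.so.1.9 indicator. On a real host run: check_root /

# Legitimate symlink targets named in the post
# (CentOS 5 -> libkeyutils.so.1.2, CentOS 6 -> libkeyutils.so.1.3).
LEGIT_TARGETS="libkeyutils.so.1.2 libkeyutils.so.1.3"

# check_libdir DIR
# Prints findings; returns 0 if DIR looks clean, 1 if an indicator was found.
check_libdir() {
    dir="$1"
    status=0
    # A missing lib dir is not an indicator (e.g. no /lib64 on a 32-bit host).
    [ -d "$dir" ] || return 0

    # Indicator 1: the rogue library file should never exist.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        status=1
    fi

    # Indicator 2: the .so.1 symlink must point at a known-good version.
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        ok=0
        for t in $LEGIT_TARGETS; do
            [ "$target" = "$t" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "SUSPICIOUS: $link -> $target (expected one of: $LEGIT_TARGETS)"
            status=1
        fi
    elif [ -e "$link" ]; then
        echo "SUSPICIOUS: $link is a regular file, not a symlink"
        status=1
    fi
    return $status
}

# check_root ROOT
# Checks ROOT/lib and ROOT/lib64; returns 1 if anything is suspicious.
# When ROOT is / and rpm is available, also runs the package verification
# from the post (rpm -V exits non-zero if any file fails to verify).
check_root() {
    root="${1:-/}"
    root="${root%/}"      # "/" becomes "", so "$root/lib" is "/lib"
    rc=0
    for d in "$root/lib" "$root/lib64"; do
        check_libdir "$d" || rc=1
    done
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs || rc=1
    fi
    return $rc
}

# make_fixture DIR clean|compromised
# Builds a constructed lib64 tree (empty placeholder files) for demonstration.
make_fixture() {
    mkdir -p "$1/lib64"
    : > "$1/lib64/libkeyutils.so.1.3"
    if [ "$2" = "compromised" ]; then
        : > "$1/lib64/libkeyutils.so.1.9"
        ln -s libkeyutils.so.1.9 "$1/lib64/libkeyutils.so.1"
    else
        ln -s libkeyutils.so.1.3 "$1/lib64/libkeyutils.so.1"
    fi
}
```

Source the script and call `check_root /` on each server; a non-zero exit or any SUSPICIOUS line means the host needs a closer look. Note that `rpm -V` only catches a modified package-owned file or symlink: the extra libkeyutils.so.1.9 file is not owned by any package, which is why the explicit existence check is kept alongside it.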