[BlueOnyx:12307] Re: SSHd Exploit (libkeyutils.so.1.9)

Richard Morgan richard at morgan-web.co.uk
Tue Feb 26 06:25:21 -05 2013


So is it confirmed that if we don't run cPanel we can turn SSH back on and 
start breathing again?

Thank you very much for your research and messages.

----- Original Message ----- 
From: "Michael Stauber" <mstauber at blueonyx.it>
To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
Sent: Monday, February 25, 2013 7:40 PM
Subject: [BlueOnyx:12297] Re: SSHd Exploit (libkeyutils.so.1.9)


> Hi all,
>
>
> Some updates about the SSHd Exploit (libkeyutils.so.1.9):
>
> The current thinking is that this is a cPanel problem. They have mailed
> their customer list saying that they've discovered a server in their
> support department which has been compromised and that anyone who has
> raised a ticket with them in the last 6 months and allowed cpanel
> personnel root access to their server is probably also compromised due
> to credential sniffing. The attackers install a file
> /lib{,64}/libkeyutils.so.1.9 and then change the
> /lib{,64}/libkeyutils.so.1 symlink to point to their replacement library
> instead of the correct version (libkeyutils.so.1.2 on CentOS 5,
> libkeyutils.so.1.3 on CentOS 6).
>
> If you have a cPanel server in your installation and have raised a
> ticket with them in the last year then it's worth checking all your
> servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9
> should not exist and if it does then the chances are that you have been
> compromised. Running `rpm -V keyutils-libs` should return no output
> (meaning that everything verifies OK).
>
> Source:
> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=41606&forum=42
>
> -- 
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
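The checks quoted above (does `/lib{,64}/libkeyutils.so.1.9` exist, where does the `libkeyutils.so.1` symlink point, does `rpm -V keyutils-libs` stay silent) are easy to get wrong by eye across several servers, so here is an added shell example that scripts them. It is not code from the list post or from the CentOS thread it cites; the function names, messages and the `--scan` switch are my own, and the only known-good symlink targets it accepts are the two named in the post (libkeyutils.so.1.2 for CentOS 5, libkeyutils.so.1.3 for CentOS 6).

```shell
#!/bin/sh
# Added example: check a library directory for the indicators named in the
# post. Known-good symlink targets are taken from the post; everything else
# (names, wording) is constructed for this example.

# check_libkeyutils DIR
# Prints one line per finding; returns 0 when DIR looks clean, 1 otherwise.
check_libkeyutils() {
    dir="$1"
    status=0

    # Indicator 1: the replacement library that should not exist at all.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        status=1
    fi

    # Indicator 2: the .so.1 symlink must still resolve to the distro's version.
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case "$(basename "$target")" in
            libkeyutils.so.1.2|libkeyutils.so.1.3)
                echo "ok: $link -> $target" ;;
            *)
                echo "SUSPICIOUS: $link -> $target (unexpected target)"
                status=1 ;;
        esac
    elif [ -e "$link" ]; then
        # A regular file in place of the symlink is also not how the package ships.
        echo "SUSPICIOUS: $link is a regular file, not a symlink"
        status=1
    fi

    return $status
}

# rpm_verify_keyutils
# Runs the package verification from the post; skipped on hosts without rpm.
rpm_verify_keyutils() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available, skipping package verification"
        return 0
    fi
    # rpm -V prints nothing and exits 0 when every file matches the RPM database.
    if out=$(rpm -V keyutils-libs 2>&1) && [ -z "$out" ]; then
        echo "ok: keyutils-libs verifies"
        return 0
    fi
    echo "SUSPICIOUS: rpm -V keyutils-libs reported:"
    echo "$out"
    return 1
}

# scan_host
# Checks the two directories named in the post plus the package database.
scan_host() {
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] || continue
        check_libkeyutils "$d" || rc=1
    done
    rpm_verify_keyutils || rc=1
    return $rc
}

# Run the full host scan only when invoked with --scan, so the file can also
# be sourced to reuse the functions against other directories.
case "${1:-}" in
    --scan) scan_host ;;
esac
```

Run it as `sh check-keyutils.sh --scan` on each server; a non-zero exit means at least one indicator fired and the output says which. The symlink check deliberately accepts only the two filenames the post gives, so on any other distribution or package version you would adjust that list before trusting an "ok".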



