[BlueOnyx:12354] Fw: Re: SSHd Exploit (libkeyutils.so.1.9)

Richard Morgan richard at morgan-web.co.uk
Sun Mar 3 08:22:56 -05 2013


Following the exploit, I switched off SSH via the GUI, briefly enabling it 
for quick admin tasks.

Is it confirmed that it's safe to re-enable SSH now and leave it on, just as 
long as we have nothing to do with cPanel on the server?

Thanks

----- Original Message ----- 
From: "Richard Morgan" <richard at morgan-web.co.uk>
To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
Sent: Tuesday, February 26, 2013 11:25 AM
Subject: [BlueOnyx:12307] Re: SSHd Exploit (libkeyutils.so.1.9)


> So is it confirmed that if we don't run cPanel we can turn SSH back on and
> start breathing again?
>
> Thank you very much for your research and messages.
>
> ----- Original Message ----- 
> From: "Michael Stauber" <mstauber at blueonyx.it>
> To: "BlueOnyx General Mailing List" <blueonyx at mail.blueonyx.it>
> Sent: Monday, February 25, 2013 7:40 PM
> Subject: [BlueOnyx:12297] Re: SSHd Exploit (libkeyutils.so.1.9)
>
>
>> Hi all,
>>
>>
>> Some updates about the SSHd Exploit (libkeyutils.so.1.9):
>>
>> The current thinking is that this is a cPanel problem. They have mailed
>> their customer list saying that they've discovered a server in their
>> support department which has been compromised and that anyone who has
>> raised a ticket with them in the last 6 months and allowed cPanel
>> personnel root access to their server is probably also compromised due
>> to credential sniffing. The attackers install a file
>> /lib{,64}/libkeyutils.so.1.9 and then change the
>> /lib{,64}/libkeyutils.so.1 symlink to point to their replacement library
>> instead of the correct version (libkeyutils.so.1.2 on CentOS 5,
>> libkeyutils.so.1.3 on CentOS 6).
>>
>> If you have a cPanel server in your installation and have raised a
>> ticket with them in the last year then it's worth checking all your
>> servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9
>> should not exist and if it does then the chances are that you have been
>> compromised. Running `rpm -V keyutils-libs` should return no output
>> (meaning that everything verifies OK).
>>
>> Source:
>> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=41606&forum=42
>>
>> -- 
>> With best regards
>>
>> Michael Stauber
>> _______________________________________________
>> Blueonyx mailing list
>> Blueonyx at mail.blueonyx.it
>> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
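The checks Michael describes above (no `libkeyutils.so.1.9` file should exist, the `libkeyutils.so.1` symlink should point at the distribution's own library, and `rpm -V keyutils-libs` should print nothing) can be scripted so every server is checked the same way. The script below is an added example and is not part of the thread or of BlueOnyx; the expected library names (`libkeyutils.so.1.2` on CentOS 5, `libkeyutils.so.1.3` on CentOS 6) are taken from the message, and the self-test uses directories it constructs under a temporary path rather than the real `/lib` and `/lib64`.

```shell
#!/bin/sh
# Added example (not from the thread). Checks one library directory for the
# two file-system indicators named in the message and wraps the rpm check.

# check_libkeyutils_dir DIR EXPECTED_TARGET
#   EXPECTED_TARGET is the distro library the symlink should resolve to,
#   e.g. libkeyutils.so.1.2 on CentOS 5 or libkeyutils.so.1.3 on CentOS 6.
#   Prints one line per finding. Returns 0 when clean, 1 when an indicator is found.
check_libkeyutils_dir() {
    dir="$1"
    expected="$2"
    rc=0
    [ -d "$dir" ] || return 0          # e.g. no /lib64 on a 32-bit host

    # Indicator 1: the replacement library dropped by the attackers.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPECT: $dir/libkeyutils.so.1.9 exists"
        rc=1
    fi

    # Indicator 2: the .so.1 symlink redirected away from the distro library.
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        # Compare the basename only, so relative and absolute link targets both match.
        case "$target" in
            "$expected"|*/"$expected") ;;
            *) echo "SUSPECT: $link -> $target (expected $expected)"; rc=1 ;;
        esac
    fi
    return $rc
}

# The rpm verification from the message: no output means every packaged file
# verifies OK. Only meaningful on an RPM-based host; skipped elsewhere.
check_keyutils_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping"; return 0; }
    out=$(rpm -V keyutils-libs 2>&1)
    if [ -n "$out" ]; then
        echo "SUSPECT: rpm -V keyutils-libs reported:"
        echo "$out"
        return 1
    fi
    return 0
}

# scan_system EXPECTED_TARGET: run both checks against the real /lib{,64}.
scan_system() {
    expected="$1"
    rc=0
    for d in /lib /lib64; do
        check_libkeyutils_dir "$d" "$expected" || rc=1
    done
    check_keyutils_rpm || rc=1
    [ "$rc" -eq 0 ] && echo "no indicators found"
    return $rc
}

# Self-test on constructed directories so the script can be tried without
# touching system paths: one clean layout and one laid out as the message describes.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean" "$tmp/bad"
    : > "$tmp/clean/libkeyutils.so.1.3"
    ln -s libkeyutils.so.1.3 "$tmp/clean/libkeyutils.so.1"
    : > "$tmp/bad/libkeyutils.so.1.3"
    : > "$tmp/bad/libkeyutils.so.1.9"
    ln -s libkeyutils.so.1.9 "$tmp/bad/libkeyutils.so.1"
    check_libkeyutils_dir "$tmp/clean" libkeyutils.so.1.3 && echo "clean dir: OK"
    check_libkeyutils_dir "$tmp/bad" libkeyutils.so.1.3 || echo "bad dir: indicators found"
    rm -rf "$tmp"
}

demo
# On a CentOS 6 BlueOnyx box you would then run:  scan_system libkeyutils.so.1.3
```

A non-zero exit from `scan_system` is the signal to treat the host as compromised and follow the thread's advice (rebuild and rotate the credentials that were exposed) rather than just repointing the symlink, since the replacement library is only the visible part of the compromise.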