sshd rootkit / exploit

AnthonySmith Member, Patron Provider
edited February 2013 in General

Hi Folks,

I was alerted to this by the nice folks at http://racksrv.com (Thanks Jon/Lee)

Just putting some info out there for those who have not spotted the topic elsewhere as yet.

Further info:
http://status.racksrv.com/2013/02/19/new-sshd-rootkit
http://forums.cpanel.net/f185/sshd-rootkit-323962.html
http://www.webhostingtalk.com/showthread.php?t=1235797

Seems info has been floating around for 4 days now although I am only just now reading through everything.

Anyone that is already aware of this please feel free to add some additional info/summary.

From what I am reading in the last few minutes it is an issue with libkeyutils.so.1.9 (32 and 64bit) which allows spam to be sent via the server, seems to mainly affect cPanel on CENT/CloudLinux and possibly other LAMP stacks.

If you have some users that have started spamming and are unaware of how this has happened you may want to have them run the script included in the first link provided by Lee at racksrv.com

Ant.


Comments

  • All Debian here, so should be safe. Good luck to everyone running RHEL, hope it ends up well

  • Infinity Member, Host Rep
    edited February 2013

    wget http://status.racksrv.com/ssh_rootchk.sh && sh ssh_rootchk.sh && rm -f ssh_rootchk.sh

    For those that are lazy, like me.

    Thanks for notifying us Ant. ;)

  • Just seen the lib on a debian hostnode... anyone else see it on debian?

  • @BradND said: Just seen the lib on a debian hostnode... anyone else see it on debian?

    root@h98s:~# ls /lib64/libkeyutils.so.1*
    /lib64/libkeyutils.so.1  /lib64/libkeyutils.so.1.3
    

    Description: Linux Key Management Utilities (library)

    Keyutils is a set of utilities for managing the key retention facility in the
    kernel, which can be used by filesystems, block devices and more to gain and
    retain the authorization and encryption keys required to perform secure
    operations.

    This package provides a wrapper library for the key management facility system
    calls.

  • AnthonySmith Member, Patron Provider

    I have just been assured that this does not affect debian on #lowendbox irc/freenode.

    The rationale behind it not affecting debian is: "centos sucks"

  • @MiguelQ what about libkeyutils.so.1.9?

  • Maounique Host Rep, Veteran

    @AnthonySmith said: The rationale behind it not affecting debian is: "centos sucks"

    Cool :P
    I only agree with the 6.x part.

  • @AnthonySmith said: The rationale behind it not affecting debian is: "centos sucks"


    Anyway, http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/ has some good text about it too.

  • @BradND said: what about libkeyutils.so.1.9?

    Not at squeeze. The one at wheezy is named libkeyutils.so.1.4

    Why? Do you have it?

  • This box is running squeeze & Xen 4.0 w/ a few VM's

    root@vhost01 /lib # locate libkey
    /lib/libkeyutils.so.1
    /lib/libkeyutils.so.1.3
    /lib/libkeyutils.so.1.9

    Cpanel VM on it also has
    root@webserver [~]# locate libkey
    /home/virtfs/raindrop/lib/libkeyutils.so.1
    /home/virtfs/raindrop/lib/libkeyutils.so.1.3
    /home/virtfs/raindrop/lib/libkeyutils.so.1.9
    /lib/libkeyutils.so.1
    /lib/libkeyutils.so.1.3
    /lib/libkeyutils.so.1.9

    So far neither the HN nor the VM is sending any traffic out..

  • MiguelQ Member
    edited February 2013

    @BradND said: This box is running squeeze & Xen 4.0 w/ a few VM's

    Interesting, what does /lib/libkeyutils.so.1 point to?

    Also, do this

    lsof /lib/libkeyutils.so.1.9
    
  • lrwxrwxrwx 1 root root 18 Nov 16 22:05 libkeyutils.so.1 -> libkeyutils.so.1.9

  • @BradND said: lrwxrwxrwx 1 root root 18 Nov 16 22:05 libkeyutils.so.1 -> libkeyutils.so.1.9

    *****... Game Over?

  • COMMAND     PID     USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
    sshd       2637     root mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    named     16032     bind mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   19164 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   21628 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   21629 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    gnome-pan 23513     root mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    evolution 23529     root mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   25176 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   25177 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   26025     root mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   26558 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   26560 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   26564 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   26566 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    apache2   28205 www-data mem    REG  253,0    27928 1052300 /lib/libkeyutils.so.1.9
    
  • apollo15 Member
    edited February 2013

    hm is that supposed to be a local or remote exploit?

  • I run Ubuntu Server so no problems, though I have been eyeing a cPanel server, so that could be problematic. Any fix known as yet?

  • @BradND it should be linking to libkeyutils.so.1.3 on stock squeeze.

    On my box that lib is currently opened by named, sshd and kvm. I suggest you take a good look at what processes have it open and begin halting them.

  • Halt, remove, link the original one back and start looking for traces of how it got there in the first place

  • Here's the MD5 of the original so you can compare...

    root@host:~# md5sum /lib/libkeyutils.so.1.3
    6affec20aec2654d8906573e2495f289  /lib/libkeyutils.so.1.3
    
  • MiguelQ Member
    edited February 2013

    @apollo15 said: hm is that supposed to be a local or remote exploit?

    As far as I know, the lib is a "wrapper for the key management facility system calls".

    As you can see from above, it is used by processes which allow remote auth, such as sshd. A modified version of that lib could well be allowing remote access via sshd to unauthorized parties to the affected host in the worst case. Best case it is being used to send SPAM (as it has been reported) triggered by the auth handshake (my guess).

    Would love to have a copy of said lib to do forensics on it. @BradND could you mail it to me?

  • BradND Member
    edited February 2013

    root@vhost01 /lib # md5sum libkeyutils.so.1.3
    6affec20aec2654d8906573e2495f289  libkeyutils.so.1.3

    MD5 looks alright, but..

    Sigh... time to do a little digging I guess

  • jar Patron Provider, Top Host, Veteran

    This is why the cpanel forum is a good place to frequent even if you don't use it. Often one of the first targets of RHEL based exploits.

  • @MiguelQ Sure, pm me your email

  • @BradND is that 32 or 64 bit you have running?

  • root@vhost01 /var/www # uname -ar
    Linux vhost01.redacted.com 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux

  • The bash script is extremely simple but...

    root@vhost01 /var/www # wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
    The server is compromised, /lib64/libkeyutils.so.1.9 found

  • @BradND said: The server is compromised, /lib64/libkeyutils.so.1.9 found

    Not sure that's a good sign...

  • MiguelQ Member
    edited February 2013

    @BradND Watch outgoing connections to tcp_78.47.139.110:53. It tries that after a successful ssh login. Probably getting instructions

  • 78.47.139.110 is in libkeyutils.so.1.9 so yeah... most definite.
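Pulling the checks that came up over the thread (the `lsof` / symlink check from MiguelQ, the md5 of the stock squeeze lib, and the 78.47.139.110 string found inside the 1.9 file) into one read-only script. This is an added example, not code from any poster or from the racksrv/cloudlinux check scripts linked above. The 1.9 filename, the md5 `6affec20aec2654d8906573e2495f289` and the address are taken from the posts; the directory list, the `check_libdir` / `processes_mapping` function names and the optional second argument to `check_libdir` (an expected md5 for builds other than squeeze) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Collects the indicators
# posted above into one read-only check of a library directory:
#   - a libkeyutils.so.1.9 file present beside the stock library
#   - the libkeyutils.so.1 SONAME link pointing at *.1.9 instead of *.1.3
#   - libkeyutils.so.1.3 no longer matching the squeeze md5 posted above
#   - the 78.47.139.110 string embedded in any libkeyutils.so.1.* file
# Assumed: the directory list in the usage comment and the optional
# EXPECTED_MD5 argument (for distros other than squeeze).

# squeeze /lib/libkeyutils.so.1.3 hash as posted in the thread
KNOWN_GOOD_MD5="6affec20aec2654d8906573e2495f289"

# md5 of one file, with GNU md5sum or BSD md5
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_libdir DIR [EXPECTED_MD5]
# Prints one line per finding; returns 0 when nothing suspicious was found.
check_libdir() {
    dir=$1
    expected=${2:-$KNOWN_GOOD_MD5}
    bad=0

    # 1. the rogue version file itself
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        bad=1
    fi

    # 2. where the SONAME link points (stock squeeze: libkeyutils.so.1.3)
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case "$target" in
            *.1.9) echo "SUSPICIOUS: $dir/libkeyutils.so.1 -> $target"; bad=1 ;;
            *)     echo "ok: $dir/libkeyutils.so.1 -> $target" ;;
        esac
    fi

    # 3. the stock library still hashes to the known value
    if [ -f "$dir/libkeyutils.so.1.3" ]; then
        sum=$(file_md5 "$dir/libkeyutils.so.1.3")
        if [ "$sum" != "$expected" ]; then
            echo "SUSPICIOUS: $dir/libkeyutils.so.1.3 md5 $sum (expected $expected)"
            bad=1
        fi
    fi

    # 4. the C2 address the thread found inside the 1.9 binary
    for f in "$dir"/libkeyutils.so.1.*; do
        [ -f "$f" ] || continue
        if grep -qF "78.47.139.110" "$f" 2>/dev/null; then
            echo "SUSPICIOUS: $f contains 78.47.139.110"
            bad=1
        fi
    done

    return $bad
}

# processes_mapping PATH
# PIDs that currently have PATH mapped, read from /proc so lsof is not needed.
processes_mapping() {
    for m in /proc/[0-9]*/maps; do
        if grep -qF "$1" "$m" 2>/dev/null; then
            pid=${m#/proc/}
            echo "${pid%%/*}"
        fi
    done
    return 0
}

# With directory arguments, check each one and list who has the 1.9 file mapped:
#   sh keyutils_check.sh /lib /lib64 /lib/x86_64-linux-gnu
status=0
for d in "$@"; do
    [ -d "$d" ] || continue
    check_libdir "$d" || status=1
    if [ -e "$d/libkeyutils.so.1.9" ]; then
        echo "processes mapping $d/libkeyutils.so.1.9:"
        processes_mapping "$d/libkeyutils.so.1.9"
    fi
done
[ $# -eq 0 ] || exit $status
```

The md5 only says anything for the squeeze build BradND posted; on CentOS the equivalent check is the package manager's own verification (`rpm -V keyutils-libs`), and on Debian `dpkg -V libkeyutils1`. A clean exit here does not prove a box is clean, it only means none of the indicators from this thread are present; a process list showing sshd with the 1.9 file mapped is the thing to act on, per MiguelQ's advice above.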
