Comments
FWIW this is a customer's box... all our nodes appear to be fine but I suggest everyone drop 78.47.139.110 ASAP
Another one:
Always after successful ssh login
Some interesting reading on the topic:
forums.cpanel.net/f185/sshd-rootkit-323962.html
If you have a machine that has the file, in the meantime until the attack vector is found :
rm -rf /lib/libkeyutils.so.1.9
rm -rf /lib64/libkeyutils.so.1.9
yum clean all
yum -y reinstall keyutils-libs
touch /lib/libkeyutils.so.1.9
touch /lib64/libkeyutils.so.1.9
chmod 000 /lib/libkeyutils.so.1.9
chmod 000 /lib64/libkeyutils.so.1.9
chattr +i /lib/libkeyutils.so.1.9
chattr +i /lib64/libkeyutils.so.1.9
ldconfig
I'd then update the machine.
ldconfig at the end fixes any symbolic links.
Posted originally by me yesterday on cPanel and Reddit, will keep it from re-infecting for the time being.
This is a Debian infection we are seeing here :S
I can't see this affecting any VPS provider's hostnodes. Only shared hosting servers based on cPanel.
I was referencing the bulk of machines / CentOS & RHEL, such for people like brad.
@BradND said: The server is compromised, /lib64/libkeyutils.so.1.9 found
I don't work with Debian machines. This is CentOS / RHEL temporary immunization. Can take the same theory and apply it to your Debian machine wherever the files reside.
It's automated, it won't always change file name. Until they start making variants this is the safest thing for cPanel / RHEL / CentOS users. Not Debian.
Heard numerous mentions of VPS infected (OpenVZ / RHEL / cPanel) as well as bare-metal.
@Alex_LiquidHost
Did you not read what I posted?
I've actually missed it, though.
Well, at least none of my nodes are compromised or have this lib.
For all Debian users on their high horses it does appear to be affecting you too:
http://www.webhostingtalk.com/showpost.php?p=8565861&postcount=665
Are these getting in without compromised root logins? I'm a little confused as to how they're getting there.
@jarland That's the million dollar question
If any of you aren't doing this currently, I suggest alerts for root logins.
I'm not sure if this varies for debian but for RHEL variants, /root/.bashrc
It doesn't show IP for key logins (suggestions welcome), but it does for passwords (because, yes, I allow root login remotely, happy to explain why in private but I get paranoid on the other side of it so it's not really a security risk). I usually keep a couple different forms of alerts for root logins at least on my nodes. Gets annoying from time to time but better than checking logs later.
Not that I'm suggesting that any of you aren't aware of root logins, just sharing.
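An added example (not jarland's own .bashrc snippet) that reports the client address for key and password logins alike: sshd sets SSH_CONNECTION ("client_ip client_port server_ip server_port") for every session regardless of authentication method, so the alert does not depend on how root authenticated. ALERT_TO is an assumed address; the function is kept separate from the hook so it can be checked on its own.

```shell
#!/bin/sh
# Added example, not from the thread: root SSH login alert for ~/.bashrc or
# /etc/profile.d/. Reads sshd's SSH_CONNECTION, which is present for key
# logins as well as password logins. ALERT_TO is an assumed address.
ALERT_TO="${ALERT_TO:-root@localhost}"

# Build one alert line from an SSH_CONNECTION value ($1), user ($2) and
# host ($3). Returns 1 and prints nothing when $1 is empty (local login).
login_alert_line() {
  conn=$1; user=$2; host=$3
  [ -n "$conn" ] || return 1
  # Split "client_ip client_port server_ip server_port" into $1..$4.
  set -- $conn
  printf '%s login on %s from %s:%s at %s\n' \
    "$user" "$host" "$1" "$2" "$(date -u +%FT%TZ)"
}

# Hook: only for root and only for SSH sessions. Always log via syslog;
# mail the same line if a mail command is installed.
if [ "$(id -u)" = 0 ] && [ -n "$SSH_CONNECTION" ]; then
  msg=$(login_alert_line "$SSH_CONNECTION" "$(id -un)" "$(hostname)")
  command -v logger >/dev/null && logger -t root-login "$msg"
  command -v mail >/dev/null && \
    printf '%s\n' "$msg" | mail -s "root login on $(hostname)" "$ALERT_TO"
fi
```

The syslog line also gives a second record that does not depend on the login shell being interactive.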
Does anyone have the correct md5 hash for Debian libkeyutils.so for OpenVZ, KVM & Xen?
Mine seem to vary.
I even found libkeyutils.so.1.4 on my Debian KVM, very suspicious, dated 11 Feb 2013. If you only check libkeyutils.so.1.9, this one simply bypasses it.
The question for virtualization systems: if the node got compromised, this should be easy to infect all the containers or VMs on that node, at least for OpenVZ, isn't it?
@graca For squeeze:
libkeyutils.so.1.4 is present in wheezy; I don't have that one available, but you can always download the package and extract it to compare: packages.debian.org/wheezy/amd64/libkeyutils1/download
All my VPSes are running on Debian squeeze, but I found 2 different libkeyutils:
-rw-r--r-- 1 root root 8528 Apr 4 2010 libkeyutils.so.1.3
6affec20aec2654d8906573e2495f289 libkeyutils.so.1.3
-rw-r--r-- 1 root root 6560 Mar 27 2010 libkeyutils.so.1.3
868d4a3cd978a29e7cde097c99884db7 libkeyutils.so.1.3
Is it normal?
And somehow I did have libkeyutils.so.1.4 in one VPS, I'm not sure why this got installed:
-rw-r--r-- 1 root root 12160 Feb 11 2012 libkeyutils.so.1.4
35963e079c10224a65eaa310dc812260 /lib/libkeyutils.so.1.4
The only difference is the OS template, and some PHP modules depend on this libkeyutils library. Could it be another new PHP hole?
Doh... I'm running CentOS. But I've protected my servers & a workplace from all kinds of exploits & attacks from outer space!
10cm air gap between the server and the network cable is the best protection
All my Debian systems have either libkeyutils.so.1 or libkeyutils.so.1.3 with the md5 hash 868d4a3cd978a29e7cde097c99884db7
I believe 868d4a3cd978a29e7cde097c99884db7 is the correct (clean) one.
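Rather than comparing hashes posted by other people, the checksums the package manager recorded at install time can serve as the reference. The following is an added example, not something from the thread: it lists every libkeyutils.so* file under a root and reports the ones whose md5 is absent from a dpkg-style md5sums list ("<md5>  <relative path>", as in /var/lib/dpkg/info/libkeyutils1*.md5sums on Debian). The sample tree and checksum list are constructed inline; on RHEL/CentOS the equivalent check is rpm -V keyutils-libs.

```shell
#!/bin/sh
# Added example, not from the thread: flag libkeyutils.so* files that the
# distro package does not account for (for instance an extra .so.1.9).
# Assumes a dpkg-style checksum list: "<md5>  <relative path>" per line.

file_md5() { md5sum "$1" | cut -d ' ' -f 1; }

# Print "UNKNOWN <md5> <path>" for each regular libkeyutils.so* file under
# $1 whose md5 is not in the checksum list $2; return 1 if any were found.
find_unknown_libkeyutils() {
  root=$1; known=$2; found=0
  for f in $(find "$root" -type f -name 'libkeyutils.so*'); do
    h=$(file_md5 "$f")
    if ! grep -q "^$h " "$known"; then
      echo "UNKNOWN $h $f"
      found=1
    fi
  done
  return $found
}

# Constructed sample tree: one library the package knows, one it does not.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/lib"
  printf 'constructed clean lib' > "$dir/lib/libkeyutils.so.1.3"
  printf 'constructed extra lib' > "$dir/lib/libkeyutils.so.1.9"
  printf '%s  lib/libkeyutils.so.1.3\n' \
    "$(file_md5 "$dir/lib/libkeyutils.so.1.3")" > "$dir/known.md5sums"
  echo "$dir"
}

# Stand-alone run against the constructed tree. Real use: root=/ and the
# package's own md5sums file as the second argument.
d=$(make_sample_tree)
find_unknown_libkeyutils "$d" "$d/known.md5sums" || echo "unexpected library file(s) found"
rm -rf "$d"
```

Symlinks such as libkeyutils.so.1 are skipped by -type f; check their targets separately, since the immunization steps above rely on ldconfig to repoint them.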
@graca The xen hostnode we posted above isn't running PHP nor mysql
lol @nstorm!
Can someone confirm this only affects 64-bit, cos I'm still on old skool 32-bit, babeh
wat
32-bit too
Doesn't work properly with Debian, unfortunately.
Edit: you're missing backticks.
Any updates on this?
Possibly a malware infection in management machines:
webhostingtalk.com/showpost.php?p=8566599&postcount=830
Done digging in our office and on the firewall in the office... nothing outta the ordinary
Time to start worrying then? Or that was yesterday? :S