LOADING
It has newly come to light there is a safety utilize that appears to be moving or targeting Cloud Linux and CentOS operations running cPanel. We understand the venture is done via an SSH server.
SSHD rootKit exploit libkeyutils.so
So far cloudlinux know:
Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.
We follow this library is:
Hacker has full root admittance and can do anything with the server. keeping keys, ssh keys & /etc/shadow from the method used as a backdoor to access the server at any time send spam.
Run the following shell script to find if your server infected.
#vi check.sh
#!/bin/bash LIB64=/lib64/libkeyutils.so.1.9 LIB64_1=/lib64/libkeyutils-1.2.so.2 LIB32=/lib/libkeyutils.so.1.9 LIB32_1=/lib/libkeyutils-1.2.so.2 if [ -f $LIB64 ]; then echo The server is compromised, $LIB64 found exit 0 fi if [ -f $LIB64_1 ]; then echo The server is compromised, $LIB64_1 found exit 0 fi if [ -f $LIB32 ]; then echo The server is compromised, $LIB32 found exit 0 fi if [ -f $LIB32_1 ]; then echo The server is compromised, $LIB32_1 found exit 0 fi echo "Cannot find compromised library" exit 1
#chmod 755 check.sh
#sh check.sh
Use the following script to To clean up libkeyutils library.
USE IT AT YOUR OWN RISK, THE SCRIPT WASN’T FULLY TESTED
#vi clean
#!/bin/bash LIB64_13=/lib64/libkeyutils.so.1.3 LIB64_12=/lib64/libkeyutils-1.2.so LIB64_1=/lib64/libkeyutils.so.1 LIB32_13=/lib/libkeyutils.so.1.3 LIB32_12=/lib/libkeyutils-1.2.so LIB32_1=/lib/libkeyutils.so.1 LIB32="" LIB64="" LIB64_h1=/lib64/libkeyutils.so.1.9 LIB32_h1=/lib/libkeyutils.so.1.9 LIB64_h2=/lib64/libkeyutils-1.2.so.2 LIB32_h2=/lib/libkeyutils-1.2.so.2 LINK="" BAD_LIB="" if [ -f $LIB64_h1 ]; then BAD_LIB=$LIB64_h1 LIB64="HACK" fi if [ -f $LIB64_h2 ]; then BAD_LIB=$LIB64_h2 LIB64="HACK" fi if [ -f $LIB32_h1 ]; then BAD_LIB=$LIB32_h1 LIB64="" LIB32="HACK" fi if [ -f $LIB32_h2 ]; then BAD_LIB=$LIB32_h2 LIB64="" LIB32="HACK" fi #echo $BAD_LIB, 64, $LIB64, 32, $LIB32 if [ "x$LIB64" == "xHACK" ]; then LINK=$LIB64_1 if [ -f $LIB64_12 ]; then FIX_LIB=$LIB64_12 elif [ -f $LIB64_13 ]; then FIX_LIB=$LIB64_13 else echo "Cannot find good libary, giving up" exit 1 fi fi if [ "x$LIB32" == "xHACK" ]; then LINK=$LIB32_1 if [ -f $LIB32_12 ]; then FIX_LIB=$LIB32_12 elif [ -f $LIB32_13 ]; then FIX_LIB=$LIB32_13 else echo "Cannot find good libary, giving up" exit 1 fi fi if [ ! -z "$FIX_LIB" ]; then # echo $LINK, $FIX_LIB $BAD_LIB rm -f $LINK ln -s $FIX_LIB $LINK rm -f $BAD_LIB echo "Clean up is done, please reboot the server ASAP" else echo "Cannot find compromised library" fi
#chmod 755 clean.sh
#sh clean.sh
Reboot your server.
Install CSF/APF firewall and adjust your SSH.
Replace all of your root keys and key pairs from a clean processor.
Keep your server software up-to-date.
Damage root logins and/or firewall off your SSH port.
Upgrade Flash and Java on your networks.
Do malware scans on your networks.
1. SSH to server
2. Run ‘updatedb’
3. Run ‘locate libkeyutils.so.1.9’
Please follow the steps below to clear the expliot.
1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections
For more information, please check with cloud linux blog
our suuport team here for you 24/7
+8801977507015 support@hostrare.com send a leter
Whether you are looking for a personal website hosting plan or a business website hosting plan, We are the perfect solution for you. Our powerful website hosting services will not only help you achieve your overall website goals, but will also provide you with the confidence you need in knowing that you are partnered with a reliable and secure website hosting platform.
Bangladesh