
Author Topic: [INFO] SSHD Rootkit Rolling around  (Read 6539 times)


Offline MRatWork

[INFO] SSHD Rootkit Rolling around
« on: 2013-02-19, 16:01:31 »
I found an issue related to cPanel. Read http://www.webhostingtalk.com/showthread.php?t=1235797

It may affect Kloxo/Kloxo-MR too if a hacker is able to get the same access level as with cPanel.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline djscooby

Re: [INFO] SSHD Rootkit Rolling around
« Reply #1 on: 2013-02-19, 18:20:35 »
Just copying a reply from the WHT forum in order to help find out if there is any infection on our servers.

Quote
A command that could help find exploits like this, even with new filenames (libkeyutils.so.1.9 or any other name), is the following.

For 64 bit
Code:
for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done

For 32 bit
Code:
for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done

If you don't get any result, then you are not infected by this exploit.

If you get something like
"xyz-filename.so is not owned by any package"
then you need to check it.

This command scans all files in the /lib or /lib64 folders and, if it finds any libraries not used by a package (which is the case with the exploit discussed here), it prints their file names.

Credits go to user networkpanda; this is not mine.

Offline lupetalo

Re: [INFO] SSHD Rootkit Rolling around
« Reply #2 on: 2013-03-02, 01:04:28 »
Here is the first mention, and some bigger heads' input than on cPanel. And also don't ever send your root pw to cPanel; they infected 80% of all servers involved.
http://www.webhostingtalk.com/showthread.php?t=1235797

Offline prgs1971

Re: [INFO] SSHD Rootkit Rolling around
« Reply #3 on: 2013-08-08, 17:48:06 »
Quote from: "djscooby"
Just copying a reply from the WHT forum in order to help find out if there is any infection on our servers.

Quote
A command that could help find exploits like this, even with new filenames (libkeyutils.so.1.9 or any other name), is the following.

For 64 bit
Code:
for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done

For 32 bit
Code:
for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done

If you don't get any result, then you are not infected by this exploit.

If you get something like
"xyz-filename.so is not owned by any package"
then you need to check it.

This command scans all files in the /lib or /lib64 folders and, if it finds any libraries not used by a package (which is the case with the exploit discussed here), it prints their file names.

Credits go to user networkpanda; this is not mine.

Running these commands on my 2 Linode VPSes returns positive matches.

One VPS has CentOS 5.8 + KLOXO and the other is a fresh install with Kloxo-MR.

Has a fix for this been found already?

How can I see if my server is sending spam?

Offline MRatWork

Re: [INFO] SSHD Rootkit Rolling around
« Reply #4 on: 2013-08-08, 17:55:19 »
You can see the log files inside /var/log or in 'Log Manager' on the Kloxo-MR panel (only the latest 100 lines).

Offline prgs1971

Re: [INFO] SSHD Rootkit Rolling around
« Reply #5 on: 2013-08-08, 18:00:22 »
I know /var/log, but I don't know exactly which file to look at and what I have to find.

Offline MRatWork

Re: [INFO] SSHD Rootkit Rolling around
« Reply #6 on: 2013-08-08, 18:06:54 »
Quote from: "prgs1971"
I know /var/log, but I don't know exactly which file to look at and what I have to find.
For mail, you can see /var/log/maillog or 'Mail log' on 'Log Manager'.

Offline prgs1971

Re: [INFO] SSHD Rootkit Rolling around
« Reply #7 on: 2013-08-08, 18:20:01 »
Ok, for now I will leave it...

I rebuilt my Linode VPS with the Linode Manager template for CentOS 6.2 and then ran
Code:
for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done

The result was false and I didn't get any match :)

Then I ran
Code:
yum update

After that I ran
Code:
for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done

Positive matches:
Code:
[root@linode ~]# for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done
file /lib64/libip4tc.so.0.0.0 is not owned by any package
file /lib64/libip6tc.so.0.0.0 is not owned by any package
file /lib64/libipq.so.0.0.0 is not owned by any package
file /lib64/libiptc.so.0.0.0 is not owned by any package
file /lib64/libxtables.so.4.0.0 is not owned by any package
file /lib64/xtables is not owned by any package
[root@linode ~]#

It seems that the upgrade brings the exploit :o

Are CentOS developers aware of this?

Or is this type of check not valid?

Offline MRatWork

Re: [INFO] SSHD Rootkit Rolling around
« Reply #8 on: 2013-08-08, 18:28:42 »
Hi,

A cPanel issue is not always the same as a Kloxo-MR issue!

This 'for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done' code only lists files identified as 'not owned by any package'.

All CentOS installs always have the same result:
Code:
file /lib64/libip4tc.so.0.0.0 is not owned by any package
file /lib64/libip6tc.so.0.0.0 is not owned by any package
file /lib64/libipq.so.0.0.0 is not owned by any package
file /lib64/libiptc.so.0.0.0 is not owned by any package
file /lib64/libxtables.so.4.0.0 is not owned by any package
file /lib64/xtables is not owned by any package

It's not an exploit in the context of the above files.

Offline prgs1971

Re: [INFO] SSHD Rootkit Rolling around
« Reply #9 on: 2013-08-08, 18:59:56 »
This exploit was discovered on cPanel, but it is related to RedHat/CentOS, not to any hosting panel, as stated in the link of the topic.

And if you read again what I said, you will see that on the CentOS 6.2 release, if you run the same command, you will not have any match; it only gives positive matches on CentOS 6.4 after the update.

On my production server with CentOS 5.8 I also have 1 positive match:
Quote
[root@production-server ~]# for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done
file /lib/device-mapper is not owned by any package
[root@production-server ~]#
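Added example (not from this thread, Kloxo-MR or any of the quoted scripts): a POSIX shell version of the same `rpm -qf` sweep that folds in the two observations above. The iptables libraries, `xtables` and `device-mapper` that CentOS itself leaves unowned are tagged BENIGN, so anything else unowned, such as a stray `libkeyutils.so.1.9`, stands out as SUSPECT. It goes beyond the thread's one-liner by scanning recursively; the benign-name list is assumed from the outputs quoted here only, and the sample `rpm -qf` output is constructed.

```shell
#!/bin/sh
# Added example: rpm -qf sweep over the library directories, with the
# unowned-but-benign CentOS entries quoted in this thread separated out.

# Basenames CentOS itself leaves unowned (assumption: taken only from the
# outputs quoted in the thread, not an authoritative list for every release).
BENIGN_UNOWNED="libip4tc libip6tc libipq libiptc libxtables xtables device-mapper"

# classify_unowned: reads rpm -qf output on stdin and prints one line per
# unowned file, tagged BENIGN (known CentOS leftover) or SUSPECT (anything else).
classify_unowned() {
    while IFS= read -r line; do
        case "$line" in
            "file "*" is not owned by any package") ;;
            *) continue ;;   # owning package names and other output are skipped
        esac
        path=${line#file }
        path=${path% is not owned by any package}
        base=${path##*/}
        tag=SUSPECT
        for b in $BENIGN_UNOWNED; do
            case "$base" in "$b"|"$b".*) tag=BENIGN ;; esac
        done
        printf '%s %s\n' "$tag" "$path"
    done
}

# scan_libdirs: the thread's loop, made recursive and quoting-safe; needs rpm.
scan_libdirs() {
    for dir in /lib /lib64; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -print0 2>/dev/null | xargs -0 rpm -qf 2>/dev/null
    done | classify_unowned
}

# suspects_in: only the SUSPECT paths from a captured rpm -qf listing
suspects_in() {
    printf '%s\n' "$1" | classify_unowned | grep '^SUSPECT ' | cut -d' ' -f2-
}

# Constructed sample of rpm -qf output: the CentOS false positives from the
# thread plus one unowned library named like the one the thread describes.
SAMPLE_RPM_OUTPUT='iptables-1.4.7-9.el6.x86_64
file /lib64/libip4tc.so.0.0.0 is not owned by any package
file /lib64/xtables is not owned by any package
file /lib/device-mapper is not owned by any package
file /lib64/libkeyutils.so.1.9 is not owned by any package'

printf '%s\n' "$SAMPLE_RPM_OUTPUT" | classify_unowned
```

On a real host run `scan_libdirs` instead of the sample; a BENIGN tag only means the name matches the thread's known CentOS leftovers, not that the file has been verified.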

Offline prgs1971

Re: [INFO] SSHD Rootkit Rolling around
« Reply #10 on: 2013-08-09, 00:39:41 »
The best way to detect this rootkit may be here: http://www.cloudlinux.com/blog/clnews/sshd-exploit.php

To test, run:
Code:
wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

To clean, run:
Code:
wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash
reboot

To protect, do:
Quote
To protect against being re-infected again we recommend completely firewalling SSH from the internet, allowing access only from your IP. Change your passwords for SSH, WHM and any other admin passwords you are using on that server.

Alternatively you can use this script to test and clean at the same time, from https://www.ericgillette.com/clients/exploit-cleanup
Code:
#!/bin/bash
# Detect, quarantine and replace the libkeyutils.so.1.9 sshd rootkit library.
# Note: the posted 64-bit branch had "rm -rf /" where the symlink removal
# belongs; it is corrected here to mirror the 32-bit branch.

exploit64=/lib64/libkeyutils.so.1.9
exploit32=/lib/libkeyutils.so.1.9

# quarantine <exploit path> <library dir> <arch label>
quarantine() {
    exploit=$1
    libdir=$2
    arch=$3
    evidence=/exploit-evidence/$(date +%h-%d)

    echo
    echo "$exploit was found on this system. . ."
    echo
    echo "Quarantining $exploit"
    echo
    mkdir -p "$evidence"
    chattr -iu "$exploit"
    chmod -x "$exploit"
    mv "$exploit" "$evidence"/
    # Audit any attempt to recreate the backdoor at its old path
    /sbin/auditctl -w "$exploit" -p war -k backdoor
    echo
    echo "Done."
    echo
    echo "Removing libkeyutils.so.1 symlink"
    echo
    rm -f "$libdir/libkeyutils.so.1"
    ln -s "$libdir/libkeyutils.so.1.3" "$libdir/libkeyutils.so.1"
    /sbin/ldconfig
    echo
    echo "Restarting SSH. . ."
    echo
    /etc/init.d/sshd restart
    echo
    echo "Done."
    echo
    echo "$arch exploit found and removed."
    echo
    echo "Here's a scan of your library directory. . ."
    echo
    # List every file under the library directory that no RPM package owns
    for i in $(du -a "$libdir"/ | grep -v '@' | awk '{print $2}'); do
        rpm -qf "$i" | grep 'not owned by any package'
    done
    echo
    echo "If you notice any files that are not part of any package, you should double-check them."
    echo
    echo "Please keep in mind that the scan that was executed is by no means a full scan of your machine."
    echo
    echo "That said, be sure to run a malware scan on your machine using appropriate tools."
    echo
    echo "In addition, it is also recommended you reboot this machine, and then run yum update afterwards."
    echo
    exit 0
}

# 64-bit OS
if [ -f "$exploit64" ]; then
    quarantine "$exploit64" /lib64 "64-bit"
fi

# 32-bit OS
if [ -f "$exploit32" ]; then
    quarantine "$exploit32" /lib "32-bit"
fi

# All other conditions. . .
echo "The Exploit has not been detected on your system using a simple check."
echo
echo "However, this doesn't mean it doesn't exist -- you should scan your system!"
echo
echo "Scan your system for a file called libkeyutils.so.1.9."
echo
echo "You can also use this command: lsof -nP | grep libkeyutils to see if it exists."
exit 0