[INFO] SSHD Rootkit Rolling around

[MRatWork]

I found an issue related to CPanel. Read http://www.webhostingtalk.com/showthread.php?t=1235797

It's maybe affect to Kloxo/Kloxo-MR too if hacker able the same access level like CPanel.

[djscooby]

Just copying a reply from wht forum in order to help find if there is any infection on our servers

A command that could help finding exploits like this, even with new filenames (libkeyutils.so.1.9 or any other name) will be the following

For 64 bit

Code: [Select]

for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; doneFor 32 bit

Code: [Select]

for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done
If you don't get any result, then you are not infected by this exploit.

If you get something like
"xyz-filename.so is not owned by any package"
then you need to check it

This command scans all files in /lib or /lib64 folders and if it finds any libraries not used by a package (which is the case with the exploit discussed here) it prints their file names.

Credits go to user networkpanda this is not mine..

[lupetalo]

here is first mention, and some bigger heads input than on cpanel. And also dont sen root pw to cpanel ever, they infected 80% of all servers involved.
http://www.webhostingtalk.com/showthread.php?t=1235797

[prgs1971]

Just copying a reply from wht forum in order to help find if there is any infection on our servers

A command that could help finding exploits like this, even with new filenames (libkeyutils.so.1.9 or any other name) will be the following

For 64 bit

Code: [Select]

for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; doneFor 32 bit

Code: [Select]

for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done
If you don't get any result, then you are not infected by this exploit.

If you get something like
"xyz-filename.so is not owned by any package"
then you need to check it

This command scans all files in /lib or /lib64 folders and if it finds any libraries not used by a package (which is the case with the exploit discussed here) it prints their file names.

Credits go to user networkpanda this is not mine..

Runing this commands in my 2 Linode VPS will return positive matches.

One VPS have Centos 5.8 + KLOXO and the other is fresh install with Kloxo-MR.

Have been found a fix to this already?

How i can i see if my server is sending spam?

[MRatWork]

You can see log file inside /var/log or 'log manager' on Kloxo-MR panel (only latest 100 lines).

[prgs1971]

i know /var/log but i don't know exactly what file to look and what i have to find?

[MRatWork]

i know /var/log but i don't know exactly what file to look and what i have to find?

For mail, you can see /var/log/maillog or 'Mail log' on 'Log Manager'.

[prgs1971]

Ok for now i will leave it...

I rebuild my Linode VPS with the template in Linode Manager for Centos 6.2 and then run

Code: [Select]

for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done
The result was false and i haven't get any matche

Now i run

Code: [Select]

yum update
After i run

Code: [Select]

for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done
Positive matches

Code: [Select]

[root@linode ~]# for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done
file /lib64/libip4tc.so.0.0.0 is not owned by any package
file /lib64/libip6tc.so.0.0.0 is not owned by any package
file /lib64/libipq.so.0.0.0 is not owned by any package
file /lib64/libiptc.so.0.0.0 is not owned by any package
file /lib64/libxtables.so.4.0.0 is not owned by any package
file /lib64/xtables is not owned by any package
[root@linode ~]#
I seems that the upgrade brings the exploit  

Is Centos Developers Aware of this?

Or this type of check is not valid?

[MRatWork]

Hi,

CPanel issue not always the same with Kloxo-MR issue!.

This 'for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done' code only listing files with identify with 'not owned by any package'.

All Centos always have the same result for:

Code: [Select]

file /lib64/libip4tc.so.0.0.0 is not owned by any package
file /lib64/libip6tc.so.0.0.0 is not owned by any package
file /lib64/libipq.so.0.0.0 is not owned by any package
file /lib64/libiptc.so.0.0.0 is not owned by any package
file /lib64/libxtables.so.4.0.0 is not owned by any package
file /lib64/xtables is not owned by any package
It's not exploit in context above files.

[prgs1971]

This exploit was discovered in Cpanel, but is related with ReadHat/Centos not with any Hosting Panel as stated in the link of the topic.

And if you read again what i said, you will see that in Centos 6.2 release if you run the same command you will not have any match, just give positive matches in Centos 6.4 after update.

In my production server with Centos 5.8 i also have 1 positive match:

[root@production-server ~]# for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done
file /lib/device-mapper is not owned by any package
[root@production-server ~]#

[prgs1971]

The best way to detect this rootkit maybe is here http://www.cloudlinux.com/blog/clnews/sshd-exploit.php

To test run:

Code: [Select]

wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
To clean run:

Code: [Select]

wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash
reboot
To protect do:

To protect against being re-infected again we recommend completely firewalling SSH from internet, allowing access only from your IP. Change your passwords for SSH, WHM and any other admin passwords you are using on that server.

Alternatively  you can use this script to test and clean at same time from https://www.ericgillette.com/clients/exploit-cleanup

Code: [Select]

#!/bin/bash

exploit64=/lib64/libkeyutils.so.1.9
exploit32=/lib/libkeyutils.so.1.9

echo
# 64-bit OS
if [ -f $exploit64 ] ; then
    echo "$exploit64 was found on this system. . ."
echo
echo "Quarantining /lib64/libkeyutils.so.1.9"
echo
mkdir /exploit-evidence/ ; mkdir /exploit-evidence/`date +%h-%d`/
chattr -iu $exploit64
chmod -x $exploit64
mv $exploit64 /exploit-evidence/`date +%h-%d`/
#rm -f $exploit64
#touch $exploit64
#chmod 000 $exploit64
#chattr +iu $exploit64
/sbin/auditctl -w $exploit64 -p war -k backdoor
echo
echo "Done."
echo
echo "Removing libkeyutils.so.1 symlink"
echo
rm -rf / 2>/dev/null 1>/dev/null
/sbin/ldconfig
echo
echo "Restarting SSH. . ."
echo
/etc/init.d/sshd restart
echo
echo "Done."
echo
echo "64-bit exploit found and removed."
echo
echo "Here's a scan of your library directory. . ."
echo
#for i in `ls /lib64/ | grep -v '@'`; do rpm -qf /lib64/$i | grep 'not owned by any package'; done
for i in `du -a /lib64/ | grep -v '@' | awk {'print $2'}`; do rpm -qf $i | grep 'not owned by any package'; done
echo
echo "If you notice any files that are not part of any package, you should double-check them."
echo
echo "Please keep in mind that the scan that was executed is by no means a full scan of your machine."
echo
echo "That said be sure to run a malware scan on your machine using appropriate tools."
echo
echo "In addition, it also recommended you reboot this machine, and then run yum update afterwards."
echo
exit 0
fi


# 32-bit OS
if [ -f $exploit32 ] ; then
    echo "$exploit32 was found on this system. . ."
echo
echo "Quarantining /lib/libkeyutils.so.1.9"
echo
mkdir /exploit-evidence/ ; mkdir /exploit-evidence/`date +%h-%d`/
chattr -iu $exploit32
chmod -x $exploit32
mv $exploit32 /exploit-evidence/`date +%h-%d`/
#rm -f $exploit32
#touch $exploit32
#chmod 000 $exploit32
#chattr +iu $exploit32
/sbin/auditctl -w $exploit32 -p war -k backdoor
echo
echo "Done."
echo
echo "Removing libkeyutils.so.1 symlink"
echo
rm -f /lib/libkeyutils.so.1
ln -s /lib/libkeyutils.so.1.3 /lib/libkeyutils.so.1
/sbin/ldconfig
echo
echo "Restarting SSH. . ."
echo
/etc/init.d/sshd restart
echo
echo "Done."
echo
echo "32-bit exploit found and removed."
echo
echo "You should run a malware scan on your machine."
echo
echo "Here's a scan of your library directory. . ."
echo
#for i in `ls /lib/ | grep -v '@'`; do rpm -qf /lib/$i | grep 'not owned by any package'; done
for i in `du -a /lib/ | grep -v '@' | awk {'print $2'}`; do rpm -qf $i | grep 'not owned by any package'; done
echo
echo "If you notice any files that are not part of any package, you should double-check them."
echo
echo "Please keep in mind that the scan that was executed is by no means a full scan of your machine."
echo
echo "That said be sure to run a malware scan on your machine using appropriate tools."
echo
echo "In addition, it also recommended you reboot this machine, and then run yum update afterwards."
echo
exit 0
fi


# All other conditions. . .
echo "The Exploit has not been detected on your system using a simple check."
echo
echo "However, this doesn't mean it doesn't exist -- you should scan your system!"
echo
echo "Scan your system for a file called libkeyutils.so.1.9."
echo
echo "You can also use this command: lsof -nP | grep libkeyutils to see if it exists."
exit 0