Thread: SSHD Rootkit Rolling around
-
02-08-2013, 12:59 AM #1 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
SSHD Rootkit Rolling around
Quick survey, anyone seen a rootkit being used to send spam through sshd involving a library called 'libkeyutils.so.1.9'?
If so, what OS did you see it on?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
02-08-2013, 08:51 AM #2 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
The "sending spam through sshd" part sounds familiar, and /lib64/libkeyutils.so.1.9 is present on the hacked system but not on other CentOS 6.3 servers. The techs (unreliable?) reported a root login wasn't prevented by a password change.
CentOS release 6.3 (Final)
md5sum /lib64/libkeyutils.so.1.9
c1f53b3ecb05102d46f1d533fe093529 /lib64/libkeyutils.so.1.9
-rwxr-xr-x 1 root root 34584 Jun 22 2012 /lib64/libkeyutils.so.1.9*
rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
uname -r: 2.6.32-279.14.1.el6.x86_64.debug
-
02-08-2013, 12:35 PM #3 Temporarily Suspended
- Join Date: Mar 2012
- Location: Tampa, FL =)
- Posts: 1,954
I too can confirm this. Currently working with clients with spam issues and it is present. I checked other boxes we run and own and the library is nowhere to be found. It is only found on spam-infested machines.
uname -a
2.6.32-042stab059.7
md5sum /lib64/libkeyutils.so.1.9
d81217186da61125f4dad7a87857b697 /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
-
02-08-2013, 01:19 PM #4 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
They are not logging in with root, nor are they even spawning a bash process.
If the lib is moved out and sshd is restarted, they cannot log in anymore, FWIW.
The key is finding out how they are getting in. Fully upgraded systems with key-restricted sshd on non-standard ports are being compromised.
None of my customers are, but I have been getting a lot of sales inquiries with this issue, so I don't know the full history of the machines.
Seeing it on CentOS 5, CentOS 6, CloudLinux 5, CloudLinux 6.
Last edited by Steven; 02-08-2013 at 01:27 PM.
-
02-08-2013, 03:43 PM #5 Aspiring Evangelist
- Join Date: Sep 2000
- Posts: 429
I haven't seen this yet, but will keep my eye out.
Is it only 64-bit systems you are seeing? Are tcpwrappers or firewalling off ssh making a difference?
-
02-08-2013, 04:41 PM #6 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
Firewalling off ssh stopped them on the machine I was looking at.
And the machine was 64 bit.
FWIW I suspect they are getting in initially some other way than ssh, but have no evidence.
-
02-08-2013, 05:28 PM #7 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
John,
Iptables will stop them.
Tcpwrappers does not.
Brianoz,
It's unlikely it's ssh; found a box that had the file but ssh was disabled with a hardware firewall.
-
02-09-2013, 08:43 AM #8 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
Steven - sorry for being unclear. I didn't mean to imply the initial attack was from ssh; what I meant was that an iptables block on ssh stopped them reconnecting, exactly as you've seen.
Is the following consistent with what you've seen?
1. User account compromised at PHP level
2. Compromised account used to hack root and backdoor sshd via libkeyutils
3. Spam sent
The question being: how is the #2 root hack being done? #1 could be through any vulnerable site, CMS, etc.
-
02-09-2013, 09:13 AM #9 Newbie
- Join Date: Feb 2006
- Posts: 19
A quick search showed a couple of web hosts, cleaned up now apparently, where leading (doc root?) directory names include "sym" and "lib" (as in /%{accountname}/sym/lib%{arch}), but most often "/sym/root/usr/lib%{arch}/". Would any of you be able to dump a copy of the file(s) at sourceforge +.net/tracker/ +?group_id=155034&atid=794187 or send it to me for analysis? Much appreciated, TIA.
Last edited by unSpawn; 02-09-2013 at 09:28 AM. Reason: //More *is* more
-
02-09-2013, 09:24 AM #10 Newbie
- Join Date: Feb 2006
- Posts: 19
If you don't mind me asking:
- What exactly do you mean by "account compromised at PHP level"? Do you mean the attacker leveraged a known vulnerability in a product, or is it a guess?
- Did this compromised account have a valid shell? Does its shell history show any "interesting" commands like wget, cURL or other downloads? Do system or daemon logs show any commands related to this users account? Did the user dump files in the system? Does a quick LMD scan reveal any PHP shells or other unwanted items?
- If you trawl your logs, could you guesstimate how much time there would have been approximately between the initial breach and the root compromise?
-
02-09-2013, 05:48 PM #11 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
Could you state the names of the files you're looking for a little more clearly? Couldn't see anything like /home/*/sym/lib or /home/*/sym/usr/lib ...
In other words, a standard shared server compromise where old WordPress/Joomla/etc installs or plugins are used to break into an account and run as that user.
- Did this compromised account have a valid shell? Does its shell history show any "interesting" commands like wget, cURL or other downloads? Do system or daemon logs show any commands related to this users account?
- If you trawl your logs, could you guesstimate how much time there would have been approximately between the initial breach and the root compromise?
-
02-09-2013, 07:06 PM #12 Newbie
- Join Date: Feb 2006
- Posts: 19
-
02-11-2013, 08:25 AM #13 Web Hosting Master
- Join Date: Jun 2001
- Location: Princeton
- Posts: 1,029
Does anyone have details on the software / versions installed on the servers?
Something like rpm -qa from the servers would be a very nice start.
Igor Seletskiy
CEO @ Cloud Linux Inc
http://www.cloudlinux.com
CloudLinux -- The OS that can make your Shared Hosting stable
-
02-12-2013, 09:36 PM #14 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
Output of rpm -qa: http://pastebin.com/nTc8wj3U
Output of rpm -Va (verify): http://pastebin.com/Fz0AxR3W
The "5" means the MD5 digest changed, which is often benign, but may help. The -Va was run on a fully infected system; some changes may have been made by the time the -qa output was obtained.
See my post #2 above for the matching O/S version etc.
Last edited by brianoz; 02-12-2013 at 09:40 PM. Reason: add OS version
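The checks people ran by hand above (md5sum and rpm -qf against /lib64/libkeyutils.so.1.9 in posts #2 and #3, reading the rpm -Va flags in post #14) can be scripted so they are repeatable across a fleet. The snippet below is an added example written for this thread, not tooling from any of the posters; it assumes an RPM-based host like the CentOS/CloudLinux boxes discussed, POSIX sh, awk and md5sum. The two digests are the ones reported in posts #2 and #3; the sample rpm -Va lines in the comments are constructed.

```shell
#!/bin/sh
# Added triage helpers for this thread (not any poster's own tooling).
# Assumptions: RPM-based host (CentOS / CloudLinux as in the thread), POSIX sh,
# awk and md5sum present. Nothing here modifies the system; it only reports.

# MD5 digests of /lib64/libkeyutils.so.1.9 reported in posts #2 and #3 of this thread.
KNOWN_BAD_MD5="c1f53b3ecb05102d46f1d533fe093529
d81217186da61125f4dad7a87857b697"

# Return 0 if the hash given as $1 matches one reported in the thread (case-insensitive).
is_known_bad_md5() {
    echo "$KNOWN_BAD_MD5" | grep -qix "$1"
}

# Return 0 if the file at $1 exists and hashes to a known-bad digest.
file_is_known_bad() {
    [ -f "$1" ] || return 1
    is_known_bad_md5 "$(md5sum "$1" | awk '{print $1}')"
}

# Read `rpm -Va` output on stdin and print the paths under system binary/library
# directories whose size (S) or MD5 digest (5) differs from the package database,
# or which are missing entirely. Config files (marker 'c') are skipped because
# they change legitimately on a live server. Constructed sample input lines:
#   S.5....T.    /usr/lib64/libfoo.so
#   S.5....T.  c /etc/foo.conf
#   missing      /usr/sbin/gone
suspicious_from_verify() {
    awk '
    {
        flags = $1; path = $NF; marker = (NF == 3) ? $2 : ""
        if (marker == "c") next
        if (path !~ /^\/(lib|lib64|usr\/lib|usr\/lib64|bin|sbin|usr\/bin|usr\/sbin)\//) next
        if (flags == "missing" || flags ~ /5/ || flags ~ /S/) print path
    }'
}

# List libkeyutils files in a library directory that no package owns, the same
# `rpm -qf` check posters #2 and #3 did. Prints nothing if rpm is unavailable.
unowned_libs() {
    dir="${1:-/lib64}"
    command -v rpm >/dev/null 2>&1 || return 0
    for f in "$dir"/libkeyutils*; do
        [ -e "$f" ] || continue
        rpm -qf "$f" 2>&1 | grep -q "is not owned by any package" && echo "$f"
    done
}

# Show which libkeyutils sshd actually resolves at load time (the library name
# the implant hides behind). Prints nothing if ldd or sshd is absent.
sshd_keyutils_dep() {
    command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ] || return 0
    ldd /usr/sbin/sshd | awk '/libkeyutils/ {print $3}'
}

# Stand-alone usage on a live host:  sh triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    unowned_libs /lib64
    unowned_libs /lib
    sshd_keyutils_dep
    for f in /lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9; do
        file_is_known_bad "$f" && echo "KNOWN BAD DIGEST: $f"
    done
    rpm -Va 2>/dev/null | suspicious_from_verify
fi
```

A digest match is only useful against the two samples seen so far, so treat the package-ownership and rpm -Va checks as the primary signals and the hash list as confirmation; a clean rpm -Va on a box where the rootkit controls sshd still cannot be fully trusted, since the comparison runs on the compromised host.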
-
02-12-2013, 11:15 PM #15 Web Hosting Master
- Join Date: Jun 2001
- Location: Princeton
- Posts: 1,029
Which control panel do the affected servers run?
Does anyone know how they are getting infected yet?
-
02-13-2013, 12:05 AM #16 Temporarily Suspended
- Join Date: Mar 2012
- Location: Tampa, FL =)
- Posts: 1,954
-
02-13-2013, 02:15 AM #17 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
cPanel, and also poorly secured. We don't know how they are getting to root to install the backdoor yet.
-
02-13-2013, 03:30 AM #18 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
Trying to tackle all angles, what imap/pop3 server are you seeing on the servers (dovecot vs courier)?
-
02-13-2013, 03:43 AM #19 Web Hosting Master
- Join Date: Nov 2004
- Location: Australia
- Posts: 1,737
FYI, courier on the only server I know that was exploited.
-
02-13-2013, 11:55 AM #20 Problem Solver
- Join Date: Mar 2003
- Location: California USA
- Posts: 13,681
What about you, SolidShellSecurity?
Could be off base here, but I have not seen a server with dovecot exploited.
-
02-13-2013, 12:05 PM #21 Web Hosting Master
- Join Date: Mar 2003
- Location: Canada
- Posts: 9,072
Been so long since a Courier IMAP exploit existed... What FTP daemon were all of those boxes running?
-
02-13-2013, 02:41 PM #22 Temporarily Suspended
- Join Date: Mar 2012
- Location: Tampa, FL =)
- Posts: 1,954
-
02-13-2013, 02:58 PM #23 Aspiring Evangelist
- Join Date: Sep 2000
- Posts: 429
Just given the fact that only 64-bit servers (so far) are known to be exploited, it could be related to past exploits on 64-bit systems. It's been a while, but I wouldn't discount previously hacked machines from that kind of exploit.
-
02-13-2013, 04:02 PM #24 WHT Addict
- Join Date: May 2003
- Location: Texas
- Posts: 154
How did you come to the conclusion on finding /lib64/libkeyutils.so.1.9 in the first place? What led you to this file?
█ DDoS Protected Chicago and New York Virtual Private Servers with INSTANT setup!
█ RAID-10 OpenVZ Virtual Private Servers with hundreds of OS templates!
█ CometVPS.com - We're all about customer experience. Try us!
-
02-13-2013, 09:48 PM #25 Web Hosting Master
- Join Date: Mar 2003
- Location: Canada
- Posts: 9,072
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.