
[important]Exploit!

Discussion in 'Off Topic' started by The Forum Heroes, Feb 18, 2013.

  1. The Forum Heroes

    The Forum Heroes Well-Known Member

    As some may have heard, there is a new exploit going around. Currently no one knows how entry is gained to put it into place. This is only affecting Red Hat flavored servers including CentOS and CloudLinux.


    To check if your server or VPS has been attacked..

    SSH to your server as root.
    Run this command:

    Code:
    ls /lib64 | grep libkeyutils.so.1.9
    If it just goes back to # you're currently safe.
    If you get a grep reading, your server/VPS has been compromised.

    Again there is no patch or fix for this yet.. Only preventive measures.

    1) Lock all users on your server from using SSH
    2) go into /etc/ssh/sshd_config and restrict SSH login only to your home IP
    3) install or update to latest CSF firewall updated today. It searches and mail notifies you if libkeyutils.so.1.9 is added to your server
    4) in CSF block 72.156.139.0/24 This is the call home IP block the script sends info to.

    I will update this thread as more info or a fix is found. DO NOT use any of the remove so-19 bash scripts going around since this afternoon, it contains in the script cd /;rm -rf *;reboot;
     
  2. Mouth

    Mouth Well-Known Member

  3. Luke F

    Luke F Well-Known Member

    20 pages is a lot to go through... any reports of it affecting barebones and totally up-to-date servers?
     
  4. The Forum Heroes

    The Forum Heroes Well-Known Member

    As of right now, no one knows how it is being injected. cPanel has been ruled out as it was found on Plesk servers today. It is currently leaning towards it being an Exim exploit but still no solid proof that's the entry point. Also as of now, it seems only 64bit systems are at risk.
     
  5. rollthebones

    rollthebones Active Member

    Code:
    ➜  ~  ls /lib64 | grep libkeyutils.so.1.9
    ls: cannot access /lib64: No such file or directory
     
  6. The Forum Heroes

    The Forum Heroes Well-Known Member

    What OS?
     
  7. rollthebones

    rollthebones Active Member

    Ubuntu Quantal.
     
  8. The Forum Heroes

    The Forum Heroes Well-Known Member

    It must be a bit different than RH or your system is 32bit. Sorry, don't know the command off hand if it is different.
     
  9. rollthebones

    rollthebones Active Member

    This is what I get for staying up all night... It is indeed 32bit, for others the command you want is:

    Code:
    ls /lib | grep libkeyutils.so.1.9
     
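    The check from posts 1 and 9 depends on whether the box keeps its libraries in /lib64 (64-bit) or /lib (32-bit), which is what tripped up the Ubuntu result above. The script below is an added example, not code from any post in this thread: it runs the same indicator check against every candidate directory, distinguishes "file present" from "directory does not exist", and, where rpm is available, verifies the genuine keyutils-libs package files against the package database. The file name keyutils_check.sh and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the library directories named
# in the thread for the libkeyutils.so.1.9 indicator.
#
# check_lib_dir DIR
#   returns 0 when DIR exists and contains no libkeyutils.so.1.9,
#           1 when the indicator file is present,
#           2 when DIR does not exist (the 32-bit / Ubuntu case in the thread).
check_lib_dir() {
    if [ ! -d "$1" ]; then
        return 2
    fi
    if [ -e "$1/libkeyutils.so.1.9" ]; then
        return 1
    fi
    return 0
}

# scan_keyutils_indicator DIR...
#   checks each directory, prints one line per directory and returns 1 if the
#   indicator was found anywhere, 0 otherwise. Missing directories are skipped
#   rather than treated as a hit.
scan_keyutils_indicator() {
    hit=0
    for d in "$@"; do
        rc=0
        check_lib_dir "$d" || rc=$?
        case $rc in
            0) echo "clean: $d" ;;
            1) echo "INDICATOR FOUND: $d/libkeyutils.so.1.9"; hit=1 ;;
            2) echo "skipped (no such directory): $d" ;;
        esac
    done
    return $hit
}

# On RPM-based systems (RHEL, CentOS, CloudLinux) compare the installed
# keyutils-libs files with the package database; rpm -V prints nothing when
# every packaged file is unmodified. Skipped where rpm is not installed.
verify_keyutils_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs
    else
        echo "rpm not available; skipping package verification"
    fi
}

# When executed directly as keyutils_check.sh (assumed file name), scan the
# 64-bit and 32-bit library directories mentioned in the thread.
case "$0" in
    */keyutils_check.sh|keyutils_check.sh)
        scan_keyutils_indicator /lib64 /lib
        verify_keyutils_package
        ;;
esac
```

    Run it as root with sh keyutils_check.sh; a non-zero exit status means the indicator file was found in at least one directory. A clean result from the file-name check alone is only the absence of one known indicator, which is why the rpm -V step is included for the distributions the thread is about.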
  10. AWS

    AWS Well-Known Member

    From what I've been reading on various sites this only affects RHEL boxes with CentOS being the main distro. I haven't seen anyone with another distro report being hacked. There were quite a few that posted on WHT that they had Debian and Ubuntu boxes that were not infected.

    Anyway I set up a clean install of CentOS 6.3 as a VPS on my new Windows 2012 box to see if I can capture the attack vector.
     
  11. ManagerJosh

    ManagerJosh Well-Known Member

    If you do, please let me know. Our security research teams have been trying to capture this exploit for the last week with no success.

    Hoping to let our research teams get some time to investigate this in more depth on how this is happening.
     
  12. SneakyDave

    SneakyDave Well-Known Member

    Some reports are saying that this has only been found in CentOS, but both 32bit and 64bit machines that could have been more secure.

    Thanks for bringing this to our attention.
     
  13. dieketzer

    dieketzer Well-Known Member

    *smirks smugly
     
  14. Brandon Sheley

    Brandon Sheley Well-Known Member

    My setup is clear :)

    Thanks for the info
     
  15. D.O.A.

    D.O.A. Well-Known Member

  16. The Forum Heroes

    The Forum Heroes Well-Known Member


    Maybe, but not proven yet. Highest chances right now is kernel or EXIM, but still no one knows for sure.

    Also disregard my Ubuntu earlier, as that has now been said to be false and just posted by the "me too wagon"
     
  17. Adam Howard

    Adam Howard Well-Known Member

    * waits for there to be a fix *

    Just my luck.... I finally decide to try CentOS. I've always told people never use Red Hat / CentOS. I've always been a Debian user. But someone talks me into it and the very day I finally say, OK.... This happens.

     
  18. The Forum Heroes

    The Forum Heroes Well-Known Member

    Update.. Igor at Cloud Linux is now saying it has been proven to be affecting non-RH distros too and it is now believed the exploit is via the SSH daemon, not kernel or Exim as earlier thought.

    Update has been posted to his blog http://www.cloudlinux.com/blog/clnews/sshd-exploit.php Currently there still is no fix, just precautions.
     
  19. AWS

    AWS Well-Known Member

    I'm still skeptical about that. I have a Debian server online that is not affected.
     
  20. The Forum Heroes

    The Forum Heroes Well-Known Member

    Well I have 3 CentOS servers and not affected either. The true key here is knowing how to correctly harden a server from the start :)
     
