[important] Exploit!

Mike Edge

As some may have heard, there is a new exploit going around. Currently no one knows how entry is gained to put it into place. This is only affecting Red Hat-flavored servers, including CentOS and CloudLinux.


To check if your server or VPS has been attacked:

SSH to your server as root.
Run this command:

Code:
ls /lib64 | grep libkeyutils.so.1.9

If it just goes back to #, you're currently safe.
If you get a grep reading, your server/VPS has been compromised.

Again, there is no patch or fix for this yet. Only preventive measures.

1) Lock all users on your server out of SSH.
2) Go into /etc/ssh/sshd_config and restrict SSH login to your home IP only.
3) Install or update to the latest CSF firewall, updated today. It searches for libkeyutils.so.1.9 and notifies you by mail if it is added to your server.
4) In CSF, block 72.156.139.0/24. This is the call-home IP block the script sends info to.

I will update this thread as more info or a fix is found. DO NOT use any of the "remove so-19" bash scripts going around since this afternoon; the script contains cd /;rm -rf *;reboot;
 

Luke F

20 pages is a lot to go through... any reports of it affecting barebones and totally up-to-date servers?
 

Mike Edge

Luke F said:
20 pages is a lot to go through... any reports of it affecting barebones and totally up-to-date servers?

As of right now, no one knows how it is being injected. cPanel has been ruled out, as it was found on Plesk servers today. It is currently leaning towards being an Exim exploit, but there is still no solid proof that that's the entry point. Also, as of now, it seems only 64-bit systems are at risk.
 

rollthebones

It must be a bit different then from RH, or your system is 32-bit. Sorry, I don't know the command offhand if it is different.

This is what I get for staying up all night... It is indeed 32-bit; for others, the command you want is:

Code:
ls /lib | grep libkeyutils.so.1.9
 
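Since the check in Mike Edge's first post depends on whether the box is 32-bit (/lib) or 64-bit (/lib64), as rollthebones found out, here is a small POSIX shell script that does the same lookup across every library directory you hand it. This is an added example for the thread, not something either poster provided. The directory list passed on the command line and the rpm -qf cross-check (a file that no package owns is the more worrying case) are my own additions and are not part of the checks described above.

```shell
#!/bin/sh
# Added example, not from the thread: look for the dropped libkeyutils.so.1.9
# in whichever library directories are passed as arguments, so the same script
# works on 32-bit (/lib) and 64-bit (/lib64) CentOS/RHEL hosts.

SUSPECT_NAME="libkeyutils.so.1.9"

# check_libkeyutils DIR...
# Prints every matching path it finds.
# Returns 0 if nothing was found (the "just goes back to #" case in the thread),
# 1 if at least one suspect file exists.
check_libkeyutils() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Match the exact name and anything appended to it (e.g. a versioned copy).
        for f in "$dir"/"$SUSPECT_NAME"*; do
            [ -e "$f" ] || continue
            found=1
            echo "SUSPECT: $f"
            # Assumption of this example: on an RPM-based host a legitimate
            # keyutils library is owned by a package, so a file rpm does not
            # know about deserves a closer look. Skipped where rpm is absent.
            if command -v rpm >/dev/null 2>&1; then
                if ! rpm -qf "$f" >/dev/null 2>&1; then
                    echo "  -> not owned by any RPM package"
                fi
            fi
        done
    done
    return $found
}

# Only scan when directories are given, e.g.:
#   sh check_libkeyutils.sh /lib /lib64 /usr/lib /usr/lib64
if [ "$#" -gt 0 ]; then
    check_libkeyutils "$@"
fi
```

Run it as root with the library directories for your architecture; a non-zero exit status means a suspect file was listed, which is the same signal as the grep returning a line in the original check.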

AWS

From what I've been reading on various sites, this only affects RHEL boxes, with CentOS being the main distro. I haven't seen anyone with another distro report being hacked. There were quite a few who posted on WHT that they had Debian and Ubuntu boxes that were not infected.

Anyway, I set up a clean install of CentOS 6.3 as a VPS on my new Windows 2012 box to see if I can capture the attack vector.
 

ManagerJosh

AWS said:
From what I've been reading on various sites, this only affects RHEL boxes, with CentOS being the main distro. I haven't seen anyone with another distro report being hacked. There were quite a few who posted on WHT that they had Debian and Ubuntu boxes that were not infected.

Anyway, I set up a clean install of CentOS 6.3 as a VPS on my new Windows 2012 box to see if I can capture the attack vector.

If you do, please let me know. Our security research teams have been trying to capture this exploit for the last week with no success.

Hoping to let our research teams get some time to investigate in more depth how this is happening.
 

SneakyDave

Some reports are saying that this has only been found on CentOS, but on both 32-bit and 64-bit machines that could have been more secure.

Thanks for bringing this to our attention.
 

Adam Howard

* waits for there to be a fix *

Just my luck... I finally decide to try CentOS. I've always told people never to use Red Hat / CentOS. I've always been a Debian user. But someone talks me into it, and the very day I finally say "OK"... this happens.

 