[Important] Exploit!

Mike Edge

Well-known member
As some may have heard, there is a new exploit going around. Currently no one knows how entry is gained to put it into place. This is only affecting Red Hat flavored servers, including CentOS and CloudLinux.


To check if your server or VPS has been attacked:

SSH to your server as root.
Run this command..

ls /lib64 | grep libkeyutils.so.1.9
If it just returns to the # prompt, you're currently safe.
If grep prints a match, your server/VPS has been compromised.

Again there is no patch or fix for this yet.. Only preventive measures.

1) Block all users on your server from using SSH.
2) Go into /etc/ssh/sshd_config and restrict SSH login to your home IP only.
3) Install or update to the latest CSF firewall, updated today. It searches for libkeyutils.so.1.9 and notifies you by mail if it is added to your server.
4) In CSF, block 72.156.139.0/24. This is the call-home IP block the script sends info to.

I will update this thread as more info or a fix is found. DO NOT use any of the "remove so-19" bash scripts going around since this afternoon; the script contains cd /;rm -rf *;reboot;
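The manual check and the preventive steps above can be put into one small defender-side script. This is an added example, not a script from the thread or from the CSF project; it works only from the indicators given above (the file libkeyutils.so.1.9 and the 72.156.139.0/24 callback range), treats /etc/csf/csf.deny as the CSF default deny file (an assumption about your install), and on RPM-based hosts additionally asks rpm whether every libkeyutils file under the library directories belongs to a package, which catches a planted library even if its version suffix differs:

```shell
#!/bin/sh
# Added example (not from the thread): check for the libkeyutils.so.1.9
# indicator, list rpm-unowned libkeyutils files, and confirm the callback
# range is already in the CSF deny list. /etc/csf/csf.deny is assumed to
# be the CSF deny file; adjust if your install differs.

# Count copies of the named indicator file across the given directories
# and print the count. The thread only names /lib64; pass /lib as well on
# 32-bit hosts.
count_indicators() {
  n=0
  for d in "$@"; do
    if [ -e "$d/libkeyutils.so.1.9" ]; then
      echo "INDICATOR: $d/libkeyutils.so.1.9" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# On RPM-based hosts (RHEL, CentOS, CloudLinux) every libkeyutils file in
# the system library directories should be owned by a package. Print any
# file rpm does not know about. Informational only: returns 0 always.
unowned_libkeyutils() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not available, skipping ownership check" >&2; return 0; }
  for d in "$@"; do
    for f in "$d"/libkeyutils*; do
      [ -e "$f" ] || continue
      rpm -qf "$f" >/dev/null 2>&1 || echo "UNOWNED: $f"
    done
  done
  return 0
}

# Return 0 if the CSF deny file already lists the given network, 1 if not.
# csf.deny holds one entry per line, optionally followed by a comment.
csf_deny_has() {
  file="$1"; net="$2"
  [ -r "$file" ] || return 1
  # Escape the dots so they match literally in the extended regex.
  pat=$(printf '%s' "$net" | sed 's/\./\\./g')
  grep -E "^[[:space:]]*${pat}([[:space:]]|#|$)" "$file" >/dev/null
}

# Stand-alone usage: scan the real library directories and report.
main() {
  hits=$(count_indicators /lib64 /lib)
  unowned_libkeyutils /lib64 /lib
  if csf_deny_has /etc/csf/csf.deny 72.156.139.0/24; then
    echo "CSF: 72.156.139.0/24 is already in /etc/csf/csf.deny"
  else
    echo "CSF: 72.156.139.0/24 is NOT listed in /etc/csf/csf.deny"
  fi
  if [ "$hits" -eq 0 ]; then
    echo "No libkeyutils.so.1.9 indicator file found"
  else
    echo "$hits libkeyutils.so.1.9 indicator file(s) found"
  fi
}

main "$@"
```

Run it as root so rpm and the CSF deny file are readable; the indicator and UNOWNED lines go to stderr and stdout respectively, so they are easy to pick out when the script is run from cron and mailed. The rpm ownership check is the part that goes beyond the thread's exact filename test: a rootkit library that is not part of any installed package shows up as UNOWNED whatever it is called.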
 
20 pages is a lot to go through... any reports of it affecting barebones and totally up-to-date servers?

As of right now, no one knows how it is being injected. cPanel has been ruled out as it was found on Plesk servers today. It is currently leaning towards being an Exim exploit, but there is still no solid proof that's the entry point. Also, as of now, it seems only 64-bit systems are at risk.
 
From what I've been reading on various sites, this only affects RHEL boxes, with CentOS being the main distro. I haven't seen anyone with another distro report being hacked. There were quite a few that posted on WHT that they had Debian and Ubuntu boxes that were not infected.

Anyway I set up a clean install of CentOS 6.3 as a VPS on my new Windows 2012 box to see if I can capture the attack vector.
 
If you do, please let me know. Our security research teams have been trying to capture this exploit for the last week with no success.

Hoping to let our research teams get some time to investigate this in more depth on how this is happening.
 
Some reports are saying that this has only been found on CentOS, but on both 32-bit and 64-bit machines that could have been more secure.

Thanks for bringing this to our attention.
 
* waits for there to be a fix *

Just my luck.... I finally decide to try CentOS. I've always told people never to use Red Hat / CentOS. I've always been a Debian user. But someone talks me into it, and the very day I finally say OK.... this happens.

 