Mike Edge
Well-known member
As some may have heard, there is a new exploit going around. Currently no one knows how entry is gained to put it into place. This is only affecting Red Hat flavored servers, including CentOS and CloudLinux.
To check if your server or VPS has been attacked:
SSH to your server as root.
Run this command:
ls /lib64 | grep libkeyutils.so.1.9
If it just goes back to #, you're currently safe.
If you get a grep reading, your server/VPS has been compromised.
Again, there is no patch or fix for this yet. Only preventive measures.
1) Lock all users on your server from using SSH
2) Go into /etc/ssh/sshd_config and restrict SSH login only to your home IP
3) Install or update to the latest CSF firewall, updated today. It searches and mail-notifies you if libkeyutils.so.1.9 is added to your server
4) In CSF, block 72.156.139.0/24. This is the call-home IP block the script sends info to.
I will update this thread as more info or a fix is found. DO NOT use any of the remove so-19 bash scripts going around since this afternoon; they contain in the script cd /;rm -rf *;reboot;
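A stricter form of the check in the post above, added here as an example and not part of the original post: it matches the file name exactly (the dots in the `grep` pattern match any character), also looks in `/lib`, and on the live root asks `rpm -qf` which package owns a hit. The function names, the `/lib` check and the `rpm` query are assumptions of this example, not something the post mentions.

```shell
#!/bin/sh
# Added example: look for the libkeyutils.so.1.9 indicator named in the post.
# Usage: sh check_keyutils.sh /     (or a mounted disk image root to inspect offline)
# Assumptions (not from the post): /lib is checked as well as /lib64, and
# rpm -qf is used to show package ownership of any hit.

SUSPECT_NAME="libkeyutils.so.1.9"   # file name taken from the post

# find_suspect_lib ROOT
# Prints each path under ROOT/lib and ROOT/lib64 whose name is exactly
# SUSPECT_NAME. Returns 0 if at least one exists, 1 otherwise.
find_suspect_lib() {
    fsl_root="${1%/}"
    fsl_found=1
    for fsl_dir in lib lib64; do
        fsl_path="$fsl_root/$fsl_dir/$SUSPECT_NAME"
        # -e follows symlinks; -L also catches a dangling symlink
        if [ -e "$fsl_path" ] || [ -L "$fsl_path" ]; then
            printf '%s\n' "$fsl_path"
            fsl_found=0
        fi
    done
    return "$fsl_found"
}

# report_host ROOT
# Returns 0 when nothing is found, 2 when the indicator is present.
report_host() {
    rh_root="${1:-/}"
    if ! rh_hits="$(find_suspect_lib "$rh_root")"; then
        echo "OK: $SUSPECT_NAME not present under $rh_root"
        return 0
    fi
    printf '%s\n' "$rh_hits" | while IFS= read -r rh_hit; do
        echo "ALERT: found $rh_hit"
        ls -l "$rh_hit"          # size, owner and mtime for the incident notes
        # Ownership is triage context only, not a verdict; only meaningful
        # when inspecting the running system's own RPM database.
        if [ "$rh_root" = "/" ] && command -v rpm >/dev/null 2>&1; then
            rpm -qf "$rh_hit" || true
        fi
    done
    return 2
}

if [ "$#" -gt 0 ]; then
    report_host "$1"
fi
```

The non-zero exit status on a hit lets the script run from cron or a monitoring agent and alert on failure.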