The attack vector of an SSHD exploit affecting servers in the web hosting community is still unknown, two weeks after a Web Hosting Talk community member first reported it.
So far, what is known is that if /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9 exists on a server, that server has most likely been compromised at the root level and is currently being used to send spam. Once a server has been rooted, the only way to guarantee it is clean is to wipe the drives and reinstall from scratch.
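The following is an added example (not from the article, Web Hosting Talk, CloudLinux or cPanel) that turns the one indicator named above into a repeatable check. It looks for /lib64/libkeyutils.so.1.9 and /lib/libkeyutils.so.1.9 and returns non-zero if either exists. The optional root-prefix argument, which lets the same function run against a mounted disk image or a test tree, is this script's own assumption and not something the article describes.

```sh
#!/bin/sh
# libkeyutils_check.sh - added example, not code from the article or the vendors it quotes.
# Checks for the libkeyutils.so.1.9 indicator reported on Web Hosting Talk.
# Usage: libkeyutils_indicator_check [ROOT]
#   ROOT is an assumed optional prefix (e.g. a mounted image at /mnt/disk);
#   with no argument the live filesystem is checked.
# Exit status: 0 = indicator absent, 1 = indicator present.
libkeyutils_indicator_check() {
    root="${1:-}"
    found=0
    for p in "$root/lib64/libkeyutils.so.1.9" "$root/lib/libkeyutils.so.1.9"; do
        if [ -e "$p" ]; then
            printf 'INDICATOR: %s exists\n' "$p"
            ls -l "$p"          # record owner, mode and mtime for the incident notes
            found=1
        fi
    done
    if [ "$found" -eq 1 ]; then
        printf 'Treat this host as rooted: wipe and reinstall, and rotate every password and SSH key it held.\n'
        return 1
    fi
    # The attack vector is unknown, so a clean result here only means this one
    # indicator is absent; it is not proof that the host is clean.
    printf 'No libkeyutils.so.1.9 indicator under %s/\n' "$root"
    return 0
}

# Only run against the live system when executed directly as a script.
if [ "${0##*/}" = "libkeyutils_check.sh" ]; then
    libkeyutils_indicator_check "$@"
fi
```

Run it on each host as root (the files live in system library directories, but reading them needs no special privilege, so an unprivileged check is also fine) and keep the `ls -l` line from any hit; the timestamp gives you a lower bound on when the box was touched.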
“Based on community input, it appears that both RHEL-based and Debian servers are affected. Servers with control panels such as cPanel, DirectAdmin, and Plesk are also affected,” according to Orien Wu, Web Hosting Talk social media coordinator. “Servers with both standard and non-standard SSH ports are vulnerable and even servers that only accept key authentication have been compromised. Consider all passwords (including root) and private/public keys compromised. If you’ve made SSH connections to other servers from your exploited server, that login information is likely also compromised.”
Read more on Web Hosting Talk: SSHD Rootkit Rolling Around
“We have seen the change in the payload over time. The hacker has full root access, and can do absolutely anything with the server. We have noticed that once cleaned up, servers often get re-infected,” CloudLinux CEO and founder Igor Seletskiy writes in a blog post.
cPanel also issued a statement after finding that a server used by its technical support department had been compromised.
“While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with ‘sudo’ or ‘su’ for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis,” cPanel states. “As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel’s security team is continuing to investigate the nature of this security issue.”
Talk back: Have you noticed the SSHD rootkit on your servers? What have you done to clean up your infected servers? Let us know in a comment.