The attack vector of a SSHD exploit affecting servers in the web hosting community is still unknown, two weeks after it was detected by a Web Hosting Talk community member.
So far, what is known is that if /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9 exists on your server, it is likely to be compromised at the root level and is currently sending out spam. If a server has been rooted, the only way to guarantee a clean server is to wipe drives and do a clean installation.
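The only indicator the article gives is the presence of the two library paths quoted above. The following POSIX shell check is an added example written for this page; it is not code from Web Hosting Talk, CloudLinux or cPanel. It tests for those exact paths, and on a live host also asks the package manager whether it owns the file, since a distribution-shipped libkeyutils is recorded in the package database while a dropped-in `.1.9` copy is not. The optional root-prefix argument is an assumption added so the same check can be pointed at a mounted disk image instead of the running system.

```shell
#!/bin/sh
# Added example: look for the libkeyutils.so.1.9 indicator named in the article.
# The two paths are the ones quoted from the WHT thread. The ROOT prefix argument
# is an addition so the check can run against a mounted image or a test directory.

IOC_PATHS="/lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9"

# check_libkeyutils_ioc [ROOT]
# Prints every indicator path that exists under ROOT (default: the live system).
# Returns 0 if nothing was found, 1 if at least one indicator is present.
check_libkeyutils_ioc() {
    root="${1:-}"
    found=0
    for p in $IOC_PATHS; do
        if [ -e "${root}${p}" ]; then
            found=1
            printf 'INDICATOR PRESENT: %s\n' "${root}${p}"
            ls -l "${root}${p}"
            # Only meaningful on the live host: a legitimate libkeyutils is owned
            # by a distribution package, so "not owned by any package" supports
            # the compromise hypothesis rather than a harmless stray file.
            if [ -z "$root" ]; then
                if command -v rpm >/dev/null 2>&1; then
                    rpm -qf "$p" 2>&1 || true
                elif command -v dpkg >/dev/null 2>&1; then
                    dpkg -S "$p" 2>&1 || true
                fi
            fi
        fi
    done
    return $found
}

# Stand-alone usage: sh check_ioc.sh            (checks the running system)
#                    sh check_ioc.sh /mnt/image (checks a mounted root filesystem)
if check_libkeyutils_ioc "${1:-}"; then
    echo "no libkeyutils.so.1.9 indicator found under '${1:-/}'"
else
    echo "indicator found: treat the host as root-compromised and rebuild from clean media"
fi
```

A clean result from this check only means the specific file named so far is absent; the article is explicit that the attack vector is unknown, so the file test is a triage step, not a clearance.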
“Based on community input, it appears that both RHEL-based and Debian servers are affected. Servers with control panels such as cPanel, DirectAdmin, and Plesk are also affected,” according to Orien Wu, Web Hosting Talk social media coordinator. “Servers with both standard and non-standard SSH ports are vulnerable and even servers that only accept key authentication have been compromised. Consider all passwords (including root) and private/public keys compromised. If you’ve made SSH connections to other servers from your exploited server, that login information is likely also compromised.”
Read more on Web Hosting Talk: SSHD Rootkit Rolling around
In a blog post, CloudLinux says the library is stealing passwords, sending spam and is used as a backdoor to access the server at any time.
“We have seen the change in the payload over time. Hacker has full root access, and can do absolutely anything with the server. We have noticed that once cleaned up, servers often get re-infected,” CloudLinux CEO and founder Igor Seletskiy writes in a blog post.
cPanel also issued a statement after detecting a compromised server used in its technical support department.
“While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with ‘sudo’ or ‘su’ for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis,” cPanel states. “As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel’s security team is continuing to investigate the nature of this security issue.”
Talk back: Have you noticed the SSHD rootkit on your servers? What have you done to clean up your infected servers? Let us know in a comment.
4 comments:
The most effective way to protect against this exploit is by restricting access to SSH to your IP address only. Also, official patch package updates are soon to be released. Source: http://stacklinux.com/discussion/63/sshd-rootkit-fix-details-and-how-to-protect-your-server
I’ll happily admit that we found this on our servers. We’re pretty sure that we were one of the unfortunate groups to be affected by cPanel’s support team here. Honestly, any hosting provider should do a rebuild if they found this rootkit as once root’s compromised, all bets are off. Thankfully for us, we were just about to decommission the affected server so we just turned it off!
There is one huge omission that must be pointed out. A great deal, if not most of the credit for handling this exploit must be given to Steven Ciaburri of Rack911. He is responsible for discovery and first report of this exploit, heading the efforts to unravel how it works, and for figuring out how it managed to spread to different Linux-based systems using different software configurations.
There are many places these discussions could have taken place (other communities arguably more appropriate for this sort of deep, specific security discussion). I think it’s pretty fantastic that Steven chose to make the WebHostingTalk.com community ground zero for the dissection of this exploit. It is choices such as this that are the reason WHT is the largest, most influential web hosting community on the Internet.
No, not a trace of the above rootkit file(s). After all, it has to get uploaded somehow first.