SSHD RootKit Security Alert
Posted by Will Kruss on 28 April 2016 05:55 PM
SSH RootKit applies to all variants of Linux including Ubuntu, Debian, CentOS etc. Find more details on VPSBlocks.

SSH RootKit on Linux based machines security alert (updated 23/02/2013)

Applies To
All variants of Linux including Ubuntu, Debian, CentOS, OpenSUSE, Red Hat

Information
A rootkit has been discovered which leaves a backdoor on the system and gains full root access to Linux based servers. The cause of the rootkit (how servers are being compromised) is not yet known, so there is NO available patch at this time.

Recommendation
It is recommended to either close SSH access entirely or to only allow your own IP address to connect. If you use cPanel/WHM you should turn off the SSHD service:
If you do not use cPanel/WHM and SSHD is your only access to the server, you should restrict it to a specific IP address using iptables. For help on that please see: http://www.debian-administration.org/articles/87 (this will work on all variants of Linux, not just Debian).

Check for Infection
All users should check to see if they are infected. To do that, run:

wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

If you are found to be infected, the following script changes the links back to their original state, although no guarantee is given that it will clean up anything that has been installed after a compromise:

wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

A reboot of the server is required if infected libraries are found, so that no running process (including sshd itself) continues to use the compromised library.

Detailed Information
For up-to-date detailed information see here:
Currently available information:
Possible adverse impact of the rootkit:
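As an added example (not part of the original alert), the iptables restriction the Recommendation section describes, written as a small POSIX shell script: it validates the admin address, prints the rules so they can be reviewed before anything is changed, and applies them only when explicitly asked. The address 203.0.113.5 and the SSH_LOCKDOWN_ADMIN_IP / SSH_LOCKDOWN_PORT variables are constructed placeholders; an IPv4 host with iptables and the conntrack match is assumed.

```shell
#!/bin/sh
# Added example, not from the VPSBlocks alert: allow SSH only from one admin
# address with iptables. Assumes IPv4, iptables with the conntrack match, and
# SSH on port 22 unless a port is given. 203.0.113.5 is a constructed sample.

# Cheap sanity check: a dotted-quad IPv4 address, optionally with a /prefix.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    ip=${1%%/*}
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules, one per line, without applying them. The ACCEPT rules are
# appended before the DROP, so a packet only reaches the DROP if neither
# ACCEPT matched. The ESTABLISHED rule keeps an already-open session (for
# example the one you are typing this into) alive even if it did not come
# from the admin address.
ssh_lockdown_rules() {
    admin_ip=$1
    port=${2:-22}
    valid_ipv4 "$admin_ip" || { echo "invalid IPv4 address: '$admin_ip'" >&2; return 1; }
    case "$port" in
        ""|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -s $admin_ip -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# Apply the rules. Must run as root; stops at the first iptables failure.
apply_ssh_lockdown() {
    rules=$(ssh_lockdown_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        echo "+ $rule"
        $rule || exit 1
    done
}

# Only touch the firewall when explicitly asked, e.g.
#   SSH_LOCKDOWN_ADMIN_IP=203.0.113.5 sh ssh_lockdown.sh
# Without the variable the script just defines the functions above.
if [ -n "${SSH_LOCKDOWN_ADMIN_IP:-}" ]; then
    apply_ssh_lockdown "$SSH_LOCKDOWN_ADMIN_IP" "${SSH_LOCKDOWN_PORT:-22}"
fi
```

Two things to check after applying: `-A` appends to the end of INPUT, so any earlier rule that already accepts port 22 from anywhere takes precedence (inspect with `iptables -L INPUT -n --line-numbers` and remove or reorder it), and the rules are not persistent, so after the reboot the alert asks for they must be restored with `iptables-save`/`iptables-restore` or your distribution's firewall persistence mechanism.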