Knowledgebase
Knowledgebase
SSHD RootKit Security Alert
Posted by Will Kruss on 28 April 2016 05:55 PM

SSH RootKit applies variants of Linux including Ubuntu, Debian, CentOS etc. Find more details on VPSBlocks.

SSH RootKit on Linux based machines security alert (updated 23/02/2013)

Applies To

All variants of Linux including Ubuntu, Debian, CentOS, OpenSUSE, Red Hat

Information

A rootkit has been discovered which leaves a backdoor on the system and gains full root access to Linux based servers.

The cause of the rootkit is not yet known, as such there is NO available patch at this time.

Recommendation

It is recommended to either close SSH access entirely or to only allow your own IP address to connect.

If you use cPanel/WHM you should turn off the SSHD service:

  • Log into WHM -> Service Configuration -> Service Manager
  • Then uncheck 'enabled' for the sshd service and hit 'Save'
  • Then go to WHM -> Restart Services -> SSH Server (OpenSSH) and restart it (this will then shut down SSH and NOT restart it as you disabled it in the previous step)

If you do not use cPanel/WHM and SSHD is your only access to the server, you should secure it to a specific IP address using iptables.

For help on that please see: http://www.debian-administration.org/articles/87 (this will work on all variants of Linux not just Debian)

Check for Infection

All users should check to see if they are infected. To do that run:

wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

If you are found the be infected, this script changes the links back to their original state, although no guarantee is given that it will cleanup anything that has been installed after a compromise:

wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash

A reboot of the server is required in case of infected libraries being found.

Detailed Information
 
For up to date detailed information see here:
 
Currently available information:
  • Rootkit deposits files /lib64/libkeyutils.so.1.9 on 64bit systems and /lib/libkeyutils.so.1.9 on 32bit systems
  • It changes link: /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.
Possible adverse impact of the rootkit:
  • passwords, ssh keys and /etc/shadow stealing
  • backdoor to access the server at any time
  • spam sending from the server
(1 vote(s))
Helpful
Not helpful