Author Topic: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...

Offline AndrzejL

  • PCLinuxOS Tester
  • Super Villain
  • Posts: 12789
  • RLU #490933
    • Wordpress On The Wardrobe...
Many users have reported that on some servers they have noticed a suspicious file: libkeyutils.so.1.9. The only "symptom" so far is that from time to time spam is being sent from those servers, but everything indicates that the attackers gained root on the machines and can start using them for any other purpose at any time...

No one knows how the file gets on the server. Some say that right after the file was detected they "burned the machines to the ground" and had fresh systems installed, just to find the file there again a few minutes later. This might suggest an attack from the administrator's machine: an infected administrator logs into the remote machine and unwillingly / unknowingly places the backdoor on it. Logs indicate that the attack is performed automatically.

How to check if You were 'rooted'?

Code:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9

Those files should not exist.

or:

Code:
su -c "updatedb" && locate libkeyutils.so.1.9
There should be no output:

Quote
[andrzejl@wishmacer ~]$ su -c "updatedb" && locate libkeyutils.so.1.9
Password:
[andrzejl@wishmacer ~]$

Backdoor analysis - is it a 0day attack?

One of the reddit users analyzed the file and found an encoded IP in it:

Quote
$ ./audit libkeyutils.so.1.9 output
$ strings output |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
78.47.139.110

The IP points to the domain RUBOP.COM, which belongs to:

Quote
Administrative Contact:
Ibragimov, Sergey pmadison12 at gmail dot com
Polanskay 11
Moskow, Russia 11223

Additionally, some users report that some of the backdoored systems send packets to 72.156.139.154 on port 53/UDP during the SSH connection (containing user data - plain-text login credentials...)

It was confirmed that the problems exist in distros based on RHEL and with cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-5671, remote code execution in Exim.

Removing the libkeyutils.so.1.9 file from Your server does not really solve anything... The attacker somehow had to access the machine, so without knowing the point of entry and patching it You are still vulnerable. There is no confirmed info about which vulnerability the attackers are using, whether it is an old, known vulnerability or a 0day...

Source: http://niebezpiecznik.pl/post/backdoor-udajacy-biblioteke-ssh-sprawdzcie-swoje-systemy-pod-katem-libkeyutils-so-1-9/

Regards.

Andrzej
« Last Edit: February 20, 2013, 03:52:57 AM by AndrzejL »

Offline 7272andy

  • PCLinuxOS Tester
  • Hero Member
  • Posts: 1627
  • UK MLU
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #1 on: February 20, 2013, 04:07:22 AM »
Cheers dude,  all clear here!

Regards


Bare Metal 1         Bare Metal 2
Intel Celeron 420M   Intel i5 540M
2GB Ram              4GB Ram
Intel 943GM          Radeon HD 5650 PCI Express
RT2573               RT2790
32bit KDE            32&64bit KDE

Offline kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • Posts: 3979
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #2 on: February 20, 2013, 09:46:36 AM »
Not sure this isn't a legitimate file name on some systems. We have a link "libkeyutils.so.1" to libkeyutils-1.2.so and I imagine on some systems that could easily be called libkeyutils.so.1.2, so 1.9 could just be a later version.

It might not be the presence of the file, but the altered contents that matters.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf

Offline AndrzejL
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #3 on: February 20, 2013, 10:51:49 AM »
Quote
Not sure this isn't a legitimate file name on some systems. We have a link "libkeyutils.so.1" to libkeyutils-1.2.so and I imagine on some systems that could easily be called libkeyutils.so.1.2, so 1.9 could just be a later version.

It might not be the presence of the file, but the altered contents that matters.

As far as I know there is no 1.9 version yet, so... it's the presence that matters - although nothing keeps the hackers from changing the file name to 1.11 anytime they want... so not having the 1.9 version does not mean that You are not infected, but so far this is what the file is called.

Regards.

Andrzej
« Last Edit: February 20, 2013, 11:17:10 AM by AndrzejL »
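As an added example (not code from the thread or from any of its posters), here is a POSIX shell script that automates the check from the first post and also covers the point raised in the exchange above: it scans the usual library directories for any libkeyutils.so.* file, always flags the exact name libkeyutils.so.1.9, and, on RPM-based systems, flags any other libkeyutils.so.* file that no installed package owns. That ownership test is the same thing `rpm -qf` does in the first post, and it is what separates a renamed copy of the backdoor from the legitimate versioned library kjpetrie describes. The default directory list, the reliance on rpm for ownership, and the behaviour on a system without rpm (the file is reported but its ownership is not checked) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): scan library directories for
# libkeyutils.so.* files and flag the ones the thread treats as suspicious.
#   - the exact name libkeyutils.so.1.9 is always flagged (the known name)
#   - any other libkeyutils.so.* file is flagged when rpm is available and
#     no installed package owns it (covers a renamed copy, e.g. .1.11)
# Usage: check_libkeyutils [dir ...]   (defaults to the usual lib dirs;
#        the default list is an assumption, adjust it for your distro)
# Returns 0 when nothing suspicious was found, 1 otherwise.

KNOWN_BAD_NAME="libkeyutils.so.1.9"

check_libkeyutils() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="/lib /lib64 /usr/lib /usr/lib64"
    have_rpm=0
    command -v rpm >/dev/null 2>&1 && have_rpm=1
    suspicious=0

    for d in $dirs; do
        for f in "$d"/libkeyutils.so*; do
            # An unmatched glob yields the literal pattern; skip it.
            [ -e "$f" ] || [ -L "$f" ] || continue
            name=$(basename "$f")
            if [ "$name" = "$KNOWN_BAD_NAME" ]; then
                suspicious=1
                printf 'SUSPECT (known backdoor name): %s\n' "$f"
                ls -la "$f"
            elif [ "$have_rpm" -eq 1 ]; then
                # A legitimate copy of the library is owned by a package;
                # rpm -qf fails for a file that no package installed.
                if owner=$(rpm -qf "$f" 2>/dev/null); then
                    printf 'ok (owned by %s): %s\n' "$owner" "$f"
                else
                    suspicious=1
                    printf 'SUSPECT (not owned by any package): %s\n' "$f"
                    ls -la "$f"
                fi
            else
                # Without rpm we can only report presence, not ownership.
                printf 'present, ownership not checked (no rpm): %s\n' "$f"
            fi
        done
    done
    return "$suspicious"
}

# Scan the given (or default) directories; the exit status carries the result.
check_libkeyutils "$@"
```

Run it as a script to scan the default directories, or pass directories as arguments; an exit status of 1 means something was flagged, which makes it easy to call from cron or a monitoring check. The script deliberately only reports: the thread itself notes that deleting the file does not close the hole the attacker came in through.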

Offline Wildman

  • PCLinuxOS Tester
  • Hero Member
  • Posts: 7548
  • Symphony for a Unstrung Tongue
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #4 on: February 20, 2013, 10:53:10 AM »
Oh crap, another to keep up with....Thanks,  :)
Happiness is not having what you want, but wanting what you have!

Joe Gable, "Joble" Was my Friend..
Dave "Exwintech" has also gone on...
Linux Counter #288984

Offline AndrzejL
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #5 on: February 20, 2013, 11:06:26 AM »
Hehe well there is no reason to panic. The hole will be found and patched soonish.

Common sense usage is a must ;). Example: I never log into my server from unknown machines or use clients of unknown origin. I use only my mobile phone to connect to SSH, and that's only done when I really need it. Root login is forbidden, the port number is changed, only certain users are allowed to use ssh... I do what I can to stay safe...

Regards.

Andrzej

Offline AndrzejL

Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #6 on: February 20, 2013, 11:20:59 AM »
Some more interesting info here and here.

Regards.

Andrzej
« Last Edit: February 20, 2013, 11:41:03 AM by AndrzejL »

Offline AndrzejL
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #7 on: February 21, 2013, 07:52:34 AM »
Some more info and (possibly working) removal instructions are available here.

Regards.

Andrzej

Offline kjpetrie
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #8 on: February 21, 2013, 10:52:10 AM »
Those removal commands should probably be chained with '&&'s to minimise the delay between running them. The sync command ensures you don't corrupt the file system by rebooting (and fsck doesn't undo the changes on reboot).

So it probably uses Windows machines as the weak link to target Linux. So much for the gloating of Win fanbois!
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf

Offline AndrzejL
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #9 on: February 24, 2013, 12:25:08 PM »
Additional possibly related info - cPanel Inc. Server Compromised.

Regards.

Andrzej

taelti

  • Guest
Re: Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...
« Reply #10 on: February 25, 2013, 11:57:16 PM »
Quote
Additional possibly related info - cPanel Inc. Server Compromised.

Regards.

Andrzej

Clear here! Thank you.