0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 (Warning)

Status
Not open for further replies.

Loonycgb2

HOW TO FIND OUT IF YOU HAVE BEEN ROOTED:

Code:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9

ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9

If you find the file and RPM shows “is not owned by any package” you have been rooted.


http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/


P.S. I have seen the original maker's comment on this exploit, and it is being forced onto the system by Perl attacks, so please disable compilers and also limit Perl to root by chmod, or else you will get rooted.
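
The check from the first post as a script (an added example, not part of the original thread): it goes slightly beyond the two commands by looking at every libkeyutils.so* name in /lib and /lib64 and reporting which ones no RPM package owns. The function names and the optional root argument (for a mounted disk image) are assumptions of this example, and it assumes /lib and /lib64 are real directories, as on the CentOS releases the thread concerns.

```shell
#!/bin/sh
# Added example: flag libkeyutils shared objects that no RPM package owns.
# pkg_owner, scan_keyutils and the ROOT argument are names chosen for this example.

# Ask the RPM database under root $1 which package owns path $2.
# rpm exits non-zero when the file "is not owned by any package".
pkg_owner() {
    rpm --root "$1" -qf "$2" 2>/dev/null
}

# Scan ROOT/lib and ROOT/lib64 (ROOT defaults to /).
# Prints one line per file: "OWNED <path> <package>" or "UNOWNED <path>".
# Returns 1 if any unowned file was found, 0 otherwise.
scan_keyutils() {
    local root="${1:-/}" dir f rel owner rc=0
    root="${root%/}"                      # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    for dir in /lib /lib64; do
        for f in "$root$dir"/libkeyutils.so*; do
            # Skip the literal pattern left behind when the glob matches nothing
            [ -e "$f" ] || [ -L "$f" ] || continue
            rel="${f#"$root"}"            # path as the RPM database records it
            if owner="$(pkg_owner "${root:-/}" "$rel")"; then
                echo "OWNED $rel $owner"
            else
                echo "UNOWNED $rel"
                rc=1
            fi
        done
    done
    return $rc
}

# Scan the live system only when asked to: ./check_keyutils.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_keyutils /
fi
```

On a host that may already be rooted, the local rpm binary and its database are not trustworthy, so the result is more reliable when the disk is mounted on a known-good system and its mount point is passed as the root argument.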
 
7 comments
Has anyone here found their box rooted?

I thought this thread would have loads of replies with all the web-hosts around.
 
Very few of them know anything about system administration. They throw up the appropriate newb-friendly panels and start selling hosting; it's surprising how few of them understand their own product/service.

Anyhow, seems it's a serious(ish) vuln, I suppose.
 
Well, being that some users are not well equipped with the knowledge to keep from being rooted, the easiest possible solution to stopping this from happening is creating one of those files on your server and chmod it to something that cannot be used by the system account.
 