Our servers were infected by the libkeyutils virus. Some of the servers had this file libkeyutils.so.1.9. Other servers that were infected had a libkeyutils.so file with a different version. A cPanel analyst told us to run the following command to check for the virus:
strings full_path_of_libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'
Just checking for the libkeyutils.so.1.9 file alone is not enough to confirm the virus. Each libkeyutils.so file must be checked for the presence of network-related functions. The above command basically checks for networking-related functions in the libkeyutils.so file. These functions are not present in the default libkeyutils.so file and can be used for spamming, allowing SSH access, etc. The command "strings" can be found in the binutils package. The following command can be used to locate all libkeyutils.so files:
locate libkeyutils.so
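As an added example (not part of the thread, and not cPanel's or any distribution's own tooling), the POSIX shell script below automates the analyst's check across a directory tree: it finds every libkeyutils.so* file, extracts printable strings (binutils `strings` when installed, otherwise `grep -a` as a fallback, which is an assumption of this script rather than something the thread suggests) and flags files matching the same pattern. The sample tree it builds contains constructed text files, not real libraries; the directory names and contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: automate the libkeyutils.so check
# across a directory tree. The pattern is the one the cPanel analyst gave.
PATTERN='connect|socket|gethostbyname|inet_ntoa'

# Printable strings of a file. Uses binutils `strings` when installed;
# otherwise falls back to grep -a, which treats the binary as text
# (assumed fallback, not part of the original check).
dump_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        grep -a -o -E '[[:print:]]{4,}' "$1"
    fi
}

# is_suspicious FILE: status 0 if the file contains any of the
# networking-related names, 1 if none are found (as in stock libkeyutils).
# A match is a lead, not proof: "connect" also occurs inside longer names,
# so confirm with the package manager before acting on it.
is_suspicious() {
    dump_strings "$1" | grep -q -E "$PATTERN"
}

# scan_tree DIR...: report every libkeyutils.so* found under the given
# directories and return the number of suspicious files (0 = all clean;
# the status wraps above 255, which does not matter for a handful of libs).
scan_tree() {
    suspects=0
    old_ifs=$IFS
    IFS='
'
    for f in $(find "$@" -type f -name 'libkeyutils.so*' 2>/dev/null); do
        if is_suspicious "$f"; then
            hits=$(dump_strings "$f" | grep -E "$PATTERN" | sort -u | tr '\n' ' ')
            echo "SUSPECT: $f ($hits)"
            suspects=$((suspects + 1))
        else
            echo "clean:   $f"
        fi
    done
    IFS=$old_ifs
    return "$suspects"
}

# count_suspects DIR...: same scan, but prints the count instead of
# returning it, which is handier in scripts.
count_suspects() {
    n=0
    scan_tree "$@" >/dev/null || n=$?
    echo "$n"
}

# Constructed sample tree for a stand-alone run (plain text, not real
# libraries): one file with only keyutils symbol names, one that also
# carries the networking names the analyst's pattern looks for.
make_samples() {
    mkdir -p "$1/lib" "$1/lib64"
    printf 'keyctl\nadd_key\nrequest_key\nkeyctl_read\n' > "$1/lib/libkeyutils.so.1.4"
    printf 'keyctl\nadd_key\nsocket\ngethostbyname\ninet_ntoa\n' > "$1/lib64/libkeyutils.so.1.9"
}

# Demo on the constructed tree. On a real host run e.g.: scan_tree /usr /lib /lib64
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_tree "$demo_dir" || echo "suspicious files: $?"
rm -rf "$demo_dir"
```

A string hit should be confirmed against the package manager rather than trusted on its own: on Arch, `pacman -Qo /usr/lib/libkeyutils.so.1.4` shows which package owns the file and `pacman -Qkk keyutils` verifies the installed files against the package's recorded checksums; on cPanel's RHEL-derived hosts, `rpm -qf` and `rpm -V keyutils-libs` do the same. Since the script relies on the host's own `find`, `strings` and `grep`, running it from rescue media (or against a mounted image) avoids trusting binaries on a box that may already be compromised.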
Thanks for the info nadir.latif.
[root@wishmacer andrzejl]# updatedb
[root@wishmacer andrzejl]# locate libkeyutils.so
/usr/lib/libkeyutils.so
/usr/lib/libkeyutils.so.1
/usr/lib/libkeyutils.so.1.4
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so.1 | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so.1.4 | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]#
It seems that I am fine...
Regards.
Andrzej
strings full_path_of_libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'
Just checking for the libkeyutils.so.1.9 file alone is not enough to confirm the virus. Each libkeyutils.so file must be checked for the presence of network-related functions. The above command basically checks for networking-related functions in the libkeyutils.so file. These functions are not present in the default libkeyutils.so file and can be used for spamming, allowing SSH access, etc. The command "strings" can be found in the binutils package. The following command can be used to locate all libkeyutils.so files:
locate libkeyutils.so
Thanks for pointing it out.
Additional info possibly related to the topic: http://blog.sucuri.net/2013/02/cpanel-i … mised.html
Regards.
Andrzej
]]>Pierre wrote:It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html
I am sorry but I do not understand... Should I modify the first post in this thread and change its content to a quote?
You start the thread with "Many users have ..." and I think Pierre suggested that you state the post being a quote right at the beginning too and maybe clarify the term "user" so that it cannot be misinterpreted that _Arch_ users are referred to there, but that it refers to Linux users or specifically users from that _webhosting_forum_ which you then link/quote from further.
To be fair to that journalist: he links this thread later as a summary of a "first analysis" when he mentions that specific IP address and a bit of bash from your post. However, there is a mention of Arch users reporting being affected earlier in the article (before the link and right before Debian ..) and this might (or might not) have been due to a misunderstanding of that "users" term in the post.
Still, articles like this really make me question the intelligence of journalism today. I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?
This might be my English (or google translate from german), but am I missing something?
Also, keep in mind that apart from compromised admin machines, the other 2 attack vectors included a vulnerability in linux <=3.7.4 and exim <=4.80. Both of these were fixed in arch a long time ago. However, I do expect this rootkit to be added to the RKHunter database soonish...
It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html
I am sorry but I do not understand... Should I modify the first post in this thread and change its content to a quote?
I don't think guys from Niebezpiecznik.pl will cause any trouble... They are cool.
Regards.
Andrzej
It could be the mailman at archlinux.org, arch-general, the bbs like in this case, users choice.
What's the Keep-It-Secure-and-Stable (KISS ;-) direction?
Since arch uses vanilla packages, just read lists from http://seclists.org, e.g. bugtraq, I think
Surely the distro can do without a dedicated security mailbox/mailing list. A developer being the first to reply to this thread just proves the point. But I thought earlier that Arch needs a clear statement about a preferred way how to communicate security issues like this. (Did I overread it?) It should consider background noise for the involved of course. And if it includes a disclaimer on the maintainers' behalf, that's obviously fine and clear communication as well.
It could be the mailman at archlinux.org, arch-general, the bbs like in this case, users choice.
What's the Keep-It-Secure-and-Stable (KISS ;-) direction?
Still, articles like this really make me question the intelligence of journalism today. I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?
I agree 100%
That was not this thread's fault it was the journalist's fault.
I guess this really just goes back to the reason Arch does not have a security advisory mailing list. Arch is vanilla so there is no need because upstream already has these mailing lists.
It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html
Boy, I was hesitant about saying anything but if this is happening.... (figured if Allan is cool with it then, okay)
I don't see any reason for this thread to exist on these forums.
This should just be emailed to the full disclosure mailing list and leave it at that.
Regards.
Andrzej