Backdoor imitating ssh on RH/Centos boxes

AndrzejL · 2013-02-20 10:47:18

Niebezpiecznik.pl wrote:

Many users have reported that on some servers they have noticed suspicious file: libkeyutils.so.1.9 The only "symptom" so far is the fact that from those servers from time to time spam is being sent but everything indicates that the attackers gained root on the machines and can start using them for any other purpose anytime...
No one knows how the file gets on the server. Some say that right after the file was detected they have "burned the machines to the ground" and got fresh systems installed just to find out that the file was there few minutes later. This might suggest attack from the administrators machine. Infected administrator logs into the remote machine and unwillingly / unknowingly places the backdoor on the remote machine. Logs indicate that the attack is performed automatically.
How to check if You were 'rooted'?
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9
Those files should not exist.
or:
su -c "updatedb" && locate libkeyutils.so.1.9
There should be no output:
[andrzejl@wishmacer ~]$ su -c "updatedb" && locate libkeyutils.so.1.9
Password:
[andrzejl@wishmacer ~]$
Backdoor analysis - is it a 0day attack?
One of the reddit users analyzed the file and found encoded IP in it:
$ ./audit libkeyutils.so.1.9 output
$ strings output |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
78.47.139.110
IP points to domain: RUBOP.COM, which belongs to:
Administrative Contact:
Ibragimov, Sergey pmadison12 at gmail dot com
Polanskay 11
Moskow, Russia 11223
Additionally some users report that some of the backdoored systems during the SSH connection are sending packets to 72.156.139.154 on port 53/UDP (containing users data - plain-text login credentials...)
It was confirmed that problems exist in distros based on RHEL and with the cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-56-71, remote code execution in Exim.
Removing the libkeyutils.so.1.9 file from Your server is not really solving anything... Atacker somehow had to access the machine so without knowing the point of entry and patching it You are still vulnerable. There is no confirmed info about which vulnerability attackers are using, is it old - known vulnerability or 0day...

Source: http://niebezpiecznik.pl/post/backdoor- … ls-so-1-9/

Regards.

Andrzej

Last edited by AndrzejL (2013-02-24 19:13:47)

Allan · 2013-02-20 10:57:41

AndrzejL wrote:

rpm -qf /lib64/libkeyutils.so.1.9

Probably won't work...

AndrzejL · 2013-02-20 11:10:46

Allan wrote:

AndrzejL wrote:
rpm -qf /lib64/libkeyutils.so.1.9
Probably won't work...

Indeed it won't work on Arch ;D... but I have posted the translation of the original article and wanted to keep it as vanilla as possible + if some of Arch users have rpm based machines - this may be handy as well .

Regards.

Andrzej

AndrzejL · 2013-02-20 18:33:41

Some more interesting info here and here.

Regards.

Andrzej

Last edited by AndrzejL (2013-02-20 18:38:24)

Nisstyre56 · 2013-02-20 20:44:46

Is this only taking place on VPSes and shared servers, or dedicated boxes as well? Because if the former is true, then I might suspect (given the fact that there's a wide variety of software people are using) that the service providers themselves have been compromised in some way, or the attackers have figured out how to exploit the virtualization software. There is of course the possibility that this is a problem with their workstation, but apparently some people were using RSA keys (presumably passworded, although I guess that wouldn't matter if there was a keylogger present). Checking to see if it happens after re-installing and using a known clean computer to log in would confirm/disconfirm that theory.

Leonid.I · 2013-02-20 22:51:36

AndrzejL wrote:

It was confirmed that problems exist in distros based on RHEL and with the cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-56-71, remote code execution in Exim.

If this is true, current installs of archlinux are NOT vulnerable because community/exim has been updated to 4.80.1 on 10/29/2012 (3 days after upstream release). See https://lists.exim.org/lurker/message/2 … 7b.en.html.

AndrzejL · 2013-02-21 14:50:56

Some more info and (possibly working) removal instructions are available here.

Regards.

Andrzej

Pierre · 2013-02-21 19:11:26

It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html

radopi · 2013-02-22 06:05:49

Today a Whois on the IP says, that the IP is owned by a German Webhoster(Hetzner Online AG).

hunterthomson · 2013-02-22 07:00:29

Pierre wrote:

It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html

Boy, I was hesitant about saying anything but if this is happening.... (figured if Allan is cool with it then, okay)

I don't see any reason for this thread to exist on these forms.
This should just be emailed to the full discloser mailing list and leave it at that.

Last edited by hunterthomson (2013-02-22 07:02:28)

WonderWoofy · 2013-02-22 07:05:15

Still, articles like this really make me question the intelligence of journalism today. I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?

hunterthomson · 2013-02-22 07:59:38

WonderWoofy wrote:

Still, articles like this really make me question the intelligence of journalism today. I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?

I agree 100%

That was not this thread's fault it was the journalist's fault.

I guess this really just goes back to the reason Arch dose not have a security advisory mailing list. Arch is vanilla so there is no need because upstream already has these mailing lists.

Last edited by hunterthomson (2013-02-22 08:01:18)

Strike0 · 2013-02-22 10:52:53

+1 to the above, but I have a question linked to this:

Surely the distro can do without a dedicated security mailbox/mailing list. A developer being the first to reply to this thread just proves the point. But I thought earlier that Arch needs a clear statement about a preferred way how to communicate security issues like this. (Did I overread it?) It should consider background noise for the involved of course. And if it includes a disclaimer on the maintainers behalf, that's obviously fine and clear communication as well.

It could be the mailman at archlinux.org, arch-general, the bbs like in this case, users choice.
What's the Keep-It-Secure-and-Stable (KISS ;-) direction?

progandy · 2013-02-22 11:03:51

It could be the mailman at archlinux.org, arch-general, the bbs like in this case, users choice.
What's the Keep-It-Secure-and-Stable (KISS ;-) direction?

Since arch uses vanilla packages, just read lists from http://seclists.org, e.g. bugtraq, I think

AndrzejL · 2013-02-22 12:55:45

Pierre wrote:

It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html

I am sorry but I do not understand... Should I modify the first post in this thread and change it's content to quote?

I don't think guys from Niebezpiecznik.pl will cause any trouble... They are cool.

Regards.

Andrzej

Leonid.I · 2013-02-22 17:16:03

WonderWoofy wrote:

Still, articles like this really make me question the intelligence of journalism today. I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?

This might be my English (or google translate from german), but am I missing something?

Also, keep in mind that apart from compromised admin machines, the other 2 attack vectors included vulnerability in linux <=3.7.4 and exim <=4.80. Both of these were fixed in arch long time ago. However, I do expect this rootkit to be added to RKHunter database soonish...

Cavedude · 2013-02-23 05:53:04

Scary sh*t. That's all I'll say!

Strike0 · 2013-02-23 10:44:53

AndrzejL wrote:

Pierre wrote:
It might be better to clearly mark this post as a quote. A german magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html
I am sorry but I do not understand... Should I modify the first post in this thread and change it's content to quote?

You start the thread with "Many users have ..." and I think Pierre suggested that you state the post being a quote right at the beginning too and maybe clarify the term "user" so that it cannot be misinterpreted that _Arch _users are referred to there. But that it is referred to Linux users or specifically users from that _webhosting_forum_ which you then link/quote from further.

To be fair to that journalist: he links this thread later as a summary of a "first analysis" when he mentions that specific IP address and a bit bash from your post. However, there is a mention of Arch users reporting being affected earlier in the article (before the link and right before Debian ..) and this might (or might not) have been due a misunderstanding of that "users" term in the post.

AndrzejL · 2013-02-24 19:18:40

@ Strike0 - thanks for the clarification and apologies for causing the confusion. Now I understand what the problem / issue was and I have amended the first post - hopefully it's better now. Never tried to imply that ArchLinux users were affected by the backdoor. I should have thought about making it a quote in the first place.

Thanks for pointing it out.

Additional info possibly related to the topic: http://blog.sucuri.net/2013/02/cpanel-i … mised.html

Regards.

Andrzej

Last edited by AndrzejL (2013-02-24 19:19:35)

nadir.latif · 2013-02-25 00:06:55

our servers were infected by the libkeyutils virus. some of the servers had this file libkeyutils.so.1.9. other servers that were infected had a libkeyutils.so file with a different version. a cpanel analyst told us to run following command to check for the virus:

strings full_path_of_libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'

just checking for libkeyutils.so.1.9 file alone is not enough to confirm the virus. each libkeyutils.so file must be checked for presence of network related functions. the above command basically checks for networking related functions in the libkeyutils.so file. these functions are not present in the default libkeyutils.so file and can be used for spamming, allowing ssh access etc.the command "strings" can be found in binutils package. the following command can be used to locate all libkeyutils.so files:

locate libkeyutils.so

Last edited by nadir.latif (2013-02-25 07:24:37)

AndrzejL · 2013-02-25 09:02:32

nadir.latif wrote:

our servers were infected by the libkeyutils virus. some of the servers had this file libkeyutils.so.1.9. other servers that were infected had a libkeyutils.so file with a different version. a cpanel analyst told us to run following command to check for the virus:
strings full_path_of_libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'
just checking for libkeyutils.so.1.9 file alone is not enough to confirm the virus. each libkeyutils.so file must be checked for presence of network related functions. the above command basically checks for networking related functions in the libkeyutils.so file. these functions are not present in the default libkeyutils.so file and can be used for spamming, allowing ssh access etc.the command "strings" can be found in binutils package. the following command can be used to locate all libkeyutils.so files:
locate libkeyutils.so

Thanks for the info nadir.latif.

Terminal Output wrote:

[root@wishmacer andrzejl]# updatedb
[root@wishmacer andrzejl]# locate libkeyutils.so
/usr/lib/libkeyutils.so
/usr/lib/libkeyutils.so.1
/usr/lib/libkeyutils.so.1.4
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so.1 | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so.1.4 | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]#

It seems that I am fine...

Regards.

Andrzej

Last edited by AndrzejL (2013-02-25 09:03:16)

Arch Linux

#1 2013-02-20 10:47:18

Backdoor imitating ssh on RH/Centos boxes

#2 2013-02-20 10:57:41

Re: Backdoor imitating ssh on RH/Centos boxes

#3 2013-02-20 11:10:46

Re: Backdoor imitating ssh on RH/Centos boxes

#4 2013-02-20 18:33:41

Re: Backdoor imitating ssh on RH/Centos boxes

#5 2013-02-20 20:44:46

Re: Backdoor imitating ssh on RH/Centos boxes

#6 2013-02-20 22:51:36

Re: Backdoor imitating ssh on RH/Centos boxes

#7 2013-02-21 14:50:56

Re: Backdoor imitating ssh on RH/Centos boxes

#8 2013-02-21 19:11:26

Re: Backdoor imitating ssh on RH/Centos boxes

#9 2013-02-22 06:05:49

Re: Backdoor imitating ssh on RH/Centos boxes

#10 2013-02-22 07:00:29

Re: Backdoor imitating ssh on RH/Centos boxes

#11 2013-02-22 07:05:15

Re: Backdoor imitating ssh on RH/Centos boxes

#12 2013-02-22 07:59:38

Re: Backdoor imitating ssh on RH/Centos boxes

#13 2013-02-22 10:52:53

Re: Backdoor imitating ssh on RH/Centos boxes

#14 2013-02-22 11:03:51

Re: Backdoor imitating ssh on RH/Centos boxes

#15 2013-02-22 12:55:45

Re: Backdoor imitating ssh on RH/Centos boxes

#16 2013-02-22 17:16:03

Re: Backdoor imitating ssh on RH/Centos boxes

#17 2013-02-23 05:53:04

Re: Backdoor imitating ssh on RH/Centos boxes

#18 2013-02-23 10:44:53

Re: Backdoor imitating ssh on RH/Centos boxes

#19 2013-02-24 19:18:40

Re: Backdoor imitating ssh on RH/Centos boxes

#20 2013-02-25 00:06:55

Re: Backdoor imitating ssh on RH/Centos boxes

#21 2013-02-25 09:02:32

Re: Backdoor imitating ssh on RH/Centos boxes

Board footer