
#1 2013-02-20 10:47:18

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Backdoor imitating ssh on RH/Centos boxes

Niebezpiecznik.pl wrote:

Many users have reported that on some servers they have noticed a suspicious file: libkeyutils.so.1.9. The only "symptom" so far is the fact that from those servers from time to time spam is being sent, but everything indicates that the attackers gained root on the machines and can start using them for any other purpose anytime...

No one knows how the file gets on the server. Some say that right after the file was detected they "burned the machines to the ground" and got fresh systems installed, just to find out that the file was there a few minutes later. This might suggest an attack from the administrator's machine. An infected administrator logs into the remote machine and unwillingly / unknowingly places the backdoor on the remote machine. Logs indicate that the attack is performed automatically.

How to check if You were 'rooted'?

ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9

Those files should not exist.

or:

su -c "updatedb" && locate libkeyutils.so.1.9

There should be no output:

[andrzejl@wishmacer ~]$ su -c "updatedb" && locate libkeyutils.so.1.9
Password:
[andrzejl@wishmacer ~]$

Backdoor analysis - is it a 0day attack?

One of the reddit users analyzed the file and found encoded IP in it:

$ ./audit libkeyutils.so.1.9 output
$ strings output |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
78.47.139.110

IP points to domain: RUBOP.COM, which belongs to:

Administrative Contact:
Ibragimov, Sergey pmadison12 at gmail dot com
Polanskay 11
Moskow, Russia 11223

Additionally some users report that some of the backdoored systems, during the SSH connection, are sending packets to 72.156.139.154 on port 53/UDP (containing users' data - plain-text login credentials...)

It was confirmed that problems exist in distros based on RHEL and with the cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-56-71, remote code execution in Exim.

Removing the libkeyutils.so.1.9 file from Your server is not really solving anything... The attacker somehow had to access the machine, so without knowing the point of entry and patching it You are still vulnerable. There is no confirmed info about which vulnerability the attackers are using, whether it is an old, known vulnerability or a 0day...

Source: http://niebezpiecznik.pl/post/backdoor- … ls-so-1-9/

Regards.

Andrzej

Last edited by AndrzejL (2013-02-24 19:13:47)


The worst thing about censorship is ██████ ██ ████ ████████████ and ██████ ███████ ███ ███████████.


#2 2013-02-20 10:57:41

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,473
Website

Re: Backdoor imitating ssh on RH/Centos boxes

AndrzejL wrote:
rpm -qf /lib64/libkeyutils.so.1.9

Probably won't work...  tongue


#3 2013-02-20 11:10:46

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: Backdoor imitating ssh on RH/Centos boxes

Allan wrote:
AndrzejL wrote:
rpm -qf /lib64/libkeyutils.so.1.9

Probably won't work...  tongue

Indeed it won't work on Arch ;D... but I have posted the translation of the original article and wanted to keep it as vanilla as possible + if some Arch users have rpm-based machines, this may be handy as well smile.

Regards.

Andrzej




#4 2013-02-20 18:33:41

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: Backdoor imitating ssh on RH/Centos boxes

Some more interesting info here and here.

Regards.

Andrzej

Last edited by AndrzejL (2013-02-20 18:38:24)




#5 2013-02-20 20:44:46

Nisstyre56
Member
From: Canada
Registered: 2010-03-25
Posts: 85

Re: Backdoor imitating ssh on RH/Centos boxes

Is this only taking place on VPSes and shared servers, or dedicated boxes as well? Because if the former is true, then I might suspect (given the fact that there's a wide variety of software people are using) that the service providers themselves have been compromised in some way, or the attackers have figured out how to exploit the virtualization software. There is of course the possibility that this is a problem with their workstation, but apparently some people were using RSA keys (presumably passworded, although I guess that wouldn't matter if there was a keylogger present). Checking to see if it happens after re-installing and using a known clean computer to log in would confirm/disconfirm that theory.


In Zen they say: If something is boring after two minutes, try it for four. If still boring, try it for eight, sixteen, thirty-two, and so on. Eventually one discovers that it's not boring at all but very interesting.
~ John Cage


#6 2013-02-20 22:51:36

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Backdoor imitating ssh on RH/Centos boxes

AndrzejL wrote:

It was confirmed that problems exist in distros based on RHEL and with the cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-56-71, remote code execution in Exim.

If this is true, current installs of archlinux are NOT vulnerable because community/exim has been updated to 4.80.1 on 10/29/2012 (3 days after upstream release). See https://lists.exim.org/lurker/message/2 … 7b.en.html.


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#7 2013-02-21 14:50:56

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: Backdoor imitating ssh on RH/Centos boxes

Some more info and (possibly working) removal instructions are available here.

Regards.

Andrzej




#8 2013-02-21 19:11:26

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964
Website

Re: Backdoor imitating ssh on RH/Centos boxes

It might be better to clearly mark this post as a quote. A German magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html


#9 2013-02-22 06:05:49

radopi
Member
Registered: 2013-02-22
Posts: 3

Re: Backdoor imitating ssh on RH/Centos boxes

Today a whois on the IP says that the IP is owned by a German web hoster (Hetzner Online AG).


#10 2013-02-22 07:00:29

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Backdoor imitating ssh on RH/Centos boxes

Pierre wrote:

It might be better to clearly mark this post as a quote. A German magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html

Boy, I was hesitant about saying anything but if this is happening.... (figured if Allan is cool with it then, okay)

I don't see any reason for this thread to exist on these forums.
This should just be emailed to the full disclosure mailing list and leave it at that.

Last edited by hunterthomson (2013-02-22 07:02:28)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#11 2013-02-22 07:05:15

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Backdoor imitating ssh on RH/Centos boxes

Still, articles like this really make me question the intelligence of journalism today.  I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?


#12 2013-02-22 07:59:38

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Backdoor imitating ssh on RH/Centos boxes

WonderWoofy wrote:

Still, articles like this really make me question the intelligence of journalism today.  I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?

I agree 100%

That was not this thread's fault it was the journalist's fault.

I guess this really just goes back to the reason Arch does not have a security advisory mailing list. Arch is vanilla so there is no need because upstream already has these mailing lists.

Last edited by hunterthomson (2013-02-22 08:01:18)




#13 2013-02-22 10:52:53

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,484

Re: Backdoor imitating ssh on RH/Centos boxes

+1 to the above, but I have a question linked to this:

Surely the distro can do without a dedicated security mailbox/mailing list. A developer being the first to reply to this thread just proves the point. But I thought earlier that Arch needs a clear statement about a preferred way of communicating security issues like this. (Did I overlook it?) It should consider background noise for those involved, of course. And if it includes a disclaimer on the maintainers' behalf, that's obviously fine and clear communication as well.

It could be the mailman at archlinux.org, arch-general, the bbs like in this case, users choice.
What's the Keep-It-Secure-and-Stable (KISS ;-) direction?


#14 2013-02-22 11:03:51

progandy
Member
Registered: 2012-05-17
Posts: 5,263

Re: Backdoor imitating ssh on RH/Centos boxes

It could be the mailman at archlinux.org, arch-general, the bbs like in this case, users choice.
What's the Keep-It-Secure-and-Stable (KISS ;-) direction?

Since arch uses vanilla packages, just read lists from http://seclists.org, e.g. bugtraq, I think wink


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#15 2013-02-22 12:55:45

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: Backdoor imitating ssh on RH/Centos boxes

Pierre wrote:

It might be better to clearly mark this post as a quote. A German magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html

I am sorry but I do not understand... Should I modify the first post in this thread and change its content to a quote?

I don't think guys from Niebezpiecznik.pl will cause any trouble... They are cool.

Regards.

Andrzej




#16 2013-02-22 17:16:03

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Backdoor imitating ssh on RH/Centos boxes

WonderWoofy wrote:

Still, articles like this really make me question the intelligence of journalism today.  I don't know how you read a thread like this and come to a conclusion like that... I mean really, WTF?

This might be my English (or google translate from german), but am I missing something? smile

Also, keep in mind that apart from compromised admin machines, the other 2 attack vectors included a vulnerability in linux <=3.7.4 and exim <=4.80. Both of these were fixed in arch a long time ago. However, I do expect this rootkit to be added to the RKHunter database soonish...




#17 2013-02-23 05:53:04

Cavedude
Member
Registered: 2011-12-21
Posts: 45

Re: Backdoor imitating ssh on RH/Centos boxes

Scary sh*t. That's all I'll say!


#18 2013-02-23 10:44:53

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,484

Re: Backdoor imitating ssh on RH/Centos boxes

AndrzejL wrote:
Pierre wrote:

It might be better to clearly mark this post as a quote. A German magazine has now posted a news article about Arch servers being hacked and linking to this post: http://www.golem.de/news/sicherheit-key … 97749.html

I am sorry but I do not understand... Should I modify the first post in this thread and change its content to a quote?

You start the thread with "Many users have ..." and I think Pierre suggested that you state the post being a quote right at the beginning too, and maybe clarify the term "user" so that it cannot be misinterpreted that _Arch users_ are referred to there, but that it refers to Linux users or specifically users from that _webhosting forum_ which you then link/quote from further.

To be fair to that journalist: he links this thread later as a summary of a "first analysis" when he mentions that specific IP address and a bit of bash from your post. However, there is a mention of Arch users reporting being affected earlier in the article (before the link and right before Debian ..) and this might (or might not) have been due to a misunderstanding of that "users" term in the post.


#19 2013-02-24 19:18:40

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: Backdoor imitating ssh on RH/Centos boxes

@ Strike0 - thanks for the clarification and apologies for causing the confusion. Now I understand what the problem / issue was and I have amended the first post - hopefully it's better now. Never tried to imply that ArchLinux users were affected by the backdoor. I should have thought about making it a quote in the first place.

Thanks for pointing it out.

Additional info possibly related to the topic: http://blog.sucuri.net/2013/02/cpanel-i … mised.html

Regards.

Andrzej

Last edited by AndrzejL (2013-02-24 19:19:35)




#20 2013-02-25 00:06:55

nadir.latif
Member
Registered: 2013-02-24
Posts: 1

Re: Backdoor imitating ssh on RH/Centos boxes

Our servers were infected by the libkeyutils virus. Some of the servers had this file libkeyutils.so.1.9. Other servers that were infected had a libkeyutils.so file with a different version. A cPanel analyst told us to run the following command to check for the virus:

strings full_path_of_libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'

Just checking for the libkeyutils.so.1.9 file alone is not enough to confirm the virus. Each libkeyutils.so file must be checked for the presence of network-related functions. The above command basically checks for networking-related functions in the libkeyutils.so file. These functions are not present in the default libkeyutils.so file and can be used for spamming, allowing ssh access etc. The command "strings" can be found in the binutils package. The following command can be used to locate all libkeyutils.so files:

locate libkeyutils.so

Last edited by nadir.latif (2013-02-25 07:24:37)


#21 2013-02-25 09:02:32

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: Backdoor imitating ssh on RH/Centos boxes

nadir.latif wrote:

Our servers were infected by the libkeyutils virus. Some of the servers had this file libkeyutils.so.1.9. Other servers that were infected had a libkeyutils.so file with a different version. A cPanel analyst told us to run the following command to check for the virus:

strings full_path_of_libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'

Just checking for the libkeyutils.so.1.9 file alone is not enough to confirm the virus. Each libkeyutils.so file must be checked for the presence of network-related functions. The above command basically checks for networking-related functions in the libkeyutils.so file. These functions are not present in the default libkeyutils.so file and can be used for spamming, allowing ssh access etc. The command "strings" can be found in the binutils package. The following command can be used to locate all libkeyutils.so files:

locate libkeyutils.so

Thanks for the info nadir.latif.

Terminal Output wrote:

[root@wishmacer andrzejl]# updatedb
[root@wishmacer andrzejl]# locate libkeyutils.so
/usr/lib/libkeyutils.so
/usr/lib/libkeyutils.so.1
/usr/lib/libkeyutils.so.1.4
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so.1 | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]# strings /usr/lib/libkeyutils.so.1.4 | egrep 'connect|socket|gethostbyname|inet_ntoa'
[root@wishmacer andrzejl]#

It seems that I am fine...

Regards.

Andrzej

Last edited by AndrzejL (2013-02-25 09:03:16)



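The two checks discussed in this thread (the rpm -qf ownership test from the first post and the strings | egrep symbol test from nadir.latif's post) combined into one defender-side script. This is an added example, not code from the thread or the quoted article; it assumes a POSIX sh with GNU or BSD find and tr, and uses pacman -Qqo as the Arch counterpart of rpm -qf.

```shell
#!/bin/sh
# Added example: list every libkeyutils.so* in the library directories, report
# whether the package manager owns it, and look for the network-related symbol
# names that a genuine libkeyutils does not contain. tr/grep replace strings(1)
# so that binutils is not required on the box being checked.

# Names from the cPanel analyst's command; -x below requires an exact match,
# so "disconnect" or "socketpair" are not counted as hits.
NET_SYMS='connect|socket|gethostbyname|inet_ntoa'

# has_net_syms FILE: print the suspicious names found (sorted, unique) and
# return 0; return 1 when none are present.
has_net_syms() {
    found=$(LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E -x "($NET_SYMS)" | sort -u)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# owner FILE: print the owning package, or "unowned" when no package claims it.
owner() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$1" 2>/dev/null) && printf '%s\n' "$pkg" || echo unowned
    elif command -v pacman >/dev/null 2>&1; then
        pkg=$(pacman -Qqo "$1" 2>/dev/null) && printf '%s\n' "$pkg" || echo unowned
    else
        echo "no rpm or pacman found"
    fi
}

# scan_dirs DIR...: check each libkeyutils.so* directly inside the given
# directories (-H follows a symlinked directory such as /lib -> usr/lib).
scan_dirs() {
    hits=0
    for f in $(find -H "$@" -maxdepth 1 -name 'libkeyutils.so*' 2>/dev/null); do
        link=''
        [ -L "$f" ] && link=" -> $(readlink "$f")"   # show what .so.1 points at
        printf '%s%s  (package: %s)\n' "$f" "$link" "$(owner "$f")"
        if syms=$(has_net_syms "$f"); then
            printf '  SUSPICIOUS, network symbols present: %s\n' "$(printf '%s' "$syms" | tr '\n' ' ')"
            hits=$((hits + 1))
        fi
    done
    echo "suspicious files: $hits"
}

# Scan the directories given on the command line, or the usual ones by default.
[ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
scan_dirs "$@"
```

An unowned libkeyutils.so.1.9 that also prints network symbol names matches the thread's description; a file that is merely unowned still deserves a look, since a clean rebuild can leave orphaned copies behind.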
