Hi all,
Some updates about the SSHd Exploit (libkeyutils.so.1.9):

The current thinking is that this is a cPanel problem. They have mailed their customer list saying that they've discovered a server in their support department which has been compromised and that anyone who has raised a ticket with them in the last 6 months and allowed cPanel personnel root access to their server is probably also compromised due to credential sniffing.

The attackers install a file /lib{,64}/libkeyutils.so.1.9 and then change the /lib{,64}/libkeyutils.so.1 symlink to point to their replacement library instead of the correct version (libkeyutils.so.1.2 on CentOS 5, libkeyutils.so.1.3 on CentOS 6).

If you have a cPanel server in your installation and have raised a ticket with them in the last year then it's worth checking all your servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9 should not exist and if it does then the chances are that you have been compromised. Running `rpm -V keyutils-libs` should return no output (meaning that everything verifies OK).

Source: https://www.centos.org/modules/newbb/viewtopic.php?topic_id=41606&forum=42

--
With best regards

Michael Stauber
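
The checks described in the message above, collected into one shell function as an added example (not part of the original post). The function name `check_keyutils` and its optional root argument for inspecting a mounted disk image are assumptions; the expected library names are the ones the message gives for CentOS 5 and 6, so the symlink check applies to those releases only.

```shell
#!/bin/sh
# Added example: compromise checks from the message, for CentOS 5/6 hosts.
# Usage: check_keyutils            (live system, also runs rpm -V)
#        check_keyutils /mnt/image (hypothetical mount point of an offline image)
# Prints one SUSPICIOUS line per finding; returns 0 if clean, 1 otherwise.
check_keyutils() {
    root="${1:-}"
    rc=0
    for dir in lib lib64; do
        d="$root/$dir"
        [ -d "$d" ] || continue
        # 1. The message states this file should not exist.
        if [ -e "$d/libkeyutils.so.1.9" ] || [ -L "$d/libkeyutils.so.1.9" ]; then
            echo "SUSPICIOUS: $d/libkeyutils.so.1.9 exists"
            rc=1
        fi
        # 2. The .so.1 symlink must point at the distribution's own library
        #    (1.2 on CentOS 5, 1.3 on CentOS 6), not at a replacement.
        link="$d/libkeyutils.so.1"
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            case "${target##*/}" in
                libkeyutils.so.1.2|libkeyutils.so.1.3) ;;
                *) echo "SUSPICIOUS: $link -> $target"; rc=1 ;;
            esac
        fi
    done
    # 3. Package verification: any output means a packaged file changed.
    #    Only run against the live system, where the rpm database is valid.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        out=$(rpm -V keyutils-libs 2>&1)
        if [ -n "$out" ]; then
            echo "SUSPICIOUS: rpm -V keyutils-libs reported:"
            echo "$out"
            rc=1
        fi
    fi
    return $rc
}
```

A clean result from a running host is weaker evidence than one from an offline image, since the tools used for the check run on the system being inspected.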