So is it confirmed that if we don't run cPanel we can turn SSH back on and start breathing again?
Thank you very much for your research and messages.

----- Original Message -----
From: "Michael Stauber" <mstau...@blueonyx.it>
To: "BlueOnyx General Mailing List" <blueonyx@mail.blueonyx.it>
Sent: Monday, February 25, 2013 7:40 PM
Subject: [BlueOnyx:12297] Re: SSHd Exploit (libkeyutils.so.1.9)

> Hi all,
>
> Some updates about the SSHd Exploit (libkeyutils.so.1.9):
>
> The current thinking is that this is a cPanel problem. They have mailed
> their customer list saying that they've discovered a server in their
> support department which has been compromised and that anyone who has
> raised a ticket with them in the last 6 months and allowed cPanel
> personnel root access to their server is probably also compromised due
> to credential sniffing. The attackers install a file
> /lib{,64}/libkeyutils.so.1.9 and then change the
> /lib{,64}/libkeyutils.so.1 symlink to point to their replacement library
> instead of the correct version (libkeyutils.so.1.2 on CentOS 5,
> libkeyutils.so.1.3 on CentOS 6).
>
> If you have a cPanel server in your installation and have raised a
> ticket with them in the last year then it's worth checking all your
> servers for traces of compromise. The file /lib{,64}/libkeyutils.so.1.9
> should not exist and if it does then the chances are that you have been
> compromised. Running `rpm -V keyutils-libs` should return no output
> (meaning that everything verifies OK).
>
> Source:
> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=41606&forum=42
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx@mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
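A script that checks the indicators named in the quoted message (the rogue libkeyutils.so.1.9 file, a redirected libkeyutils.so.1 symlink, and a non-empty `rpm -V keyutils-libs`), added here as an example and not code from the thread, cPanel or BlueOnyx. It assumes the library directories are /lib and /lib64 and that the only legitimate symlink targets are libkeyutils.so.1.2 and libkeyutils.so.1.3 as stated above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks one library directory
# for the two on-disk indicators described in the quoted message.
# Returns 0 when the directory looks clean and 1 when something is suspicious.
check_keyutils_dir() {
    dir="$1"
    status=0
    # Indicator 1: the replacement library itself should never be present.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        status=1
    fi
    # Indicator 2: libkeyutils.so.1 must point at the vendor library
    # (libkeyutils.so.1.2 on CentOS 5, libkeyutils.so.1.3 on CentOS 6).
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case "$target" in
            libkeyutils.so.1.2|libkeyutils.so.1.3) ;;
            *) echo "SUSPICIOUS: $dir/libkeyutils.so.1 -> $target"; status=1 ;;
        esac
    fi
    return $status
}

# Walk the real library directories, then let rpm verify the package files
# against its database; rpm -V prints nothing when everything verifies OK.
audit_keyutils() {
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] && { check_keyutils_dir "$d" || rc=1; }
    done
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -V keyutils-libs 2>&1)
        if [ -n "$out" ]; then
            echo "rpm -V keyutils-libs reported differences:"
            echo "$out"
            rc=1
        fi
    fi
    return $rc
}

# Invoke as "sh check_keyutils.sh --run" on the host being audited (hypothetical file name).
if [ "${1:-}" = "--run" ]; then
    audit_keyutils
fi
```

A clean host prints nothing and exits 0; any printed SUSPICIOUS line or rpm output is a reason to treat the server as compromised and rebuild it rather than just remove the file.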