We are currently still tracing this exploit and here is what we do know so far:
HOW TO FIND OUT IF YOU HAVE BEEN ROOTED:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9
If you find the file and RPM shows “is not owned by any package” you have been rooted.
Currently known affected OSes: RHEL-based servers
Currently known affected control panels: cPanel, DirectAdmin, and Plesk
Servers with ksplice have been exploited.
WHAT WE KNOW:
- I have scoured over CVEs for the Linux kernel up to the latest 3.x version and I didn't see anything relevant that would cause it in the CentOS kernels.
- SSHDs running on non-standard ports have been compromised.
- We think it is some daemon exploit and not a privilege escalation via the kernel. Given that some boxes running CageFS were exploited — if the exploit were delivered via an end-user account, /lib & /lib64 wouldn't be available to the attacker (it would be a copy of those directories instead). So, unless the hacker explicitly made a workaround to deal with CageFS (which is probably possible with a ptrace kernel exploit, but highly unlikely), that library would never make it to /lib & /lib64.
- The data sent over that port 53 connection is not a normal DNS packet, as far as I can tell.
- Servers with the latest CentOS/CloudLinux have been compromised, both versions 5 and 6.
- The earliest server I have seen exploited was in late December.
- The strings differ and keep changing between samples of libkeyutils.so.1.9. One sample was reported not to have the external port 53 call compiled in.
- The connections are not typically logged in /var/log/secure UNLESS you raise the log level to verbose. I originally found the connections using lsof, which is also how I tracked down the outbound SMTP connections.
- When you strace sshd and log in to the server normally, there is an outbound port 53 connection to an IP address that is not in /etc/resolv.conf.
INITIAL FINDINGS:
root@server [~]# rpm -qf `lsof -p 785953 | grep lib | awk '{print $9}'`
glibc-2.12-1.80.el6_3.7.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nspr-4.9.2-0.el6_3.1.x86_64
nss-util-3.13.6-1.el6_3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
krb5-libs-1.9-33.el6_3.3.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
nss-3.13.5-1.el6_3.x86_64
libcom_err-1.41.12-12.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
zlib-1.2.3-27.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
openssl-1.0.0-25.el6_3.1.x86_64
libselinux-2.0.94-5.3.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
pam-1.1.1-10.el6_2.1.x86_64
audit-libs-2.2-2.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
glibc-2.12-1.80.el6_3.7.x86_64
EXPLOITED FILE CONTAINS:
The malicious library contains networking-related code:
[root@server1 ~]# strings libkeyutils.so.1.9 | egrep 'connect|socket|inet_ntoa|gethostbyname'
gethostbyname
socket
inet_ntoa
connect
CLEAN FILE:
whereas the original library does not:
[root@server1 ~]# strings libkeyutils-1.2.so | egrep 'connect|socket|inet_ntoa|gethostbyname'
[root@host ~]
SEEN LOGGED:
Feb 18 07:28:03 server1 snoopy[20446]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:03 server1 snoopy[20448]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:03 server1 snoopy[20449]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -i Feb 18 07
Feb 18 07:28:04 server1 snoopy[20452]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:04 server1 snoopy[20453]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi Feb 18 07
Feb 18 07:28:04 server1 snoopy[20454]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/cron
Feb 18 07:28:04 server1 snoopy[20455]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep Feb 18 07
Feb 18 07:28:05 server1 snoopy[20469]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20471]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /var/log/notify.log
Feb 18 07:28:05 server1 snoopy[20472]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/egrep]: egrep -vi 46.105.20.166|46.105.20.166
Feb 18 07:28:05 server1 snoopy[20473]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20474]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/rm]: rm -f /home/tmpp/q3def
Feb 18 07:28:05 server1 snoopy[20477]: [uid:0 sid:20392 tty: cwd:/root filename:/usr/bin/ssh]: ssh -G1 -V
Feb 18 07:28:05 server1 snoopy[20478]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep illegal
Feb 18 07:28:05 server1 snoopy[21505]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/cat]: cat /etc/redhat-release
Feb 18 07:28:05 server1 snoopy[21509]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -i UseLogin /etc/ssh/sshd_config
Feb 18 07:28:05 server1 snoopy[21510]: [uid:0 sid:20392 tty: cwd:/root filename:/bin/grep]: grep -v ^#
Feb 18 07:28:06 server1 snoopy[21517]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chown]: chown root:root libzz8d70
Feb 18 07:28:06 server1 snoopy[21518]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/chmod]: chmod 755 libzz8d70
Feb 18 07:28:06 server1 snoopy[21519]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libzz8d70 libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21520]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/ln]: ln -s libkeyutils.so.1.9 libkeyutils.so.n
Feb 18 07:28:06 server1 snoopy[21521]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/mv]: mv libkeyutils.so.n libkeyutils.so.1
Feb 18 07:28:06 server1 snoopy[21522]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21524]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/bin/ldd]: ldd /usr/sbin/sshd
Feb 18 07:28:06 server1 snoopy[21525]: [uid:0 sid:20392 tty: cwd:/lib filename:/lib/ld-linux.so.2]: /lib/ld-linux.so.2 --verify /usr/sbin/sshd
Feb 18 07:28:06 server1 snoopy[21527]: [uid:0 sid:20392 tty: cwd:/lib filename:/lib/ld-linux.so.2]: /lib/ld-linux.so.2 /usr/sbin/sshd
Feb 18 07:28:06 server1 snoopy[21528]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/cat]: cat
Feb 18 07:28:06 server1 snoopy[21529]: [uid:0 sid:20392 tty: cwd:/lib filename:/usr/sbin/sshd]: /usr/sbin/sshd -t
Feb 18 07:28:06 server1 snoopy[21531]: [uid:0 sid:20392 tty: cwd:/lib filename:/sbin/restorecon]: restorecon -F /lib/libkeyutils-1.2.so /lib/libkeyutils.so.1 /lib/libkeyutils.so.1.9
Feb 18 07:28:06 server1 snoopy[21532]: [uid:0 sid:20392 tty: cwd:/lib filename:/bin/touch]: touch -c -r libkeyutils-1.2.so libkeyutils.so.1
root@server1 [/var/log]# ls -ld /lib/libkeyutils*
libkeyutils-1.2.so libkeyutils.so.1 libkeyutils.so.1.9
root@server1 [/var/log]# ls -ld /lib/libkeyutils.so.1.9
-rwxr-xr-x 1 root root 26904 Jan 6 2007 /lib/libkeyutils.so.1.9*
root@server1 [/var/log]# stat /lib/libkeyutils.so.1.9
File: `/lib/libkeyutils.so.1.9'
Size: 26904 Blocks: 56 IO Block: 4096 regular file
Device: 6ah/106d Inode: 357728408 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-02-18 07:28:21.000000000 -0500
Modify: 2007-01-06 02:57:38.000000000 -0500
Change: 2013-02-18 07:28:06.000000000 -0500
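The following triage script is an added example, not part of the original post or the tools it cites. It checks, for one library directory, the indicators described above: rpm ownership of libkeyutils.so.1.9 (the HOW TO FIND OUT check), the networking symbols grepped for in the EXPLOITED FILE / CLEAN FILE comparison, whether libkeyutils.so.1 was re-pointed at the .so.1.9 file, and whether its mtime was cloned from libkeyutils-1.2.so, which is what the touch -c -r step in the snoopy log achieves. It assumes GNU/busybox stat -c syntax as on the CentOS hosts discussed, and since a later keyutils release may legitimately ship a file of that name, rpm ownership rather than the filename is the deciding indicator.

```shell
#!/bin/sh
# Added triage helper; not from the original post. Parsing is kept apart from
# gathering so the logic can be exercised offline with constructed input.

# rpm_owner: "rooted" when the rpm -qf output disowns the file, "owned" otherwise.
rpm_owner() {
  case "$1" in
    *"is not owned by any package"*) echo rooted ;;
    *) echo owned ;;
  esac
}

# net_symbols: the networking symbols the post grepped for, found as whole words in
# file $1 (NULs become newlines so ELF string tables are scanned portably).
net_symbols() {
  tr '\0' '\n' < "$1" | grep -a -o -w -E 'connect|socket|inet_ntoa|gethostbyname' \
    | sort -u | xargs
}

# verdict: $1 rpm result, $2 symbol list, $3 target of the libkeyutils.so.1 symlink,
# $4 mtime of the .so.1.9 file, $5 mtime of libkeyutils-1.2.so (epoch seconds).
# An unowned file alone is the post's "you have been rooted" condition.
verdict() {
  score=0
  [ "$1" = rooted ] && score=$((score + 1))
  [ -n "$2" ] && score=$((score + 1))
  [ "$3" = libkeyutils.so.1.9 ] && score=$((score + 1))
  [ -n "$4" ] && [ "$4" = "$5" ] && score=$((score + 1))
  if [ "$1" = rooted ]; then echo "COMPROMISED ($score/4 indicators)"
  elif [ "$score" -gt 0 ]; then echo "SUSPICIOUS ($score/4 indicators)"
  else echo "CLEAN"; fi
}

# scan: gather the indicators from a live host for directory $1 (/lib or /lib64).
scan() {
  lib="$1/libkeyutils.so.1.9"
  [ -e "$lib" ] || { echo "$lib: absent"; return 0; }
  owner=$(rpm_owner "$(rpm -qf "$lib" 2>&1)")
  syms=$(net_symbols "$lib")
  link=$(readlink "$1/libkeyutils.so.1" 2>/dev/null)
  m1=$(stat -c %Y "$lib" 2>/dev/null)
  m2=$(stat -c %Y "$1/libkeyutils-1.2.so" 2>/dev/null)
  echo "$lib: $(verdict "$owner" "$syms" "$link" "$m1" "$m2") symbols=[$syms]"
}

for d in /lib /lib64; do scan "$d"; done
```

Run it as root on a suspect host; a CLEAN result only covers the indicators the post lists, so a differently built sample (the post notes the strings vary) can still slip past the symbol check.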
References:
http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
http://www.webhostingtalk.com/showthread.php?t=1235797
0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9