mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory
[FAILED]
How do I remove it from SSHD?
Need to fix this: http://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4
REF about this exploit now that I've heard about it: http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
They are not logging in with root, nor are they even spawning a bash process. If the lib is moved out, and sshd is restarted they cannot login anymore fwiw.
The key is finding out how they are getting in. Fully upgraded, ssh key restricted sshd, on non-standard ports are being compromised. None of my customers are, but I have been getting alot of sales inquiries with this issue so I don't know the full history of the machines.
[/lib64]# rpm -vV openssh
......... /etc/ssh
......... c /etc/ssh/moduli
......... /usr/bin/ssh-keygen
......... /usr/libexec/openssh
......... /usr/libexec/openssh/ssh-keysign
......... /usr/share/doc/openssh-5.3p1
......... d /usr/share/doc/openssh-5.3p1/CREDITS
......... d /usr/share/doc/openssh-5.3p1/ChangeLog
......... d /usr/share/doc/openssh-5.3p1/INSTALL
......... d /usr/share/doc/openssh-5.3p1/LICENCE
......... d /usr/share/doc/openssh-5.3p1/OVERVIEW
......... d /usr/share/doc/openssh-5.3p1/PROTOCOL
......... d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
......... d /usr/share/doc/openssh-5.3p1/README
......... d /usr/share/doc/openssh-5.3p1/README.dns
......... d /usr/share/doc/openssh-5.3p1/README.nss
......... d /usr/share/doc/openssh-5.3p1/README.platform
......... d /usr/share/doc/openssh-5.3p1/README.privsep
......... d /usr/share/doc/openssh-5.3p1/README.smartcard
......... d /usr/share/doc/openssh-5.3p1/README.tun
......... d /usr/share/doc/openssh-5.3p1/TODO
......... d /usr/share/doc/openssh-5.3p1/WARNING.RNG
......... d /usr/share/man/man1/ssh-keygen.1.gz
......... d /usr/share/man/man8/ssh-keysign.8.gz
[/lib64]# rpm -vV openssh-clients
S.5....T. c /etc/ssh/ssh_config
......... /usr/bin/.ssh.hmac
......... /usr/bin/scp
......... /usr/bin/sftp
......... /usr/bin/slogin
......... /usr/bin/ssh
......... /usr/bin/ssh-add
......... /usr/bin/ssh-agent
......... /usr/bin/ssh-copy-id
......... /usr/bin/ssh-keyscan
......... d /usr/share/man/man1/scp.1.gz
......... d /usr/share/man/man1/sftp.1.gz
......... d /usr/share/man/man1/slogin.1.gz
......... d /usr/share/man/man1/ssh-add.1.gz
......... d /usr/share/man/man1/ssh-agent.1.gz
......... d /usr/share/man/man1/ssh-copy-id.1.gz
......... d /usr/share/man/man1/ssh-keyscan.1.gz
......... d /usr/share/man/man1/ssh.1.gz
......... d /usr/share/man/man5/ssh_config.5.gz
[/lib64]# rpm -vV openssh-server
.......T. c /etc/pam.d/ssh-keycat
S.5....T. c /etc/pam.d/sshd
......... /etc/rc.d/init.d/sshd
S.5....T. c /etc/ssh/sshd_config
......... c /etc/sysconfig/sshd
......... /usr/libexec/openssh/sftp-server
......... /usr/libexec/openssh/ssh-keycat
......... /usr/sbin/.sshd.hmac
......... /usr/sbin/sshd
......... /usr/share/doc/openssh-server-5.3p1
......... d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
......... d /usr/share/man/man5/moduli.5.gz
......... d /usr/share/man/man5/sshd_config.5.gz
......... d /usr/share/man/man8/sftp-server.8.gz
......... d /usr/share/man/man8/sshd.8.gz
......... /var/empty/sshd
and
[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L.... /lib64/libkeyutils.so.1
......... /lib64/libkeyutils.so.1.3
......... /usr/share/doc/keyutils-libs-1.4
......... d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL
