libkeyutils rootkits for RPM based distros?

Steve Meyers steve-plug at spwiz.com
Tue Mar 12 08:30:44 MDT 2013


How was the reporting third party able to check your file system?  That 
seems rather strange.

On 3/12/13 1:20 AM, Gabriel Gunderson wrote:
> Anyone seen this in the wild over the past few weeks?
>
> This is a letter that was forwarded to me from my ISP:
>
> """
> US-CERT has received information from a trusted third-party that
> systems within your net range may have been compromised. The mass
> compromise was possibly the result of an SSHD rootkit. The reporting
> party was able to do a quick check for the rootkit by typing the
> following:  find /lib* -name libkeyutils\* -exec strings \{\} \; |
> egrep 'connect|socket|inet_ntoa|gethostbyname'.  The data may be recorded
> as SSH login or brute force
> attempts at these IPs.  If there is output, the system is compromised.
> If not, do the checks discussed in [2].  The possible affected IPs are
> listed in the attached document.
>
> [1] http://www.webhostingtalk.com/showthread.php?t=1235797
> [2] http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
> """
>
> So, I know a rootkit can hide itself, but:
>
> 1) I've done a pretty exhaustive review of my system and I haven't
> uncovered *anything* suspicious (log, ports, shared memory,
> timestamps, MD5s, network traffic, processes, lsof, etc.).
> 2) My distro (ClearOS, based on RHEL) issued updates pretty quick on this issue.
> 3) I actually update packages pretty often on this box.
>
> I haven't set up a bridge or a port mirror to see the network traffic
> from an unrelated bit of hardware, but I'll do that soon.
>
> Anyway, I'm not entirely convinced they've got the right server in this case.
>
> Any thoughts on how to proceed? BTW, reinstalling this box is no big
> deal, I just don't want to do it without learning something from this.
>
>
> Best,
> Gabe
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
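The one-liner in the forwarded letter, expanded into a small script. This is an added example, not from the thread or from the US-CERT/ISC text it quotes. It assumes an RPM-based host for the rpm steps (they are skipped where rpm is absent); the search directories, function names and messages are assumptions of mine; and `strings`, which is not always installed, is replaced by a tr-based token split over the raw bytes, which finds the same symbol names.

```shell
#!/bin/sh
# Added example, not from the thread or from the US-CERT/ISC text it quotes.
# Scan every libkeyutils* file for the network symbols the letter names,
# then ask rpm which package owns the file and whether it still verifies.
# Assumptions: an RPM-based host for the rpm part (skipped elsewhere); the
# search directories, function names and messages are mine; 'strings' is
# replaced by a tr-based token split so the scan also works where binutils
# is not installed.

SUSPECT_SYMS='connect|socket|inet_ntoa|gethostbyname'

# scan_lib FILE: print, one per line and sorted, each suspect symbol name
# that appears as a whole token in FILE.  Exit 0 if any was found
# (suspicious), 1 if none (clean).  The -x match avoids hits on longer
# identifiers such as "reconnect".
scan_lib() {
    hits=$(tr -c '[:alnum:]_' '\n' < "$1" | grep -xE "$SUSPECT_SYMS" | sort -u)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# rpm_owner FILE: print the owning package (or UNOWNED), followed by any
# rpm -V complaint about that file (size, digest or mtime mismatch).
# Exit 1 when rpm is not available so callers can skip this step.
rpm_owner() {
    command -v rpm >/dev/null 2>&1 || return 1
    if pkg=$(rpm -qf "$1" 2>/dev/null); then
        echo "$pkg"
        rpm -V "$pkg" 2>/dev/null | grep -F -- "$1" || true
    else
        echo UNOWNED
    fi
}

# audit_libkeyutils [DIR...]: find every libkeyutils* file under the given
# directories (default: the usual library paths) and report on each.
# Exit 0 if nothing matched the symbol scan, 1 if at least one file did.
audit_libkeyutils() {
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
    found=0
    # Library paths contain no whitespace, so plain word splitting is safe here.
    for f in $(find "$@" -name 'libkeyutils*' -type f 2>/dev/null); do
        if syms=$(scan_lib "$f"); then
            found=1
            printf 'SUSPICIOUS %s: %s\n' "$f" "$(printf '%s' "$syms" | tr '\n' ' ')"
            if owner=$(rpm_owner "$f"); then
                printf '  rpm: %s\n' "$owner"
            fi
        else
            printf 'clean      %s\n' "$f"
        fi
    done
    return $found
}

# Usage: sh audit-libkeyutils.sh /lib /lib64 /usr/lib /usr/lib64
# Exit status 1 means at least one file matched.  With no arguments only the
# functions are defined, so the file can be sourced and audit_libkeyutils
# called by hand (it then scans the default directories).
[ $# -eq 0 ] || audit_libkeyutils "$@"
```

A hit on a file that rpm reports as UNOWNED, or that `rpm -V` flags with a changed digest, is the strong signal; a hit on a file that verifies clean against its package means the library on that distribution legitimately references one of those names, which the letter's premise says the genuine library should not. Either way the scan runs on the host being questioned, so a rootkit that also hooks `find`, `tr` or `grep` could hide from it; the port mirror from separate hardware that Gabe plans, or scanning the disk from a rescue medium, avoids trusting the suspect system's own tools.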


