libkeyutils rootkits for RPM based distros?

Gabriel Gunderson gabe at
Tue Mar 12 01:20:59 MDT 2013

Anyone seen this in the wild over the past few weeks?

This is a letter that was forwarded to me from my ISP:

US-CERT has received information from a trusted third-party that
systems within your net range may have been compromised. The mass
compromise was possibly the result of an SSHD rootkit. The reporting
party was able to do a quick check for the rootkit by typing the
following:  find /lib* -name libkeyutils\* -exec strings \{\}  \; ,
egrep 'connect,socket,inet_ntoa,
gethostbyname'.  The data may be recorded as SSH login or brute force
attempts at these IPs.  If there is output, the system is compromised.
If not, do the checks discussed in [2].  The possible affected IPs are
listed in the attached document.


So, I know a rootkit can hid itself, but:

1) I've done a pretty exhaustive review of my system and I haven't
uncovered *anything* suspicious (log, ports, shared memory,
timestamps, MD5s, network traffic, processes, lsof, etc.).
2) My distro (ClearOS, based on RHEL) issued updates pretty quick on this issue.
3) I actually update packages pretty often on this box.

I haven't setup a bridge or a port mirror to see the network traffic
from a unrelated bit of harware, but I'll do that soon.

Anyway, I'm not entirely convinced they've got the right server in this case.

Any thoughts on how to proceed? BTW, reinstalling this box is no big
deal, I just don't want to do it without learning something from this.


More information about the PLUG mailing list