libkeyutils rootkits for RPM based distros?

Steve Meyers steve-plug at
Tue Mar 12 08:30:44 MDT 2013

How was the reporting third party able to check your file system?  That 
seems rather strange.

On 3/12/13 1:20 AM, Gabriel Gunderson wrote:
> Anyone seen this in the wild over the past few weeks?
> This is a letter that was forwarded to me from my ISP:
> """
> US-CERT has received information from a trusted third-party that
> systems within your net range may have been compromised. The mass
> compromise was possibly the result of an SSHD rootkit. The reporting
> party was able to do a quick check for the rootkit by typing the
> following:  find /lib* -name libkeyutils\* -exec strings \{\}  \; ,
> egrep 'connect,socket,inet_ntoa,
> gethostbyname'.  The data may be recorded as SSH login or brute force
> attempts at these IPs.  If there is output, the system is compromised.
> If not, do the checks discussed in [2].  The possible affected IPs are
> listed in the attached document.
> [1]
> [2]
> """
> So, I know a rootkit can hide itself, but:
> 1) I've done a pretty exhaustive review of my system and I haven't
> uncovered *anything* suspicious (log, ports, shared memory,
> timestamps, MD5s, network traffic, processes, lsof, etc.).
> 2) My distro (ClearOS, based on RHEL) issued updates pretty quick on this issue.
> 3) I actually update packages pretty often on this box.
> I haven't set up a bridge or a port mirror to see the network traffic
> from an unrelated bit of hardware, but I'll do that soon.
> Anyway, I'm not entirely convinced they've got the right server in this case.
> Any thoughts on how to proceed? BTW, reinstalling this box is no big
> deal, I just don't want to do it without learning something from this.
> Best,
> Gabe
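As an added example (not from the thread, and not US-CERT's own script): the quoted strings check rewritten as a small POSIX shell script, with the natural extra step on an RPM-based box of asking rpm whether each libkeyutils file is owned by a package and still verifies against the package database. It assumes grep -E is available; strings(1) and rpm are used only when present, and a tr-based fallback stands in for strings.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks libkeyutils libraries for
# networking symbol names (as in the US-CERT one-liner) and, on RPM systems,
# for package ownership and rpm -V integrity.

# Print the printable strings of a binary. Uses strings(1) when available,
# otherwise a tr-based fallback (runs of 4 or more printable characters).
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Exit 0 (suspicious) when the file carries network symbol names that a
# genuine libkeyutils (a thin keyring wrapper) has no reason to reference.
libkeyutils_suspicious() {
    printable_strings "$1" | grep -Eq 'connect|socket|inet_ntoa|gethostbyname'
}

# For each libkeyutils* file under the given directories, report the strings
# check and, where rpm exists, whether the file is owned and verifies cleanly.
scan_libkeyutils() {
    find "$@" -name 'libkeyutils*' -type f 2>/dev/null | while read -r lib; do
        if libkeyutils_suspicious "$lib"; then
            printf 'SUSPICIOUS %s (network symbols present)\n' "$lib"
        else
            printf 'clean      %s\n' "$lib"
        fi
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$lib" 2>/dev/null) || owner='not owned by any package'
            printf '           package: %s\n' "$owner"
            # rpm -V is silent and exits 0 only when size, digest, mode, etc.
            # of the installed file still match the package database.
            rpm -Vf "$lib" >/dev/null 2>&1 || printf '           rpm -V: MISMATCH\n'
        fi
    done
}

# Scan the real library directories when invoked as: sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_libkeyutils /lib /lib64 /usr/lib /usr/lib64
fi
```

A library that is both unowned by any package and fails the strings check is the case worth treating as a likely trojaned libkeyutils; a clean rpm -V on a file that still matches the pattern deserves a second look with the checks referenced in [2].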
