libkeyutils rootkits for RPM based distros?

Steve Alligood steve at
Tue Mar 12 11:53:17 MDT 2013

I am not sure how they are triggering for that email; I got one for a customer we no longer have, and it had taken Cirt over three months to send it out (based on how long they had not been a customer).

I do know it has been a common root kit lately (as seen in that webhostingtalk thread below), and a lot of cpanel customers were getting compromised with it.

** (spoiler alert if you want to read that entire thread) **

Seems cpanel support make people give them root access to login and fix things for their customers, and rumor is that one of their support personnel was running an infected windows with a key logger.  Whomever was getting the passwords was then installing this root kit.

Aka, never give anyone root access on your servers, and if you have to violate that rule, give them a key that you can revoke.

On Mar 12, 2013, at 1:20 AM, Gabriel Gunderson wrote:

> Anyone seen this in the wild over the past few weeks?
> This is a letter that was forwarded to me from my ISP:
> """
> US-CERT has received information from a trusted third-party that
> systems within your net range may have been compromised. The mass
> compromise was possibly the result of an SSHD rootkit. The reporting
> party was able to do a quick check for the rootkit by typing the
> following:  find /lib* -name libkeyutils\* -exec strings \{\}  \; ,
> egrep 'connect,socket,inet_ntoa,
> gethostbyname'.  The data may be recorded as SSH login or brute force
> attempts at these IPs.  If there is output, the system is compromised.
> If not, do the checks discussed in [2].  The possible affected IPs are
> listed in the attached document.
> [1]
> [2]
> """
> So, I know a rootkit can hid itself, but:
> 1) I've done a pretty exhaustive review of my system and I haven't
> uncovered *anything* suspicious (log, ports, shared memory,
> timestamps, MD5s, network traffic, processes, lsof, etc.).
> 2) My distro (ClearOS, based on RHEL) issued updates pretty quick on this issue.
> 3) I actually update packages pretty often on this box.
> I haven't setup a bridge or a port mirror to see the network traffic
> from a unrelated bit of harware, but I'll do that soon.
> Anyway, I'm not entirely convinced they've got the right server in this case.
> Any thoughts on how to proceed? BTW, reinstalling this box is no big
> deal, I just don't want to do it without learning something from this.
> Best,
> Gabe
> /*
> PLUG:, #utah on
> Unsubscribe:
> Don't fear the penguin.
> */

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4808 bytes
Desc: not available
Url : 

More information about the PLUG mailing list