Server Buddies
Alert: New SSHD Rootkit/exploit rolling around

02-25-2013

A new SSHD rootkit has been circulating for the past few days; it appears to affect mostly RHEL/CentOS servers.

Servers with cPanel, Plesk, VirtualMin and DirectAdmin are affected as well.
 
In a security audit of one of the hacked servers, we found that the rootkit deposits files in /lib64 and /lib; the main file name is libkeyutils.so.1.9.
 
It changes the /lib64/libkeyutils.so.1 symlink to point to that library.
 
We believe this library is capable of stealing passwords, SSH keys and /etc/shadow files from the server. It is also used as a backdoor to gain access to the server through a different port. The rootkit also modifies all the authentication mechanisms of the server, so that no login or command history is logged for access through this backdoor.

The intruder has full root access, which means this rootkit is accompanied by an exploit capable of root privilege escalation.
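The file-system indicators described above (libkeyutils.so.1.9 in /lib or /lib64, and a libkeyutils.so.1 symlink pointing at it) can be checked locally with a few lines of shell. This is an added example, not the libkeyutilscheck.sh script referenced on this page; the function names and the ROOT argument are assumptions of the example, and because a file name alone can match a legitimately packaged library, it also asks rpm which package owns the file when run on a live RPM host.

```shell
#!/bin/sh
# Added example: local check for the file-system indicators named in this alert.
# check_libkeyutils and its ROOT argument are assumptions of this example;
# ROOT lets the check run against a mounted disk image or a test tree.

check_libkeyutils() {
    root=${1:-/}
    root=${root%/}            # "/" becomes "", so paths below start with "/"
    hits=0
    for dir in lib lib64; do
        # Indicator 1: the library file the alert names.
        f="$root/$dir/libkeyutils.so.1.9"
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "FOUND $f"
            hits=$((hits + 1))
            # A file no package owns is the stronger signal (live RPM hosts only).
            if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
                rpm -qf "$f" 2>&1 | sed 's/^/  rpm: /'
            fi
        fi
        # Indicator 2: the libkeyutils.so.1 symlink redirected to that file.
        l="$root/$dir/libkeyutils.so.1"
        if [ -L "$l" ]; then
            target=$(readlink "$l")
            case "$target" in
                *libkeyutils.so.1.9)
                    echo "FOUND $l -> $target"
                    hits=$((hits + 1)) ;;
            esac
        fi
    done
    if [ "$hits" -gt 0 ]; then
        echo "RESULT: $hits indicator(s) present"
        return 1
    fi
    echo "RESULT: no indicators present"
    return 0
}

# Constructed sample tree imitating the layout the alert describes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/lib" "$t/lib64"
    : > "$t/lib64/libkeyutils.so.1.9"
    ln -s libkeyutils.so.1.9 "$t/lib64/libkeyutils.so.1"
    echo "$t"
}
```

On a live host, call `check_libkeyutils /`; pass a mount point instead to inspect an offline disk image, or the path printed by `make_sample_tree` to see the positive case.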

You can see if your server is infected by running the following script:

# wget -qq -O - http://www.serverbuddies.com/files/libkeyutilscheck.sh | sh

We strongly encourage you to submit a 1x Hour of Support request if the script shows your server as compromised.

Don't hesitate to contact our Support Team with any inquiry you may have!

Remember, we listen to you! Any comments/suggestions should be sent to info@serverbuddies.com.

 