Checking for SSHD Rootkit hack

Over the past few days the SSHD rootkit issue has caused havoc amongst server admins. It is still unknown how the attackers gain root access to the servers and modify the keyutils-libs package. It has mainly affected 64-bit operating systems running control panels such as cPanel, Direct Admin, Plesk, Webuzo, etc.

We recommend that every server admin check whether their server has been affected. To do so, run the following command:
root> ls -la /lib*/libkey*
If the listing shows any of the following files, your server may be compromised:

  • libkeyutils.so.1.9
  • libkeyutils.so.1.3.2
  • libkeyutils-1.2.so.2

The /lib64/libkeyutils.so.1 symlink will point to one of the files above instead of the correct library, e.g. libkeyutils-1.2.so.
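To automate the check above across a library directory, here is an added shell script (not from the original post) that looks for the three file names listed and inspects where libkeyutils.so.1 points; the directory argument and the `--scan` flag are conventions of this example only.

```shell
#!/bin/sh
# Added example, not from the original post: scan a lib directory for the
# libkeyutils indicator files named above and check the libkeyutils.so.1 symlink.

# File names the post lists as indicators of the trojaned keyutils-libs.
SUSPECT_NAMES="libkeyutils.so.1.9 libkeyutils.so.1.3.2 libkeyutils-1.2.so.2"

# check_libkeyutils DIR
# Returns 0 if DIR looks clean, 1 if an indicator file is present, the
# libkeyutils.so.1 symlink points at one, or libkeyutils.so.1 is not a symlink.
check_libkeyutils() {
    dir="$1"
    status=0
    for name in $SUSPECT_NAMES; do
        if [ -e "$dir/$name" ]; then
            echo "SUSPICIOUS: $dir/$name exists"
            status=1
        fi
    done
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        # Compare the basename only, so relative and absolute link targets both match.
        base=${target##*/}
        for name in $SUSPECT_NAMES; do
            if [ "$base" = "$name" ]; then
                echo "SUSPICIOUS: $link -> $target"
                status=1
            fi
        done
        [ "$status" -eq 0 ] && echo "OK: $link -> $target"
    elif [ -e "$link" ]; then
        # The loader expects a symlink here; a regular file deserves a closer look.
        echo "SUSPICIOUS: $link is a regular file, not a symlink"
        status=1
    fi
    return "$status"
}

# When invoked as `sh check_libkeyutils.sh --scan`, inspect the real library
# directories (the automated form of the `ls -la /lib*/libkey*` check above).
if [ "${1:-}" = "--scan" ]; then
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] && { check_libkeyutils "$d" || rc=1; }
    done
    exit "$rc"
fi
```

Treat a name match as a reason to investigate rather than as proof: newer keyutils releases legitimately ship a library file named libkeyutils.so.1.9, so verify the installed files against the package manager (for example `rpm -V keyutils-libs` on RPM-based systems) before deleting anything.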

To remove it, do the following:
1) Remove the rogue file present on your system, e.g.
root> rm -rf /lib64/libkeyutils-1.2.so.2

2) Remove the symlink as well, e.g.
root> rm -rf /lib64/libkeyutils.so.1

3) Create a symlink to the correct file:
root> ln -s /lib64/libkeyutils-1.2.so /lib64/libkeyutils.so.1

Then restart the system. Restarting the services alone will do no good, so please restart the whole system.

Though there is a possibility of the server being re-infected, I have personally found, from more than 20 servers I manage, that servers with NON-STANDARD SSH ports were not infected.
Hence please do change the SSH port for your server's safety.

Talk back: Have you noticed the SSHD rootkit on your servers? What have you done to clean up your infected servers? Please do share with everyone.
