Interesting SSHD Exploit

SneakyDave · 02-21-2013, 11:04 AM

For those running their own servers. Appears to possibly be related to a keylogger installed via the java exploit bug.

Look for the existence of a /lib64/libkeyutils.so.1.9 (64 bit) or /lib/libkeyutils.so.1.9 (32 bit) file, and if you have it, you're probably infected.

Script to check for the vulnerability... (be careful not to run unknown scripts as root though!)

http://www.cloudlinux.com/blog/clnews/sshd-exploit.php

More discussion...
http://www.webhostingtalk.com/showthread.php?t=1235797

**Kevin** · 02-21-2013, 12:16 PM

I had heard of this problem but I hadn't seen that cloudlinux.com link yet.

I got a good laugh at the idea of running:

Code:

wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash

to determine if you have been infected. That sounds like a really good way to get infected with something to me

But I was curious so I did it without the |bash part which means I just got their script dumped to my screen without it doing anything. Then I got another laugh that their script considered infection found to be a success and infection not found to be a failure.

SneakyDave · 02-21-2013, 01:57 PM

Right, I thought the same thing. Their description was informative, but I wouldn't just go running a wget to execute an unknown script as root