The new memory-corruption vulnerability, allows unprivileged users to crash or execute malicious code on vulnerable systems and gain root privileges. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device.
While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers so an upgrade is mandatory.
This issue affects the versions of the Linux kernel packages as shipped with Red Hat Enterprise Linux / CentOS 6 prior to version kernel-2.6.32-358.6.2.el6
If you would like to have this vulerability patched or ensure your server is not affected, please purchase a 1x Hour of Support plan.
Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!.
There is a new SSHD rookit rolling around since few days ago, it looks it’s affecting mostly RHEL/CentOS servers.
Servers with cPanel, Plesk, VirtualMin and DirectAdmin are affected well.
According to a Security Audition in one of the hacked servers we found the Rootkit deposits files in /lib64 and /lib, main file name is libkeyutils.so.1.9.
It changes symlinks of /lib64/libkeyutils.so.1 to point to the mentioned lib.
We believe this lib is capable of stealing passwords, SSH keys and /etc/shadow files from the server. It’s also used as a backdoor to
gain access to the server through a different port, the rootkit will also modify all the authentication mechanisms of the server preventing any login or command history to be logged through this backdoor.
The intruder has full root access which means there is a exploit among with this rootkit capable of root privilege escalation.
You can see if your server is infected by running the following script:
# wget -qq -O - http://www.serverbuddies.com/files/libkeyutilscheck.sh | sh
We highly encourage our customers to submit a 1x Hour of Support if you see the script is showing your server as compromised.
Don’t hesitate to contact our Support Team for any inquiry you may have!
