SSHD rootkit in the wild

ComputerSaysNo · Feb 23, 2013

There are a lot of discussions at the moment about a SSHD rootkit hitting mainly RPM based Linux distributions.
Thanks to our reader unSpawn, we received a bunch of samples of the rootkit. The rootkit is actually a trojanized library that links with SSHD and does *a lot* of nasty things to the system.

At this point in time we still do not know what the initial attack vector is – it is unknown how the attackers get root access on the compromised servers that is needed to change the legitimate libkeyutils library with a trojanized one. We are, of course, keeping an eye on the development and will post a new diary or update this one if we receive more information about the attack vectors.
Click to expand...

https://isc.sans.edu/diary/SSHD rootkit in the wild/15229

Interesting.....

Cudni · Feb 23, 2013

and some thoughts on the subject
http://www.dslreports.com/forum/r28036508-

Gullible Jones · Feb 23, 2013

Hmm. I'm somewhat more interested in knowing how the attackers are gaining root access to compromised systems.

java dude · Feb 23, 2013

Gullible Jones said:

Hmm. I'm somewhat more interested in knowing how the attackers are gaining root access to compromised systems.
Click to expand...

It's believed that the workstations used to access remote servers via SSH were infected with a keylogger (quite possibly with a malicious flash/java exploit), then used to back connect to the server and plant the rootkit. Nasty stuff.

Gullible Jones · Feb 23, 2013

Nasty indeed. Time to tighten up my Noscript settings, I think.

Mrkvonic · Feb 24, 2013

java dude said:

It's believed that the workstations used to access remote servers via SSH were infected with a keylogger (quite possibly with a malicious flash/java exploit), then used to back connect to the server and plant the rootkit. Nasty stuff.
Click to expand...

Based on?
Mrk

NGRhodes · Feb 24, 2013

According to the article linked by the OP (which has been updated) - The source appears to be a compromised support server at cpanel . Which then got credentials stored on support tickets so that cpanel support staff could login.

Cheers, Nick

tlu · Feb 24, 2013

There's a very lengthy thread on WHT. It seems that it's not yet quite clear what's going on here (as I understand it after not reading through all 1362 posts there ).

ComputerSaysNo · Feb 25, 2013

Seems like CentOS is being hammered.

Log in or Sign up

SSHD rootkit in the wild

ComputerSaysNo Guest

Cudni Global Moderator

Gullible Jones Guest

java dude Registered Member

Gullible Jones Guest

Mrkvonic Linux Systems Expert

NGRhodes Registered Member

tlu Guest

ComputerSaysNo Guest

Log in or Sign up

SSHD rootkit in the wild

ComputerSaysNo Guest

Cudni Global Moderator

Gullible Jones Guest

java dude Registered Member

Gullible Jones Guest

Mrkvonic Linux Systems Expert

NGRhodes Registered Member

tlu Guest

ComputerSaysNo Guest

Useful Searches