[Sheflug] Zero-day rootkit?
Just a heads-up in case it's not been seen. The last couple of days I've
seen blogs and forums light up with news of an active zero-day attack - the
actual attack vector is currently not known, which makes this more worrying
than most. Some folk are placing the blame on SSH, others on cPanel, but
really, no-one currently knows.
Typically it's been Red Hat or CentOS machines affected, although I've seen
(unconfirmed) anecdotes on forums that Debian has also been affected.
You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on
your box, most likely under /lib (but could be elsewhere). The latest
"good" version of this file is 1.3...
It's also curious that most of the talk is on forums. I haven't seen
anything from the distributions about this.
Relevant links and more info:
http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
http://blog.configserver.com/index.php?itemid=716
http://www.webhostingtalk.com/showthread.php?t=1235797
A google for libkeyutils.so.1.9 brings back other various forums, etc...
Don't know if anyone's got more solid information on this?
Cheers,
Chris
--
Chris Johnson :: cej@xxxxxxxxxxxxxxxx :: PGP 0xBC618B81
:: http://cej.nightwolf.org.uk/
_______________________________________________
Sheffield Linux User's Group
http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
FAQ at: http://www.sheflug.org.uk/mailfaq.html
GNU - The Choice of a Complete Generation
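The check Chris describes above (is there a libkeyutils.so.1.9 on the box, and does the libkeyutils.so.1 symlink the loader actually uses point at it?), written up as a small POSIX sh script. This is an added example, not code from the original post or from any of the linked write-ups; it assumes nothing beyond the indicator named in the message. The package-manager query (rpm -qf / dpkg -S) is the extra step a practitioner would want, since a library installed by the distribution should be owned by a package. It walks the whole filesystem rather than just /lib because the post notes the file could be elsewhere.

```shell
#!/bin/sh
# Added example, not part of the original post: look for the indicator
# described in the message (a libkeyutils.so.1.9 anywhere on the box, and a
# libkeyutils.so.1 symlink resolving to it). ROOT defaults to / for a live
# host; a test tree can be passed instead.

# check_libkeyutils [ROOT]
# Prints what it finds. Exit status 1 = indicator present, 0 = nothing found.
check_libkeyutils() {
    root=${1:-/}
    found=0

    # The post says "most likely under /lib (but could be elsewhere)", so
    # walk the whole filesystem (staying on one device) rather than just /lib.
    hits=$(find "$root" -xdev -name 'libkeyutils.so.1.9' 2>/dev/null)
    if [ -n "$hits" ]; then
        for f in $hits; do
            echo "SUSPICIOUS: $f exists"
            # If a package manager is available, ask whether it owns the file.
            # A library the distribution installed should belong to a package.
            if command -v rpm >/dev/null 2>&1; then
                rpm -qf "$f" 2>/dev/null || echo "  (not owned by any rpm package)"
            elif command -v dpkg >/dev/null 2>&1; then
                dpkg -S "$f" 2>/dev/null || echo "  (not owned by any dpkg package)"
            fi
        done
        found=1
    fi

    # The runtime loader opens the soname symlink libkeyutils.so.1, so report
    # where every such symlink resolves; pointing at .1.9 is the giveaway.
    for l in $(find "$root" -xdev -name 'libkeyutils.so.1' 2>/dev/null); do
        target=$(readlink "$l" 2>/dev/null || true)
        echo "$l -> ${target:-(not a symlink)}"
        case "$target" in
            *libkeyutils.so.1.9)
                echo "SUSPICIOUS: $l resolves to libkeyutils.so.1.9"
                found=1
                ;;
        esac
    done
    return $found
}

# Usage: sh check.sh /        (or any other root to scan)
if [ "$#" -gt 0 ]; then
    check_libkeyutils "$1"
fi
```

A clean box (libkeyutils.so.1 pointing at a 1.3 or similar distribution-owned library, no .1.9 present) gives exit status 0; a hit gives 1 and prints the offending paths, which makes the function usable from a cron job or a fleet-wide ssh loop.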