Some further information about Linux servers being compromised, and some insights.
Backdoor imitating ssh - check your systems for the libkeyutils.so.1.9 file... "...Many users have reported that on some servers they have noticed a suspicious file: libkeyutils.so.1.9
The only "symptom" so far is the fact that spam is being sent from those servers from time to time, but everything indicates that the attackers gained root on the machines and can start using them for any other purpose at any time..."
No one knows how the file gets onto the server. Some say that right after the file was detected they "burned the machines to the ground" and had fresh systems installed, only to find the file there again a few minutes later. This suggests an attack launched from the administrator's own machine: an infected administrator logs into the remote host and, without knowing it, plants the backdoor there. Logs indicate that the attack is performed automatically.
How to check if you were 'rooted'?
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9
Those files should not exist.
or:
su -c "updatedb" && locate libkeyutils.so.1.9
There should be no output:
[andrzejl@wishmacer ~]$ su -c "updatedb" && locate libkeyutils.so.1.9
Password:
[andrzejl@wishmacer ~]$
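The checks above are four separate commands that only cover /lib and /lib64. The script below is an added example (my own, not from the original post or from niebezpiecznik) that walks the usual library directories, flags any file with the known backdoor name, and, on an RPM-based system such as RHEL/CentOS, also flags any libkeyutils.so.* that no package owns, which generalises the rpm -qf check to whatever version string the file carries. Without rpm installed only the name check is performed. The directory list and the self-test directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not the original post's code): scan for the rogue
# libkeyutils.so.1.9 and for any libkeyutils.so.* that no RPM claims.
# Assumes an RPM-based distribution; without rpm only the name check runs.

# check_libkeyutils [dir ...]
#   Defaults to /lib /lib64 /usr/lib /usr/lib64 when no directory is given.
#   Prints one verdict line plus "ls -la" for each suspicious file.
#   Returns 0 when nothing suspicious was found, 1 otherwise.
check_libkeyutils() {
    rc=0
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
    for dir in "$@"; do
        for f in "$dir"/libkeyutils.so.*; do
            [ -e "$f" ] || continue            # glob matched nothing
            case "$f" in
                */libkeyutils.so.1.9) verdict="SUSPICIOUS (known backdoor name)" ;;
                *) verdict="" ;;
            esac
            # On RPM systems a library in a system lib dir that no package owns
            # is suspicious regardless of its name. rpm -qf exits non-zero for
            # "file ... is not owned by any package".
            if command -v rpm >/dev/null 2>&1; then
                if ! rpm -qf "$f" >/dev/null 2>&1; then
                    verdict="${verdict:-SUSPICIOUS} (not owned by any package)"
                fi
            fi
            if [ -n "$verdict" ]; then
                printf '%s: %s\n' "$verdict" "$f"
                ls -la "$f"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage on a live host (assumed invocation, scans the default directories):
#   check_libkeyutils || echo "investigate this machine"
```

On a clean RHEL/CentOS box the legitimate libkeyutils.so.1 symlink and its target are owned by the keyutils-libs package and are not reported; running rpm -V keyutils-libs afterwards additionally verifies that the owned files themselves have not been modified.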
Backdoor analysis - is it a 0day attack?
One of the reddit users analyzed the file and found an encoded IP address in it:
$ ./audit libkeyutils.so.1.9 output
$ strings output |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
78.47.139.110
IP points to domain: RUBOP.COM, which belongs to:
Administrative Contact:
Ibragimov, Sergey pmadison12 at gmail dot com
Polanskay 11
Moskow, Russia 11223
Additionally, some users report that backdoored systems send packets to 72.156.139.154 on port 53/UDP during SSH connections, and that these packets carry user data (plain-text login credentials...).
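The two observations above, the address embedded in the decoded library and the 53/UDP traffic to a non-resolver host, can both be turned into repeatable checks. The helpers below are an added example of mine, not the reddit user's tooling and not part of the original post: extract_ipv4 reproduces the strings | grep pipeline without depending on binutils and rejects dotted quads whose octets exceed 255, and dns_exfil_filter builds a tcpdump expression for port 53/UDP traffic to anything that is not a resolver listed in resolv.conf, which is what would catch packets to 72.156.139.154. The sample blob is constructed for the demonstration and the 192.0.2.x resolver addresses are assumptions; a real sample may need decoding first, as the reddit user's ./audit step does, before any address is visible as a printable string.

```shell
#!/bin/sh
# Added example (not from the original post or the reddit analysis it cites).
# Offline triage helpers for a suspect libkeyutils.so.1.9.

# extract_ipv4 FILE
#   Print each dotted-quad literal found in the printable runs of FILE, one per
#   line, de-duplicated. Equivalent to "strings FILE | grep -Eo <ip regex>" but
#   without binutils, and with an octet range check so "999.1.1.1" is rejected.
extract_ipv4() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
      | grep -Eo '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
      | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 && !seen[$0]++'
}

# dns_exfil_filter RESOLV_CONF
#   Print a tcpdump filter matching UDP/53 traffic to any host that is NOT a
#   nameserver configured in RESOLV_CONF. Legitimate DNS lookups go to the
#   resolvers; the reported exfiltration to 72.156.139.154 would match.
dns_exfil_filter() {
    excl=$(awk '$1=="nameserver"{printf "%sdst host %s", (n++ ? " or " : ""), $2}' "$1")
    if [ -n "$excl" ]; then
        printf 'udp and dst port 53 and not (%s)\n' "$excl"
    else
        printf 'udp and dst port 53\n'
    fi
}

# make_sample_blob PATH
#   Constructed test input, not a real sample: ELF-like header bytes, fake
#   symbol names, the address reported in the post, and one non-address
#   ("999.1.1.1") that the octet check must drop.
make_sample_blob() {
    printf '\177ELF\002\001\001\000\000connect\000sendto\000%s\000999.1.1.1\000\377\377' \
        '78.47.139.110' > "$1"
}

# Usage on a live host (assumed invocation):
#   extract_ipv4 /lib64/libkeyutils.so.1.9
#   tcpdump -ni any "$(dns_exfil_filter /etc/resolv.conf)"
```

The tcpdump filter is deliberately broad: it reports any DNS-port traffic that bypasses the configured resolvers, so a host that legitimately talks to other DNS servers will produce noise, but on a web server that should only ever query its resolvers, a hit during an SSH login is exactly the symptom described above.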
The problem has been confirmed on RHEL-based distributions running cPanel, DirectAdmin and Plesk. One vulnerability reported as an entry point for planting the backdoor is CVE-2012-5671, a remote code execution flaw in Exim.
Removing the libkeyutils.so.1.9 file from your server does not really solve anything... The attacker somehow had to gain access to the machine, so without knowing the point of entry and patching it you are still vulnerable. There is no confirmed information about which vulnerability the attackers are using, whether it is an old, known one or a 0day... Since the backdoor captures plain-text credentials during SSH sessions and reinstalled machines were reportedly reinfected from the administrator's side, the passwords and keys used to reach the affected hosts should be treated as compromised and the administrator workstations used to log in should be checked as well.
Source:
http://niebezpiecznik.pl/post/backdoor-udajacy-biblioteke-ssh-sprawdzcie-swoje-systemy-pod-katem-libkeyutils-so-1-9/
This shows that Linux is vulnerable just like any other OS, but also that work is being done to observe, and ultimately fix, any vulnerability.