SSHD RootKit Security Alert
Written by: Will Kruss on 23 February 2013 11:07 AM
The SSHD rootkit affects variants of Linux including Ubuntu, Debian, CentOS, etc. Find more details on VPSBlocks.
SSH RootKit on Linux based machines security alert (updated 23/02/2013)
All variants of Linux including Ubuntu, Debian, CentOS, OpenSUSE, Red Hat
A rootkit has been discovered which leaves a backdoor on the system and gains full root access to Linux based servers.
The infection vector of the rootkit is not yet known; as such, there is NO patch available at this time.
It is recommended to either close SSH access entirely or to only allow your own IP address to connect.
If you use cPanel/WHM, you should turn off the SSHD service.
If you do not use cPanel/WHM and SSHD is your only access to the server, you should restrict it to a specific IP address using iptables.
For help on that please see: http://www.debian-administration.org/articles/87 (this will work on all variants of Linux, not just Debian)
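The iptables restriction recommended above, as an added example (not from the original alert or VPSBlocks): the rules are printed for review first, keep the current session alive so a mistyped address does not lock the administrator out, and are only applied when run as root with a second argument of "apply". The address 203.0.113.10 used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original alert. Restrict SSH (tcp/22) to a
# single administrator IPv4 address with iptables.
# Usage: sh ssh_allowlist.sh 203.0.113.10         (print rules only)
#        sh ssh_allowlist.sh 203.0.113.10 apply   (apply, as root)

SSH_PORT=22

# Reject anything that is not a dotted-quad IPv4 address with octets 0-255:
# a typo here would lock out the administrator along with everyone else.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the rules in the order they must be applied:
#  1. keep already-established SSH sessions (including the one you are
#     typing from) alive, so a wrong address can still be corrected;
#  2. allow new connections from the admin IP only;
#  3. drop every other new SSH connection.
# -I inserts ahead of any existing INPUT rule; -A appends the final DROP.
ssh_allowlist_rules() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
iptables -I INPUT 1 -p tcp --dport $SSH_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -p tcp --dport $SSH_PORT -s $ip -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP
EOF
}

# Apply the generated rules; iptables needs root, so refuse otherwise.
apply_ssh_allowlist() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    ssh_allowlist_rules "$1" | sh -e
}

if [ "${2:-}" = "apply" ]; then
    apply_ssh_allowlist "$1"
elif [ -n "${1:-}" ]; then
    ssh_allowlist_rules "$1"
fi
```

The rules are not persisted across reboots; save them with your distribution's iptables-save mechanism once you have confirmed you can still log in from the allowed address.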
Check for Infection
All users should check to see if they are infected. To do that, run:
wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
If you are found to be infected, this script changes the links back to their original state, although no guarantee is given that it will clean up anything that has been installed after a compromise:
wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash
A reboot of the server is required if infected libraries are found.
For up-to-date detailed information see here:
Currently available information:
Possible adverse impact of the rootkit: