SSHD Spam Rootkit /lib64/libkeyutils.so.1.9

On a few systems we have had the following:

```
CentOS release 6.3 (Final)
md5sum /lib64/libkeyutils.so.1.9
c1f53b3ecb05102d46f1d533fe093529 /lib64/libkeyutils.so.1.9

-rwxr-xr-x 1 root root 34584 Jun 22 2012 /lib64/libkeyutils.so.1.9*

rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package

uname -r: 2.6.32-279.14.1.el6.x86_64.debug
```

–and–

```
CentOS release 6.3 (Final)
md5sum /lib64/libkeyutils.so.1.9
c1f53b3ecb05102d46f1d533fe093529 /lib64/libkeyutils.so.1.9

-rwxr-xr-x 1 root root 34584 Jun 22 2012 /lib64/libkeyutils.so.1.9*

rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package

uname -r: 2.6.32-279.14.1.el6.x86_64.debug
```

What we do know is that so far firewalls have kept them off and out of SSH, so if you have those set up correctly to whitelist only your own addresses, that helps.

As for removal, you will need to delete the libkeyutils.so.1.9 file and restart SSH. This **should** fix the problem.
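A small check script, added here as an example and not part of the original post, that runs the three indicators listed above (file present, md5 equal to the quoted hash, not owned by any RPM package) against a given path and can be re-run after removal. The default path and the hash come from the post; the function names and the md5/md5sum fallback are my own assumptions.

```shell
#!/bin/sh
# Hash quoted in the post for the rogue /lib64/libkeyutils.so.1.9.
KNOWN_BAD_MD5="c1f53b3ecb05102d46f1d533fe093529"

# Print the md5 of a file; uses md5sum (Linux) or md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Return 1 (finding) if the file exists and either carries the known-bad
# hash or is not owned by any RPM package; return 0 (clean or absent)
# otherwise. A one-line verdict is printed on stdout.
check_libkeyutils() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "absent: $path"
        return 0
    fi
    sum=$(file_md5 "$path")
    if [ "$sum" = "$KNOWN_BAD_MD5" ]; then
        echo "FINDING: $path has known-bad md5 $sum"
        return 1
    fi
    # On an RPM-based system a legitimate library is owned by a package;
    # rpm -qf exits non-zero when no package claims the file.
    if command -v rpm >/dev/null 2>&1 && ! rpm -qf "$path" >/dev/null 2>&1; then
        echo "FINDING: $path is not owned by any package"
        return 1
    fi
    echo "clean: $path md5=$sum"
    return 0
}

# Check the path given on the command line, defaulting to the one from the post.
check_libkeyutils "${1:-/lib64/libkeyutils.so.1.9}"
```

Exit status is non-zero on a finding, so the script can be dropped into a cron job or a config-management check.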

**REF:** http://www.webhostingtalk.com/showthread.php?t=1235797
