
I have a CentOS 5.9 i386 server. I contacted cPanel about some issue, and they informed me that my server had been compromised and that /lib64/libkeyutils-1.2.so.2 is the direct indication that the server has been hacked. So, I followed the instructions from here and removed the file, but I think I did not link the libkeyutils with the previous version, so when I restarted SSH, the server denied access with a message, i.e. (Server unexpectedly closed network connection). Now I cannot access my server over SSH. But I can access my server with the KVM console, so I logged into my server to reinstall keyutils, but yum is not working now. It gives me an error, i.e.

Traceback (most recent call last):
  File "/usr/bin/yum", line 4, in ?
    import yum
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 50, in ?
    import config
  File "/usr/lib/python2.4/site-packages/yum/config.py", line 27, in ?
    from parser import ConfigPreProcessor
  File "/usr/lib/python2.4/site-packages/yum/parser.py", line 3, in ?
    import urlgrabber
  File "/usr/lib/python2.4/site-packages/urlgrabber/__init__.py", line 53, in ?
    from grabber import urlgrab, urlopen, urlread
  File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 412, in ?
    import keepalive
  File "/usr/lib/python2.4/site-packages/urlgrabber/keepalive.py", line 339, in ?
    class HTTPSHandler(KeepAliveHandler, urllib2.HTTPSHandler):
AttributeError: 'module' object has no attribute 'HTTPSHandler'

Unfortunately I restarted the server machine (I thought it would configure itself); now Apache cannot be started, and it gives me the following error:

/usr/local/pache/bin/httpd: error while loading shared libraries: 
libkeyutils.so.1: cannot shared object file: No such file or directory

Now, all the sites are down as apache is not up.

I tried to reinstall yum using rpm following the instructions here

Need Help In:

Can I get back the file I removed (which is /lib64/libkeyutils-1.2.so.2)?

How can I install keyutils without yum?

Please help. Thanks

AL̲̳I
    You don't. Nuke the server and be sure the attacker didn't leave something else behind. – Sven Feb 26 '13 at 16:29
  • My server was compromised but they didn't do any harm. I made a mistake and I deleted the **libkeyutils**.... Now I am asking how can I reinstall it without yum??? – AL̲̳I Feb 26 '13 at 16:37
    If your server was compromised, you **can not** be sure they didn't do any harm. – Sven Feb 26 '13 at 16:39
    You can not be sure that there is no other harm, but reading elsewhere it seems that this particular exploit did not do much else. Still, make sure you know what you do :) – Isaac Feb 26 '13 at 16:40
    @Isaac: If this system was truly compromised by this sshd rootkit then the only professional thing to do is nuke it from orbit and reinstall from a known good backup. – user9517 Feb 26 '13 at 16:55
  • And next time you give cPanel technical support your root password, make sure that it's a _temporary_ password and that you change it _again_ after they are done. – Michael Hampton Feb 26 '13 at 21:30

1 Answer


If you did not have the compromised libkeyutils.so.1.9 library on your system then you can download the CentOS 5.9 rpm for the libs from here or use wget to get it. Once you've done this use

rpm -Fvh keyutils-libs-1.2-1.el5.i386.rpm

to install it.

If you did have the compromised libkeyutils.so.1.9 library then you really should wipe it and reinstall from a known good backup.

user9517
  • Thanks for your answer. I did that but it says package keyutils-1.2-1.el5.i386 is already installed.. Can I remove it and reinstall it again? Will it be ok? Thanks – AL̲̳I Feb 26 '13 at 20:12
  • @Ali Add `--replacefiles --replacepkgs` – Michael Hampton Feb 26 '13 at 20:21
  • Oh, and @Iain, he _did_ have the malware on his system. `libkeyutils-1.2.so.2` was the name used on EL5 systems, while `libkeyutils.so.1.9` was used on EL6 systems. – Michael Hampton Feb 26 '13 at 20:22
  • @MichaelHampton: Thanks for your help.... I ran the following command and it worked.. `rpm -Uvh --replacefiles --replacepkgs http://mirror.centos.org/centos/5/os/i386/CentOS/elfutils-libs-0.137-3.el5.i386.rpm` – AL̲̳I Feb 26 '13 at 20:54
  • @MichaelHampton: cheers :) – user9517 Feb 26 '13 at 21:11
  • One more thing... Can I reload the OS and reinstall it using **KVM console** or do I need to ask the data center to do it for me??? – AL̲̳I Feb 28 '13 at 09:47
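As an added example (not from the question, answer or comments above), a POSIX shell script that scans /lib and /lib64 for the two indicator filenames named in the comments (libkeyutils-1.2.so.2 on EL5, libkeyutils.so.1.9 on EL6) and for libkeyutils files that no installed rpm owns, and that performs the reinstall the answer and comments describe, checking the package signature first. The package name keyutils-libs, the rpm filename, and an already imported CentOS signing key are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumptions: CentOS 5 i386, the
# package is keyutils-libs, the rpm was downloaded by hand, and the CentOS
# GPG key is already imported so that `rpm -K` can verify it.

# The two filenames this page names as rootkit indicators.
# Returns 0 (true) when NAME is one of them.
is_indicator_name() {
    case "$1" in
        libkeyutils-1.2.so.2|libkeyutils.so.1.9) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each libkeyutils* file under DIR that is an indicator name, or that
# no installed package claims (`rpm -qf` fails). The rpm check is skipped
# where rpm is not installed, so the indicator check still works anywhere.
scan_libkeyutils() {
    dir="$1"
    for f in "$dir"/libkeyutils*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if is_indicator_name "$name"; then
            echo "INDICATOR $f"
        elif command -v rpm >/dev/null 2>&1 && ! rpm -qf "$f" >/dev/null 2>&1; then
            echo "UNOWNED $f"
        fi
    done
}

# Reinstall keyutils-libs from the rpm at PKG, as the comments describe
# (--replacefiles --replacepkgs), refusing a package whose signature does
# not verify, then confirm the package files match and the soname resolves.
reinstall_keyutils_libs() {
    pkg="$1"
    rpm -K "$pkg" || { echo "signature check failed for $pkg" >&2; return 1; }
    rpm -Uvh --replacefiles --replacepkgs "$pkg"
    rpm -V keyutils-libs        # prints nothing when every file is intact
    ldconfig -p | grep -q 'libkeyutils.so.1 ' \
        || { echo "libkeyutils.so.1 still not resolvable" >&2; return 1; }
}

# Usage: ./keyutils-check.sh --scan  |  ./keyutils-check.sh <path-to-rpm>
if [ "${1:-}" = "--scan" ]; then
    scan_libkeyutils /lib; scan_libkeyutils /lib64
elif [ -n "${1:-}" ]; then
    reinstall_keyutils_libs "$1"
fi
```

Run `--scan` first; a file reported as INDICATOR means the server should be treated as compromised, as the comments say, rather than merely repaired.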