[VoiceOps] Fwd: [Sheflug] Zero-day rootkit?

Gavin Henry ghenry at suretec.co.uk
Thu Feb 21 16:46:25 EST 2013

Hi all,

Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that
are built on Linux kernels?


---------- Forwarded message ----------
From: Chris J <cej at nightwolf.org.uk>
Date: 21 February 2013 19:25
Subject: [Sheflug] Zero-day rootkit?
To: sheflug at sheflug.org.uk

Just a heads-up in case it's not been seen. The last couple of days I've
seen blogs and forums light up with news of an active zero-day attack - the
actual attack vector is currently not known, which makes this more worrying
than most. Some folk are placing the blame on SSH, others on cPanel, but
really, no-one currently knows.

Typically it's been Redhat or CentOS machines affected, although I've seen
(unconfirmed) anecdotes on forums that Debian has also been affected.

You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on
your box, most likely under /lib (but could be elsewhere). The latest
"good" version of this file is 1.3...

It's also curious that most of the talk is on forums. I haven't seen
anything from the distributions about this.

Relevent links and more info:

A google for libkeyutils.so.1.9 brings back other various forums, etc...

Don't know if anyone's got more solid information on this?



 Chris Johnson :: cej at nightwolf.org.uk :: PGP 0xBC618B81
               :: http://cej.nightwolf.org.uk/

Sheffield Linux User's Group
FAQ at: http://www.sheflug.org.uk/mailfaq.html

GNU - The Choice of a Complete Generation

Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry at suretec.co.uk

Open Source. Open Solutions(tm).


Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
Aberdeenshire, AB51 8GL.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Do you know we have our own VoIP provider called SureVoIP? See

Did you see our API? http://www.surevoip.co.uk/api

More information about the VoiceOps mailing list