This tutorial shows how to find out whether you have been rooted.
# ls -la /lib64/libkeyutils.so.1.9
# rpm -qf /lib64/libkeyutils.so.1.9
# ls -la /lib/libkeyutils.so.1.9
# rpm -qf /lib/libkeyutils.so.1.9
Those files should not exist.
or:
# updatedb && locate libkeyutils.so.1.9
There should be no output:
[rootl@localhost ~]# updatedb && locate libkeyutils.so.1.9
Password:
[rootl@localhost ~]#
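The two file checks above can be scripted so they run the same way on every host. This is an added example, not part of the original tutorial; the function name and the optional root-directory argument (for checking a mounted disk image or a test tree instead of the live system) are assumptions.

```shell
#!/bin/sh
# Added example: automates the existence and package-ownership checks
# for the two paths this tutorial lists. Not from the original page.

SUSPECT_PATHS="/lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9"

# check_keyutils [ROOT]
#   ROOT is a hypothetical prefix (e.g. a mounted image); empty means the live system.
#   Prints one line per suspect file found; returns 1 if any exists, 0 otherwise.
check_keyutils() {
    root="${1:-}"
    found=0
    for p in $SUSPECT_PATHS; do
        f="$root$p"
        # -e follows symlinks; -L also catches a dangling symlink with that name
        if [ -e "$f" ] || [ -L "$f" ]; then
            found=1
            owner="not checked"
            # The RPM database only describes the live system, so skip it for a ROOT prefix
            if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
                owner=$(rpm -qf "$f" 2>&1) || owner="not owned by any package"
            fi
            echo "FOUND $f (rpm: $owner)"
        fi
    done
    return "$found"
}
```

Source the file and run `check_keyutils` as root; a clean host prints nothing and returns 0.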
Backdoor analysis – is it a 0day attack?
One Reddit user analyzed the file and found an encoded IP address in it:
# ./audit libkeyutils.so.1.9 output
# strings output | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
192.168.1.2
If you get the above output, that means your server is compromised.