| Source | Link |
|---|---|
| webhostingtalk | www.webhostingtalk.com/showthread.php |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| webhostingtalk | www.webhostingtalk.com/showpost.php |
#TRUSTED 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
#TRUST-RSA-SHA256 03bcf0d574809e3fcdfa78740cf3b83a3472b304589f097615d87f41734230c56bedf1bd6b6934c465c56247107f68b718842f04ab88f3743f5f5cee960b547e24e45e2cec1756f1413d38cf9122ecdccd3740bf0e2ec3287f168041edd699e3e62e8b6d1b112c4d7a25a36c92e856a9e7b78f29258919126e2c7a6f6ed8c67ea32259182819697941a9d68f11d54df30218fbb5fdd50bac38687eb53d08286163c5b7b536a58835df7bcf6204c97dfaa5de5ae7c3835e83142377414cb0edfd6902e1e9400e5f35e23d6f1343a8aed6410883bc2a5aaa8c43749c9c98514d117f8b017a0377ccbc3f1275cf6d627e337326b2cca7c7c0cba54033cba98f7cdc173258f4df596ab9bfbf4d92dbda952a2fdc74db7af9354d401d384c020afe5b1db0271d7bcf5884a281d3d074f4faab260ea7453f1d9ce1ffe5868faba4de15c7902d4c5d11d4f8505861862226044a0bc241637dd81bc1424f933eabc80287ded808a3d9047af8d3511aebcef80d3de427809ac17d3a92cb2d80bafad7a262c1a55f0481287c828706eed21472fad1363facdbdf7b12a5b289f36f148ed6c22863ca1f1c4324062b8596ee92f3fff30cae7200d99060fdf133ee2d3d5351e3e5211153b45602ec967162b76de96510df4f83848320930031520aaa02debc8944a54c8465f052f11f9279848c072e9b4a89823926bc0259b5925c58f6b84dca
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
# Metadata block: when 'description' is set the script only registers its
# attributes and exits below, so none of the detection logic after this
# block runs in that mode.
script_id(64913);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/21");
script_name(english:"SSHD libkeyutils Backdoor");
script_summary(english:"Checks for evidence of a libkeyutils library being trojaned");
script_set_attribute(
attribute:"synopsis",
value:"The remote host may be compromised."
);
script_set_attribute(
attribute:"description",
value:
"The remote host appears to contain a trojaned libkeyutils library. The
trojaned library links to SSHD, steals credentials, and sends spam."
);
# References; the nessus.org/u shortlinks resolve to the URLs in the comments
# above each of them.
script_set_attribute(attribute:"see_also", value:"http://www.webhostingtalk.com/showthread.php?t=1235797");
# http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f62cb60d");
# http://contagiodump.blogspot.com/2013/02/linuxcentos-sshd-spam-exploit.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b03816df");
# https://isc.sans.edu/diary/SSHD%20rootkit%20in%20the%20wild/15229
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4958f5dd");
script_set_attribute(attribute:"see_also", value:"http://www.webhostingtalk.com/showpost.php?p=8563741&postcount=284");
script_set_attribute(
attribute:"solution",
value:
"Verify whether or not the system has been compromised. Restore from
known good backups and investigate the network for further signs of a
compromise, if necessary."
);
# Scored by hand (cvss_score_source "manual") because, per the rationale
# below, no CVE exists for this backdoor.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_attribute(attribute:"cvss_score_source", value:"manual");
script_set_attribute(attribute:"cvss_score_rationale", value:"No CVE available for this vulnerability.");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/27");
script_set_attribute(attribute:"agent", value:"unix");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"General");
script_copyright(english:"This script is Copyright (C) 2013-2026 Tenable Network Security, Inc.");
# The check needs command execution on the host, hence the dependency on
# ssh_get_info.nasl and the local-checks KB key required below.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("telnet_func.inc");
include("ssh_func.inc");
include("hostlevel_funcs.inc");
include("local_detection_nix.inc");
enable_ssh_wrappers();
# Everything below runs commands on the target (rpm, grep), so stop early
# unless the scan was given local (SSH or localhost) access.
if (!get_kb_item("Host/local_checks_enabled"))
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var rpm_list, key, keyutils_rpms, line, fields, rpm, affected_files, rpm_verify, report;
var s, rpm_cmd, rpm_output, output_lines, match, file, encoded_ip, cmd, results;

# public reports indicate only RPM-based distros have been infected;
# only the first rpm-list KB entry is consulted
rpm_list = get_kb_list_or_exit('Host/*/rpm-list');
rpm_list = make_list(rpm_list);
rpm_list = split(rpm_list[0], sep:'\n', keep:FALSE);

# collect the installed keyutils-libs packages (each rpm-list entry is
# '|'-separated with the package name first)
keyutils_rpms = make_list();
foreach line (rpm_list)
{
  fields = split(line, sep:'|', keep:FALSE);
  rpm = fields[0];
  if (!(rpm =~ "^keyutils-libs-\d")) continue;
  keyutils_rpms = make_list(keyutils_rpms, rpm);
}

if (max_index(keyutils_rpms) == 0)
  audit(AUDIT_NOT_INST, 'keyutils-libs');
# initialization required for using run_cmd_template_wrapper():
# remote targets need an SSH session, localhost needs pread()
if (!islocalhost())
{
  sock_g = ssh_open_connection();
  if (!sock_g) audit(AUDIT_FN_FAIL, 'ssh_open_connection');
  info_t = INFO_SSH;
}
else
{
  if (!defined_func("pread")) audit(AUDIT_FN_UNDEF, 'pread');
  info_t = INFO_LOCAL;
}
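affected_files = make_array();
rpm_verify = make_array();

# 78.47.139.110 with every byte XOR'd against 0x81. Double-quoted so the
# literal "\xNN" escapes survive NASL string handling and reach grep, whose
# -P mode decodes them into raw bytes. Loop-invariant, so it is built once.
encoded_ip = "\xb6\xb9\xaf\xb5\xb6\xaf\xb0\xb2\xb8\xaf\xb0\xb0\xb1";

foreach rpm (keyutils_rpms)
{
  # verify the files in the rpm package
  rpm_cmd = '/bin/rpm -Vv \'$1$\'';
  rpm_output = ldnix::run_cmd_template_wrapper(template:rpm_cmd, args:[rpm]);
  output_lines = split(rpm_output, sep:'\n', keep:FALSE);

  foreach line (output_lines)
  {
    # only libkeyutils libraries whose size (S) and digest (5) both differ
    # from the package are of interest
    match = eregmatch(string:line, pattern:"^S.5......\s+(/lib(64)?/libkeyutils.+)$");
    file = match[1];
    if (isnull(file)) continue;

    # if so, check if the file contains the encoded IP address associated with this backdoor.
    # LC_ALL=C keeps grep matching raw bytes; in a UTF-8 locale -P may treat
    # \xb6 as code point U+00B6 instead (NOTE(review): confirm against the
    # grep versions shipped by affected distros).
    # "> /dev/null 2>&1" replaces the bash-only "&>": under a POSIX /bin/sh
    # "&>" backgrounds grep and $? becomes the status of the bare redirection
    # (always 0), which would flag every modified file as a finding.
    cmd = "LC_ALL=C /bin/grep -P '" + encoded_ip + "' '$1$' > /dev/null 2>&1 ; /bin/echo $?";
    results = ldnix::run_cmd_template_wrapper(template:cmd, args:[file]);

    if (chomp(results) == '0') # avoid false negatives by checking the exit status
    {
      affected_files[file] = cmd;
      # key by the expanded command: the '$1$' template form is identical for
      # every package, so it would collapse all packages onto one key and
      # keep only the last package's output
      rpm_verify['/bin/rpm -Vv \'' + rpm + '\''] = rpm_output;
    }
  }
}

ssh_close_connection();

if (max_index(keys(affected_files)) == 0)
  audit(AUDIT_HOST_NOT, 'affected');

if (report_verbosity > 0)
{
  if (max_index(keys(affected_files)) == 1)
    s = ' appears';
  else
    s = 's appear';

  report =
    '\nThe following file' + s + ' to contain backdoor code :\n\n' +
    join(sort(keys(affected_files)), sep:'\n') + '\n\n' +
    'This was determined by verifying any libkeyutils RPM packages :\n\n';

  # show each package's verification command next to its own output rather
  # than only the output of the last package examined
  foreach key (sort(keys(rpm_verify)))
    report += key + '\n\n' + rpm_verify[key] + '\n';

  report +=
    'And checking if any modified library files contain a string which\n' +
    'can be decoded to "78.47.139.110" (an IP address associated with the\n' +
    'backdoor) :\n\n';

  foreach key (sort(keys(affected_files)))
    report += affected_files[key] + '\n';

  security_hole(port:0, extra:report);
}
else security_hole(0);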