[UCI-Linux] sshd rootkit in the wild

Mike Iglesias iglesias at uci.edu
Fri Feb 22 09:09:40 PST 2013

SANS is reporting that there's a sshd rootkit in the wild that looks pretty
nasty.  If you're running a system with sshd (especially if it's open at the
border), you'll want to make sure your system has not been affected.
Unfortunately at this time there's no information on the initial attack
vector, so looking for a modified libkeyutils library is the only way to tell
if you've been compromised.  Note that this is mainly hitting RPM-based Linux
distributions, but you should check your system anyway.

More information here:


Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270

More information about the UCI-Linux mailing list