The third day in the web has been a mass hacking servers based on Linux
There is a suspicion that the attack is made through unpatched 0-day vulnerability in one of the available network services.
Of compromised systems are marked servers based on CentOS and other distributions on the basis of packet-base RHEL 5 and 6, which are installed all available updates. Many compromised systems use control panel, cPanel, DirectAdmin, ISP config and Plesk, but it is not clear whether they can be a source of penetration.
As a result of the attack in an unknown way the system appears file / lib64/libkeyutils.so.1.9 (for 32-bit Systems / lib/libkeyutils.so.1.9). After cracking process begins to set sshd suspicious connections: at the entrance to the compromised server to ssh, using UDP sends the data entered username and password on port 53 of the external host. In addition, the server is hosted code to participate in the botnet used to send spam, and possibly to carry out further attacks.
It is unlikely that the attack vector associated with the recent discussion of vulnerabilities in Linux kernel (CVE-2013-0871), among others identified cases of hacking isolated environment, built on the basis of distribution CloudLinux enabled CageFS (using CageFS unlikely exploiting vulnerabilities in the kernel for privilege escalation ). Of the attacked server systems are also marked with the kernel update ksplice and servers sshd on non-standard port. Associated with breaking activity was cleaned from the log, but one of the users managed by snoopy analyze the attacker who installed a backdoor and clean the logs.
For revealing the fact of breaking your system is sufficient to verify the presence of the library / lib64/libkeyutils.so.1.9, not associated with any of the installed package (for 64-bit Systems: ls-la / lib64/libkeyutils.so.1.9; rpm-qf / lib64 / libkeyutils.so.1.9, for 32-bit: ls-la / lib/libkeyutils.so.1.9; rpm-qf / lib/libkeyutils.so.1.9).