

SSH cannot start after bug fix, server failing




Posted by otamendi, 02-15-2013, 10:04 PM
Hi, our ISP sent out an email with instructions to avoid a bug, but after following them an error shows and our customers are unable to use WEBMAIL (it shows this error: No response from subprocess (php) with exit signal: 127).

In the email our ISP recommended:

1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1 libkeyutils.so.1.3
6. Restart ssh
7. yum update kernel and reboot to close any active connections

But in the sixth step I get this error:

root@server [/lib64]# /etc/init.d/sshd restart
Stopping sshd: [FAILED]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory [FAILED]

Please help, how can I fix it? I am running CentOS 64 bit.

Posted by net, 02-15-2013, 10:18 PM
Moved > Hosting Security and Technology .

Posted by Steven, 02-15-2013, 11:11 PM
yum -y reinstall keyutils-libs

Posted by mattmackman, 02-16-2013, 12:48 AM
yum and wget will not work if libkeyutils.so.1 is not there, so download the already installed version of keyutils-libs RPM using lwp-download or other commands and install it.

Posted by otamendi, 02-16-2013, 12:53 AM
Thanks a lot, our hosting provider (Hivelocity) told us the same thing (that yum would not work) and they have fixed the problem. Thanks.

Posted by Steven, 02-16-2013, 12:55 AM
I think the key step that is missing is ldconfig.

Posted by unSpawn, 02-16-2013, 02:45 PM
I should point out the overarching problem here: replacing root-owned items in a root-owned directory means the perp had root rights already. Trying to "fix things" by removing the offending library may mitigate symptoms but it does not address the cause. See the standard literature on the 'net on how to deal with a breach of security properly (the SANS Reading Room for example) or, since it is a root compromise, draw the only logical conclusion possible.

Posted by Steven, 02-16-2013, 03:27 PM
Agreed. I tried to make that statement with Hivelocity, who released those instructions.

Posted by TravisT-[SSS], 02-16-2013, 11:41 PM
This. We told every client that they would need to be moved to a new server and so far everyone with this issue was moved off as we warned them sternly that their current server was hacked. As a warning to anyone who reads this, move to a new server.
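
Added example, not part of any post in this thread: a shell check for the state the original poster ended up in, where libkeyutils.so.1 no longer resolves to a file, plus an RPM ownership check of whatever it does resolve to. The function names are hypothetical, and the rpm step assumes an RPM-based host such as the CentOS server discussed here.

```shell
#!/bin/sh
# check_soname DIR SONAME
# Prints one status word; returns 0 only if DIR/SONAME resolves to a regular file.
check_soname() {
    path="$1/$2"
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling"; return 1        # symlink whose target does not exist
    elif [ ! -e "$path" ]; then
        echo "missing"; return 1         # what the dynamic loader reported for sshd
    elif [ ! -f "$path" ]; then
        echo "not-a-file"; return 1      # -f follows symlinks
    fi
    echo "ok"
}

# list_dangling DIR PREFIX
# Prints "name -> target" for every broken symlink in DIR whose name starts with PREFIX.
# A reversed "ln -s" (link name given where the target belongs) shows up here.
list_dangling() {
    for link in "$1"/"$2"*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf '%s -> %s\n' "${link##*/}" "$(readlink "$link")"
        fi
    done
}

# package_verdict FILE
# Asks the RPM database which package owns FILE and whether that package verifies.
# On a host where root was compromised, rpm and its database may be tampered with too,
# so a "verified" answer from the suspect system itself is not proof of a clean file.
package_verdict() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; return 2; }
    pkg=$(rpm -qf "$1" 2>/dev/null) || { echo "unowned"; return 1; }
    if rpm -V "$pkg" >/dev/null 2>&1; then
        echo "verified:$pkg"
    else
        echo "modified:$pkg"
    fi
}

# Usage when run directly, e.g.: sh check_lib.sh /lib64 libkeyutils.so.1
if [ "$#" -eq 2 ]; then
    check_soname "$1" "$2"
    list_dangling "$1" "$2"
fi
```

An "unowned" or "modified" result on a library in /lib64 is a reason to treat the host as compromised, in line with the advice in the posts above.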


