libkeyutils.so.1: cannot open shared object file: no such file or directory on centos 6 x64 – Resolution

Today one of my VPS customers got the following error: libkeyutils.so.1: cannot open shared object file: no such file or directory on CentOS 6.

He was not able to log in over SSH; sshd kept refusing him with the message: connection to ssh refused.

While inspecting his VPS from the node panel I found that the server had been hacked: the hacker removed libkeyutils.so.1 and libkeyutils.so.1.3, both of which were missing from the /lib64 directory. The hacker simply deleted them.
Please note that these files are necessary and are used by the programs that handle inbound/outbound connections (sshd, wget), so if they are missing or corrupted your server cannot connect to other computers.

The following is the solution to this issue:

Log in to your main node over SSH, or to your VPS through the SSH console provided by your VPS provider.

Now go to the /lib64 directory and check whether the libkeyutils.so.1 and libkeyutils.so.1.3 files are there. If they are, delete them: libkeyutils.so.1 is a symbolic link to libkeyutils.so.1.3, and you should delete both of them with:

rm -f /lib64/libkeyutils.so.1 /lib64/libkeyutils.so.1.3

Now download the RPM that provides libkeyutils.so.1 from a CentOS mirror:

wget ftp://ftp.muug.mb.ca/mirror/centos/6.4/os/x86_64/Packages/keyutils-libs-1.4-4.el6.x86_64.rpm

Please note that this is the step where you might need assistance from your VPS provider: ask them to place this RPM in your /lib64 directory, because you cannot download it yourself. wget also does not work without the libkeyutils.so.1 file.

Once the RPM package is in place, execute the following command in the /lib64 directory:

rpm -ivh --replacefiles --replacepkgs keyutils-libs-1.4-4.el6.x86_64.rpm

This reinstalls the package's library files (and any other files it owns). Now restart SSH with:

service sshd restart

and reboot your server:

reboot
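As an added check (not from the original post), this shell function verifies that /lib64/libkeyutils.so.1 is present, is a symlink to a libkeyutils.so.1.N file in the same directory and, when rpm is available, that the keyutils-libs package still verifies cleanly. The demo at the end runs against a constructed stand-in directory, not the real /lib64.

```shell
#!/bin/sh
# Verify the keyutils library that sshd and wget on CentOS 6 depend on.
# Usage: check_keyutils [LIBDIR]   (LIBDIR defaults to /lib64)
# Exit status: 0 = present and consistent, 1 = missing or suspicious.
check_keyutils() {
    libdir="${1:-/lib64}"
    link="$libdir/libkeyutils.so.1"

    # Failure mode from the incident above: link and target both deleted.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "MISSING: $link"; return 1
    fi
    # The loader name must be a symlink, not a regular file dropped in place.
    if [ ! -L "$link" ]; then
        echo "SUSPICIOUS: $link is a regular file, not a symlink"; return 1
    fi
    target=$(readlink "$link")
    case "$target" in
        */*) resolved="$target" ;;            # absolute or relative path
        *)   resolved="$libdir/$target" ;;    # bare filename, same directory
    esac
    # Expect the packaged naming scheme libkeyutils.so.1.N.
    case "$(basename "$target")" in
        libkeyutils.so.1.*) ;;
        *) echo "SUSPICIOUS: $link -> $target"; return 1 ;;
    esac
    if [ ! -f "$resolved" ]; then
        echo "MISSING: $resolved (dangling symlink)"; return 1
    fi
    # On the real library directory, let rpm compare size/digest/mode
    # against the installed keyutils-libs package.
    if [ "$libdir" = /lib64 ] && command -v rpm >/dev/null 2>&1; then
        rpm -V keyutils-libs || { echo "TAMPERED: rpm -V keyutils-libs failed (modified or not installed)"; return 1; }
    fi
    echo "OK: $link -> $target"
}

# Demo on a constructed directory (not /lib64): healthy first, then deleted.
demo=$(mktemp -d)
: > "$demo/libkeyutils.so.1.3"                     # stand-in for the library
ln -s libkeyutils.so.1.3 "$demo/libkeyutils.so.1"
check_keyutils "$demo"                             # OK
rm -f "$demo/libkeyutils.so.1" "$demo/libkeyutils.so.1.3"
check_keyutils "$demo" || true                     # MISSING, as in the incident
rmdir "$demo"
```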

Suggestion: install ConfigServer Security & Firewall (CSF) as soon as you have SSH access back, so that your VPS does not get hacked again; it takes only 2 minutes:

http://configserver.com/free/csf/install.txt

Disable symlinks on Linux WHM/cPanel

Disabling symlinks is not a tough task on WHM/cPanel based servers, but you might not find the proper way to do it; here is the quick procedure for disabling symlinks.

Why is disabling symlinks necessary for non-root users?

Gaining access to other accounts hosted on cPanel/WHM servers is done through symbolic links: hackers usually create symbolic links in a hacked account pointing at files hosted in other accounts, so those accounts become accessible through the links. To deal with this issue the system administrator should disable symbolic link creation for non-root users.

  • Log in to the WHM/cPanel server via SSH with root access.
  • Execute the following commands:
  • $ wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
  • $ chmod 700 /scripts/before_apache_make
  • Then recompile Apache with your previously saved profile:
  • $ /scripts/easyapache

That is all. You can also check for any symbolic links already created:

  • $ find /home*/*/public_html -type l

    This lists the directories and files that are symlinked.

Have fun!

How to deal with hackers on a web server? Symlinks solution

Nowadays hacking has become more common, most web hosting companies are being targeted, and there is no proper solution to prevent it or to make your server 100% secure.

As a web hosting provider, we always try to secure our servers from hackers; sometimes it works and sometimes we fail.

Today I want to describe some commands for Linux WHM/cPanel based servers that make your server more secure: not 100%, but they work out of the box. I use these commands not to prevent the server from being hacked, but because they are very useful and do not allow hackers to do anything on the server with other accounts.

I assume you are already familiar with the symlinks that are auto-created on Linux based servers; they allow hackers to link to the directories/files of other accounts, so they can access the other cPanel accounts on the server.

If you disable symlinks on the server, hackers cannot hack into your server, or if they do manage to hack one account, the other accounts remain safe and are not affected.

Well, disabling symlinks is not the proper solution either, and it also breaks the functionality of some scripts on the server like Joomla and WordPress.

Here I would like to describe some Linux commands that are used to prevent the creation of new symlinks in the root directory of an account, which on cPanel is public_html.

Follow these steps:

  • Log in to your server via SSH with root access.
  • First check whether there are symlinks already created on the server.
  • Execute the following command for cPanel:
  • # find /home*/*/public_html -type l
  • The above command displays all symlinks created in public_html and its subdirectories for all cPanel accounts, if there are any.
  • Now add a cron job that checks for symlinks and removes them if found. You can set any interval; in the command below it runs every five minutes.
  • The command checks for and removes all symlinks inside the public_html directory and its subdirectories.
  • Execute the following command to add the cron job:
  • # crontab -e
  • The crontab file opens in the default text editor.
  • Go to the last line and add the command below:
  • */5 * * * * find /home*/*/public_html -type l -exec rm -rfv {} \;
  • Now save your crontab file to make it active.
  • And you're done: this checks for symlinks inside the public_html directory and removes them if found.
  • TIP: you can change the directory for other control panels by replacing /home*/*/public_html.
  • Note: do not run this command on system directories; your server will be destroyed and become unstable.
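The find commands in this post and in the symlink post above list every symlink under public_html, and the cron job deletes them all, which also removes the legitimate links some scripts rely on. As an added example (not from the original posts), the following script reports only the symlinks whose target resolves outside the owning account's home directory, which is the cross-account case being defended against; it assumes the cPanel layout /home/ACCOUNT/public_html and GNU readlink -f.

```shell
#!/bin/sh
# Report symlinks under each account's public_html whose target resolves
# outside that account's home directory (the cross-account case). Links
# that stay inside the account (common in WordPress/Joomla installs) are
# left alone, so this is safer than deleting every symlink via cron.
# Usage: audit_symlinks [HOME_ROOT]   (defaults to /home; needs GNU readlink -f)
# Exit status: 0 = nothing cross-account, 1 = at least one link to review.

cross_account_links() {
    home_root="${1:-/home}"
    for acct_home in "$home_root"/*; do
        [ -d "$acct_home/public_html" ] || continue
        acct_real=$(readlink -f "$acct_home")
        # -exec sh -c keeps file names with spaces intact; $0 is the home dir.
        find "$acct_home/public_html" -type l -exec sh -c '
            for link; do
                target=$(readlink -f "$link" 2>/dev/null || readlink "$link")
                case "$target" in
                    "$0"|"$0"/*) ;;   # inside this account: fine
                    *) printf "CROSS-ACCOUNT %s -> %s\n" "$link" "$target" ;;
                esac
            done' "$acct_real" {} +
    done
}

audit_symlinks() {
    hits=$(cross_account_links "$1")
    if [ -z "$hits" ]; then
        echo "no cross-account symlinks under ${1:-/home}"
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Run as: sh audit_symlinks.sh /home
if [ $# -gt 0 ]; then audit_symlinks "$1"; fi
```

Nothing is deleted; review the reported links and remove them by hand, or feed the output to your own cleanup step.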

That is all; comments are welcome :) if it works for you.

How to recover a hacked WordPress blog

Well, hacking WordPress blogs has become easier and more popular, and I see many blogs being hacked by noobs nowadays.
Last night our server was attacked by those noobs and all of our WordPress blogs (old versions) were injected with code saying "hacked by bla bla".

What did they do to WordPress?

1. They injected their code into the blog's database and changed the admin password and email address to take over admin access to the backend, so the administrator cannot retrieve the lost password and get access back.

2. They injected code into the template file named "index.php" saying "hacked by bla bla".

Here is the quick solution to fix both of them.
Get admin access back:

1. First of all you need to get admin access back. Log in to phpMyAdmin from cPanel and navigate to the WordPress database (see the snapshot below):


2. Now select the users table and choose the row that contains the admin details (see the snapshot below):


3. Edit the row, change the email address to your new working email address, and save it.


4. Now go to http://yourdomain.com/wp-admin and use the forgot password link to reset your password.

You will get a password reset confirmation email; follow the steps given in that email.
How to remove the hacker's message "Hacked by bla bla"

1. Log in to FTP or the cPanel File Manager and navigate to your WordPress template files located in public_html/wp-content/themes/templatename

2. Replace the index.php file with the original template's index.php file. You should have this template file, or re-download it. That is done.

Your blog is back now; next I will tell you how to secure your blog from hackers.

Secure your WordPress blog:

1. Keep your WordPress blog up to date.
2. Install the following plugins:

  1. Sucuri Free
  2. Exploit Scanner
  3. Block bad queries
  4. Anti malware shield

3. Do not install nulled/cracked plugins and templates.
4. Check your hosting account for malicious files and folders, possibly shells, and remove them.
5. Check template files for malicious code and base64 code and remove it.
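Steps 4 and 5 are easier with a first pass that narrows the files to look at. As an added example (not from the original post), this script lists theme and plugin PHP files containing the obfuscation primitives typical of injected code (eval of base64-decoded strings, gzinflate/str_rot13 wrappers, the preg_replace /e modifier, long base64 runs) plus any .php file under uploads, where no PHP belongs; the patterns are a starting point to tune, not a complete malware signature set.

```shell
#!/bin/sh
# List PHP files in a WordPress install that deserve a manual look:
# theme/plugin files with common obfuscation primitives, and any .php
# under wp-content/uploads. Nothing is deleted; review the hits yourself.
# Usage: scan_wp_php [WP_ROOT]   (defaults to the current directory)
# Exit status: 0 = no hits, 1 = at least one file to review.

# Extended regex: eval/base64_decode/gzinflate/str_rot13 calls, the
# preg_replace /e modifier, or a base64-looking run of 200+ characters.
SUSPICIOUS_RE="eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e['\"]|[A-Za-z0-9+/]{200,}"

suspicious_php_files() {
    root="${1:-.}"
    # Themes/plugins: report files whose content matches the regex.
    find "$root/wp-content/themes" "$root/wp-content/plugins" \
        -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null
    # Uploads: report by location alone, since PHP should never live there.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

scan_wp_php() {
    hits=$(suspicious_php_files "$1")
    if [ -z "$hits" ]; then
        echo "no suspicious PHP files under ${1:-.}"
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Run as: sh scan_wp_php.sh /home/account/public_html
if [ $# -gt 0 ]; then scan_wp_php "$1"; fi
```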

For more information on securing a WordPress blog, google it; you will find various methods.

Scan your website for malware and malicious scripts

I am going to describe a way to scan your website for malware and malicious scripts.

If your website is blacklisted by some search engines or virus scanners, or a web browser shows a malware warning when visiting your website, here is the solution: you can scan your whole website online. It gives you 100% accurate scan results within seconds, and afterwards you can remove those malware pages or code from your website.

Here is the URL:

http://sitecheck.sucuri.net

If you are not able to remove the malware/malicious code from your website, I can provide professional services at an affordable price.

Give your feedback 🙂

How to secure a DNS server

In this quick tutorial I will discuss how to secure your DNS server (BIND 9); by applying the following techniques you will increase your DNS server's security against unwanted recursive lookups.

  • First of all you need to know the two IP addresses of your DNS servers; to find them, open the file /etc/nameserverips, where you will find the two DNS IPs.

# tail /etc/nameserverips

  • Now open /etc/named.conf:

# nano /etc/named.conf

  • Look for the line:

options {

  • Add the following lines above it:

acl "trusted" {
x.x.x.x;
y.y.y.y;
};

  • Where x.x.x.x and y.y.y.y are your DNS servers' IPs.
  • Now look for the line:
  • // query-source address * port 53;
  • Below it, insert the following lines:

version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
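Added check, not from the original post: a small shell function that reads a named.conf and reports whether allow-recursion is restricted to an acl as configured above, wide open (any or 0.0.0.0/0), or absent; it strips the // comment line shown above and copes with clauses that span several lines. Run it after editing and before `service named restart`.

```shell
#!/bin/sh
# Check the recursion policy in a BIND named.conf: is allow-recursion
# limited to an acl (as configured above), wide open, or absent?
# Usage: recursion_policy /etc/named.conf
# Exit status: 0 = restricted or recursion disabled, 1 = needs attention.
recursion_policy() {
    conf="$1"
    # Drop // and # comments, then flatten so clauses can span lines.
    flat=$(sed -e 's,//.*$,,' -e 's,#.*$,,' "$conf" | tr '\n' ' ')

    if printf '%s' "$flat" | grep -qE 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo "closed: recursion no"; return 0
    fi
    # Body of the (last) allow-recursion { ... } clause, if any.
    clause=$(printf '%s' "$flat" \
        | sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p')
    if [ -z "$clause" ]; then
        echo "missing: no allow-recursion clause; add one with a trusted acl"
        return 1
    fi
    # "any" as a whole token (so an acl named e.g. "company" is not flagged).
    if printf '%s' "$clause" \
        | grep -qE '(^|[^[:alnum:]_-])(any|0\.0\.0\.0/0)[[:space:]]*;'; then
        echo "open: allow-recursion {$clause}"; return 1
    fi
    echo "restricted: allow-recursion {$clause}"
}

# Run as: sh recursion_policy.sh /etc/named.conf
if [ $# -gt 0 ]; then recursion_policy "$1"; fi
```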