HOW TO FIND OUT IF YOU HAVE BEEN ROOTED:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9
If you find the file and RPM shows “is not owned by any package” you have been rooted.
Currently known affected OSes: RHEL-based servers
Currently known effected control panels: cPanel, DirectAdmin, and Plesk
we do not know if controls panels are the reason or not.
Servers with ksplice have been exploited
via 0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 | Security, Server Tweaking, IT Management Blog By SolidShellSecurity.