Today one of my VPS customer got following error : libkeyutils.so.1: cannot open shared object file: no such file or directory on centos 6
He was not able to login to SSH, SSHD server kept on denying with the message : connection to ssh refused.
While inspecting his VPS from node panel i came to know the server is hacked and hacker removed/changed libkeyutils.so.1 and libkeyutils.so.1.3 both are not present in lib64 directory, hacker just deleted them.
Please note these files are necessary files and are responsible for any connections inbound/outbound, so if they are not present or corrupted your server cannot connect to other computers.
Following is the solution to this issue :
Login to your main node (SSH), or your VPS by SSH console provided by your VPS provider.
Now go to /lib64 directory to check if libkeyutils.so.1 and libkeyutils.so.1.3 files are there or not. If files are there just delete them, the file libkeyutils.so.1 is symbolic link to libkeyutils.so.1.3 file. You should delete both of them by :
rm -f /lib64/libkeyutils.so.1 /lib64/libkeyutils.so.1.3
Now you would need to download RPM for libkeyutils.so.1 from centos web site:
Please note, this is the step you might need assistance from your VPS provider, just ask them to place this RPM in your /lib64 directory as you cannot download it. Wget also does not work without libkeyutils.so.1 file.
Once the RPM package is downloaded, you would need to execute following command in lib64 directory:
rpm -ivh --replacefiles --replacepkgs keyutils-libs-1.4-4.el6.x86_64.rpm
This will replace package library files as well as other files, and now restart SSH by:
service sshd restart
and reboot your server:
Suggestion: Install config server firewall immediately once you get back the SSH access, your VPS will not get hack again, it takes only 2 minutes: