According to Orien Wu, social media co-ordinator of the WebHosting Talk forum, it appears that both Red Hat-based and Debian servers are affected. Servers with control panels such as cPanel, DirectAdmin and Plesk are also affected.
SSHD is the daemon that implements the secure shell (SSH) protocol; SSH is a program used to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.
The most popular implementation of SSH, used by many Linux systems, is OpenSSH, which is maintained by the OpenBSD project.
OpenSSH developer Damien Miller told iTWire: "This one is interesting as it attacks the SSH server of the system without actually modifying it directly; instead it replaces one of the shared libraries that it depends upon to inject its malicious code without touching sshd itself, presumably to hide a little better (though it isn't a stealthy rootkit by any stretch of the imagination).
"As such, it isn't representative of any vulnerability in OpenSSH itself, it's just another demonstration of the devious things an attacker can do once they have full control of a system."
Miller said it wasn't clear how the attackers initially gained access to the affected systems.
"But any host with a rootkit installed must be treated as compromised and any data on it potentially in the hands of the attackers," he said.
"In addition to the information and databases the host may have been serving, it should be assumed that the attackers have copies of the private SSH and SSL/TLS host keys and any passwords on the system.
"Once any forensic investigation is complete and the initial exploit that gave the attackers access found and fixed, a rootkitted system should be freshly reinstalled. The system administrator shouldn't assume that this is the only rootkit present, far more stealthy ones exist."
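The article carries no code; as an added defender-side example (not from iTWire, OpenSSH or Miller), the check below follows from the mechanism he describes, a rootkit that swaps a shared library sshd depends on rather than sshd itself: list the libraries sshd resolves, then compare each against what the package manager recorded, flagging files whose digest has changed or that no package owns. The ldd output, library contents and package manifest are constructed stand-ins so it runs offline.

```python
import hashlib

# Constructed `ldd /usr/sbin/sshd` output (paths and addresses made up for this
# example). The vDSO has no on-disk file; the loader line has no '=>'.
LDD_OUTPUT = """\
\tlinux-vdso.so.1 =>  (0x00007fff2b1fe000)
\tlibpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f2c6e9b0000)
\tlibcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2c6e3b0000)
\tlibextra.so.1 => /usr/local/lib/libextra.so.1 (0x00007f2c6e1a0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2c6ebc0000)
"""
# Constructed file contents: what the packages shipped versus what is on disk now.
# libcrypto has been swapped for a modified copy; libextra belongs to no package.
SHIPPED = {
    "/lib/x86_64-linux-gnu/libpam.so.0": b"\x7fELF constructed libpam",
    "/lib/x86_64-linux-gnu/libcrypto.so.1.0.0": b"\x7fELF constructed libcrypto",
    "/lib64/ld-linux-x86-64.so.2": b"\x7fELF constructed loader",
}
ON_DISK = {**SHIPPED,
           "/lib/x86_64-linux-gnu/libcrypto.so.1.0.0": b"\x7fELF libcrypto + injected code",
           "/usr/local/lib/libextra.so.1": b"\x7fELF constructed unpackaged library"}
# What `rpm -V` / `dpkg --verify` consult: path -> digest recorded at install time.
PACKAGE_MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in SHIPPED.items()}

def parse_ldd(text):
    """Return {soname: path} for every object ldd resolved to a file on disk."""
    libs = {}
    for line in text.splitlines():
        name, sep, rest = line.strip().partition("=>")
        path = (rest if sep else name).split("(")[0].strip()
        if path.startswith("/"):                 # drops the vDSO, keeps the loader
            libs[name.strip() if sep else path] = path
    return libs

def verify_libraries(libs, manifest, read_file):
    """Label each library ok, modified (digest differs) or unpackaged (no owner)."""
    findings = []
    for path in sorted(set(libs.values())):
        expected = manifest.get(path)
        if expected is None:
            findings.append(("unpackaged", path))
        else:
            actual = hashlib.sha256(read_file(path)).hexdigest()
            findings.append(("ok" if actual == expected else "modified", path))
    return findings

def audit_sshd():
    """Run the check over the constructed data; on a real host read_file would
    be lambda p: open(p, "rb").read() and LDD_OUTPUT the real ldd output."""
    return verify_libraries(parse_ldd(LDD_OUTPUT), PACKAGE_MANIFEST, ON_DISK.__getitem__)
```

A clean result from this check does not prove the host is clean, which is exactly Miller's point: a library that is swapped and then hidden from the file system, or a compromised package database, defeats it, so it complements rather than replaces a full forensic review and reinstall.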