Results 1,376 to 1,400 of 1523
Thread: SSHD Rootkit Rolling around
-
02-25-2013, 12:15 PM #1376 New Member
- Join Date
- Feb 2013
- Posts
- 1
clarification
Can anyone clarify some CageFS stuff for me. Is the root user getting virtualized libkeys as well?
-Rob
-
02-25-2013, 01:17 PM #1377 Newbie
- Join Date
- Jun 2009
- Posts
- 10
I have been looking at the thread since the 1st post. Seemingly random servers are being rooted, different OSes and setups; there doesn't seem to be anything common server-wise.
I'm starting to think along the lines of an Android app or similar.
Does anyone log in to their servers using Android or use any SSH server apps, e.g. ConnectBot?
-
02-25-2013, 02:25 PM #1378 Junior Guru Wannabe
- Join Date
- Sep 2011
- Posts
- 97
Also, with a smartphone your whole email history is open if the phone is hacked. Think of the size of a Gmail archive. Same is true of any IMAP client, but smartphones often do not get OS updates, and the user cannot control that without jailbreaking.
Add to that, WiFi is broken, with any security short of WPA2-Enterprise using enforced keys, due to evil twins, and you've got a bad situation.
Root passwords should probably not be emailed without a second factor. I also wonder at my VPS provider asking for the root password for every support request, in the ticket form.
-
02-25-2013, 05:51 PM #1379 WHT Addict
- Join Date
- Aug 2004
- Posts
- 142
-
02-25-2013, 05:56 PM #1380 Web Hosting Master
- Join Date
- Jun 2001
- Location
- Princeton
- Posts
- 1,029
This is not related, as RHEL 5 & 6 kernels don't have this code.
Igor Seletskiy
CEO @ Cloud Linux Inc
http://www.cloudlinux.com
CloudLinux -- The OS that can make your Shared Hosting stable
-
02-25-2013, 06:00 PM #1381 WHT Addict
- Join Date
- Aug 2004
- Posts
- 142
Yes, thought it might be one of the entry vectors used, since what we are facing here is not the entry vector.
-
02-25-2013, 09:00 PM #1382 Newbie
- Join Date
- Feb 2013
- Posts
- 7
Smartphones
That is something I cannot stress enough: the use of smartphones, how much personal data they store, and how users do not take security on them seriously. Very good point about the smartphones.
-
02-25-2013, 09:44 PM #1383 Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Orlando, Florida
- Posts
- 89
You know, it's funny you mention this... I have logged into servers using ConnectBot from my Samsung Galaxy SIII on T-Mobile.
However... the servers I've logged into tested negative for the compromised library -- or any compromised libraries for that matter.
So it's possible... but I think it might be a bit of a stretch.
Not ruling it out though...
Steven, thanks for the feedback man... best I can do is keep my eyes peeled.
Happy belated Birthday buddy!
Last edited by egillette; 02-25-2013 at 09:46 PM. Reason: Forgot to wish Steven Happy Birthday!
Server Security | Disaster Planning | PCI Compliance | Virtualization
http://www.ericgillette.com
800-665-2370
-
02-26-2013, 01:18 AM #1384 Junior Guru
- Join Date
- Jan 2012
- Location
- UK
- Posts
- 236
-
02-26-2013, 02:22 AM #1385 Web Hosting Master
- Join Date
- Nov 2011
- Location
- Calgary, Alberta, Canada
- Posts
- 699
I've checked all of my servers and (luckily) none of them are affected. They are all up to date and running CentOS (one is running cPanel and another is running cPanel DNS Only). I'm guessing this rootkit managed to slip in through one of the repositories.
Little Apps
Open Source Software
-
02-26-2013, 06:14 AM #1386 Web Hosting Evangelist
- Join Date
- Jan 2013
- Location
- Australia
- Posts
- 475
Could this be one of the reasons workstations got affected?
http://www.adobe.com/support/securit...apsa13-02.html
-
02-26-2013, 09:10 AM #1387 Newbie
- Join Date
- Nov 2002
- Location
- UK
- Posts
- 24
-
02-26-2013, 09:17 AM #1388 Newbie
- Join Date
- Feb 2013
- Posts
- 10
On my server libkeyutils.so.1 was removed!!
My server, SSH and sites are down!!
Please, a solution to get libkeyutils.so.1 back.
CentOS 5.8
Thanks
-
02-26-2013, 10:16 AM #1389 Web Hosting Guru
- Join Date
- Mar 2005
- Location
- Maine, USA
- Posts
- 311
Without shell access, your options are limited. Do you have remote console/KVM access from your host? If so, you could manually download the keyutils-libs package and install it.
yum install keyutils-libs
Run that command via remote console and reboot. Should restore ssh access. You should then investigate why the file got deleted and if your server has been infected.
-
02-26-2013, 10:19 AM #1390
-
02-26-2013, 10:19 AM #1391 Newbie
- Join Date
- Feb 2013
- Posts
- 10
-
02-26-2013, 10:29 AM #1392 New Member
- Join Date
- Feb 2013
- Posts
- 4
Hello everybody,
I'm new to this community. I have followed this thread for a couple of days now. I find it really interesting and a top-level discussion.
So I decided to join the community, though I can't really put anything helpful into this problem.
I'm running a small web design and hosting company in Germany. We've got 2 servers running CentOS and Plesk panel.
At this moment I haven't noticed any break-in attempts (other than the normal abuse stuff), and my libkeyutils is still the original one.
You talked about how to secure SSH login and I came across this article today; maybe you find it interesting:
blog.duosecurity.com/2013/02/bypassing-googles-two-factor-authentication/
For the Android and iOS idea, I log in to my servers daily from an iPhone and an Android tablet.
(I switched off root and password login, and the SSH server is running on a different port.)
Thanks guys, keep reading.
Best regards
Martin
-
02-26-2013, 10:55 AM #1393 Web Hosting Evangelist
- Join Date
- Jan 2013
- Location
- Australia
- Posts
- 475
-
02-26-2013, 11:09 AM #1394 Rockin' the beer gut
- Join Date
- May 2006
- Location
- NJ, USA
- Posts
- 6,645
-
02-26-2013, 05:36 PM #1395 Web Hosting Guru
- Join Date
- Mar 2005
- Location
- Maine, USA
- Posts
- 311
-
02-26-2013, 05:41 PM #1396 Junior Guru Wannabe
- Join Date
- Dec 2001
- Posts
- 55
-
02-26-2013, 06:14 PM #1397 Aspiring Evangelist
- Join Date
- Dec 2004
- Location
- Netherlands
- Posts
- 384
cPanel, Inc. Announces Additional Internal Security Enhancements
This is a follow up on the status of the security compromise that cPanel, Inc. experienced on Thursday, February 21, 2013.
As mentioned in our email sent to cPanel Server Administrators who’ve opened a ticket with us in the past 6 months, on February 21 we discovered that one of the proxy servers we utilize in the technical support department had been compromised. The cPanel Security Team’s investigation into this matter is ongoing.
We’d like to relay additional details about the intrusion that we have gathered with you, and we want to explain what preventative measures we’re putting in place that will introduce additional layers of security to our new and existing systems, already in place. How the server was accessed and compromised is not clear, but we know a few key facts that we’re sharing.
Here’s what we know:
* The proxy machine compromised in this incident was, at the time, utilized to access customer servers by some of our Technical Analysts. Its intent was to provide a layer of security between local & remote workstations and customer servers.
* This proxy machine was compromised by a malicious third-party by compromising a single workstation used by one of our Technical Analysts.
* Only a small group of our Technical Analysts uses this particular machine for logins.
* There is no evidence that any sensitive customer data was exposed and there is no evidence that the actual database was compromised.
Here’s what we’re doing about it:
Documentation is now provided at: http://go.cpanel.net/checkyourserver which we encourage system administrators to use to determine the status of their machine.
We have restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. We have also been working on implementing multiple changes to our internal support systems and procedures as outlined for your information below.
* Our system will now generate and provide you with a unique SSH key for each new support ticket submitted.
* We are providing tools to authorize and de-authorize SSH keys and instructions on how to use them whenever you submit a ticket.
* Our system will generate a single-use username and password credentials for accessing WebHost Manager that are only valid while our staff is logged into your server.
* Additional enhancements are also planned behind the scenes that should be transparent to our customers.
With these new layers of security in place, it is now possible for our Technical Analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel & WHM product going forward. However, we will still offer the ability to provide your password for server migrations, or in the event you cannot use SSH keys.
cPanel’s Internal Development Team has been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords you provide during the ticket submission process. We are testing this solution right now, and hope to have it fully implemented in the next few days.
cPanel, Inc. understands your concerns expressed over the last few days, and we very much appreciate the cooperation and patience you have provided us during this time as we work through all of this.
Thank you.
-
02-26-2013, 07:24 PM #1398 Junior Guru Wannabe
- Join Date
- Jan 2002
- Location
- North
- Posts
- 95
a little help for anyone in the same boat
I must admit when this thing first broke over a week ago, I too ended up deleting the libkey file and then finding out I couldn't put it back, couldn't yum & couldn't SSH.
What saved me? (I am telling the process in case anyone else can also benefit.)
I had another cPanel server that was the exact same version, and of course now the problem was to move the file over to the damaged server.
Luckily all my cPanel servers are on VMware and so I still had console access. But how to get the file over? Well, cPanel was still working, so I went into one of the test sites and the file upload was still working. So now it is on the disk but in the wrong place. A simple copy to the correct place using the console access did the trick. Implemented the soft link after that. Yum started working and then it was a simple case of yum reinstall keyutils-libs
-
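A defender's check for the two libkeyutils states the posts above describe (libkeyutils.so.1 missing or dangling so sshd no longer starts, and an extra libkeyutils* file that no RPM package claims), added here as an example and not code from anyone in the thread; it assumes a library directory path and, optionally, a substitute owner-lookup command in place of `rpm -qf`:

```shell
#!/bin/sh
# Added example (not from the thread): audit the libkeyutils files in a library
# directory. Reports libkeyutils.so.1 missing/dangling (sshd stops working) and
# any libkeyutils* entry that no RPM package claims (a dropped-in replacement).
# Usage: audit_libkeyutils /lib64            # owner lookup via `rpm -qf`
#        audit_libkeyutils /lib64 mylookup   # any command taking a path, exit 0 if owned
audit_libkeyutils() {
    libdir=$1
    ownercmd=${2:-rpm -qf}      # rpm -qf exits non-zero for files no package owns
    status=0
    link="$libdir/libkeyutils.so.1"

    # -e follows symlinks, so a dangling link counts as missing here.
    if [ ! -e "$link" ]; then
        echo "MISSING: $link is absent or dangling; restore with 'yum reinstall keyutils-libs'"
        status=1
    elif [ ! -L "$link" ]; then
        echo "SUSPECT: $link is a regular file; the package installs it as a symlink"
        status=1
    else
        echo "OK: $link -> $(readlink "$link")"
    fi

    # Every libkeyutils* entry, dangling links included, must belong to a package.
    for f in "$libdir"/libkeyutils*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if $ownercmd "$f" >/dev/null 2>&1; then
            echo "OWNED: $f"
        else
            echo "UNOWNED: $f is not claimed by any package; investigate before removing"
            status=1
        fi
    done
    return $status
}
```

Run it against /lib and /lib64 (and /usr/lib, /usr/lib64 on newer systems); a non-zero exit means at least one finding was printed.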
02-26-2013, 08:35 PM #1399 Web Hosting Master
- Join Date
- Mar 2005
- Location
- Ten1/0/2
- Posts
- 2,529
Great that CPanel have taken the time to respond and address the issue....
Not so great that on the published web page the commands that they show have errors in them that will potentially cause more problems for the more junior admins.
Specifically, the bit about changelogs for RPMs - they show
Code:
rpm -qp --changelog packagename
CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
Running Linux since 1.0.8 Kernel!
Providing Internet Services since 1995 and Hosting Since 2004
-
02-26-2013, 10:35 PM #1400 Aspiring Evangelist
- Join Date
- Jan 2004
- Posts
- 370
I believe someone earlier confirmed that even CloudLinux boxes with CageFS enabled have been rooted?
How's this even possible when each user is jailed?
Wouldn't this indicate that either:
1) a major service (Apache or Exim, for example) which runs as root by default is exploited remotely and then they replace the libs, etc.
or
2) possibly the CloudLinux boxes were compromised only because their logins/passwords were stolen because someone logged onto them from an infected server?