Thread: SSHD Rootkit Rolling around
-
03-02-2013, 08:29 PM #1426 Newbie (Join Date: Jan 2012; Location: Truckee, CA; Posts: 14)
Except for the thread "Backdoor imitating ssh on RH/Centos boxes" on the ArchLinux forum, there don't seem to be any US-CERT bulletins or CERT advisories documenting this issue:
It was confirmed that problems exist in distros based on RHEL and with cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-5671, remote code execution in Exim.
Eric Pretorious
Truckee, CA
-
03-02-2013, 08:34 PM #1427 Web Hosting Master (Join Date: Mar 2003; Location: Canada; Posts: 9,072)
Compromises on servers not running Exim have been confirmed. Also, the Exim that was bundled with cPanel was apparently not vulnerable to that remote DKIM exploit so there is an extremely high probability that these attacks are unrelated to Exim in regards to the point of entry.
-
03-03-2013, 07:32 AM #1429 Newbie (Join Date: Feb 2013; Posts: 8)
Again: all these guesses are senseless at some point.
Only a monitored honeypot will give us, at this point, the information we want.
Or we accept that the current Linux versions are insecure.
-
03-03-2013, 07:49 PM #1430 Newbie (Join Date: Jan 2012; Location: Truckee, CA; Posts: 14)
Brian:
You've taken Patrick's remark out of context and, therefore, your reasoning is incorrect: This proves nothing. Those compromises could have come from any number of vectors.
All of this begs the question, however: Why hasn't there been a CERT bulletin or a CVE advisory?
Eric Pretorious
Truckee, CA
-
03-03-2013, 08:03 PM #1431 Newbie (Join Date: Jan 2012; Location: Truckee, CA; Posts: 14)
Agreed. This thread appears to be almost exclusively made up of idle speculation and hand-wringing.
I beg to differ. Linux itself is not likely the weakness, but rather one of the software packages included in the installation (e.g., PHP) and the control panel's security posture (e.g., compatibility with SELinux and/or AppArmor). Perhaps it would be more correct to accept the trade-off between convenience and security.
Eric Pretorious
Truckee, CA
-
03-03-2013, 10:45 PM #1432 WHT Addict (Join Date: Oct 2012; Location: Georgia; Posts: 111)
Quick survey, anyone seen a rootkit being used to send spam through sshd involving a library called 'libkeyutils.so.1.9'?
If so, what OS did you see it on?
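A way to answer the survey question above on your own hosts, as an added example that is not code from the thread, cPanel or CloudLinux: inventory every libkeyutils.so.* entry in the usual library directories, flag the file name the thread reports (libkeyutils.so.1.9), flag a libkeyutils.so.1 loader symlink that has been repointed, and ask rpm or dpkg whether any installed package owns the file. Assumptions not stated on the page: the legitimately packaged library of the time carries a lower minor version such as 1.3 or 1.4 (adjust EXPECTED_VERSIONS for your distro); rpm or dpkg may be absent. The sample directory built by build_sample_tree() and the demo_owner() lookup are constructed fixtures, not a real infection.

```python
"""Inventory libkeyutils on a host and flag the indicator reported in the thread."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional

LIB_DIRS = ["/lib", "/lib64", "/usr/lib", "/usr/lib64"]
LIB_NAME = re.compile(r"^libkeyutils\.so\.(\d+(?:\.\d+)*)$")
EXPECTED_VERSIONS = {"1", "1.3", "1.4"}   # assumption: adjust to your distro
INDICATOR_VERSION = "1.9"                  # file name reported in the thread
UNKNOWN_OWNER = "unknown (no rpm/dpkg on this host)"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_owner(path: str) -> Optional[str]:
    """Package owning `path`; None if no package claims it; UNKNOWN_OWNER when
    neither rpm nor dpkg is installed. Queries the real package database."""
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
        return r.stdout.strip() if r.returncode == 0 else None
    if shutil.which("dpkg"):
        r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
        return r.stdout.split(":", 1)[0].strip() if r.returncode == 0 else None
    return UNKNOWN_OWNER


def scan_dir(d: str, owner_lookup: Callable[[str], Optional[str]] = package_owner
             ) -> List[Dict[str, object]]:
    """One record per libkeyutils.so.* entry in `d`; `reasons` is empty when
    nothing about the entry looks wrong."""
    findings: List[Dict[str, object]] = []
    if not os.path.isdir(d):
        return findings
    for name in sorted(os.listdir(d)):
        m = LIB_NAME.match(name)
        if not m:
            continue
        path = os.path.join(d, name)
        real = os.path.realpath(path)          # follow the loader symlink
        version = m.group(1)
        reasons: List[str] = []
        if version == INDICATOR_VERSION:
            reasons.append("filename matches the reported rootkit indicator")
        elif version not in EXPECTED_VERSIONS:
            reasons.append("unexpected libkeyutils version " + version)
        if os.path.islink(path):
            tm = LIB_NAME.match(os.path.basename(real))
            if tm is None or tm.group(1) not in EXPECTED_VERSIONS:
                reasons.append("symlink resolves to " + real)
        owner = owner_lookup(real) if os.path.isfile(real) else None
        if owner is None:
            reasons.append("not owned by any installed package")
        findings.append({
            "name": name, "path": path, "real": real, "version": version,
            "owner": owner, "reasons": reasons,
            "sha256": sha256_of(real) if os.path.isfile(real) else None,
        })
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: one packaged library, one planted 1.9, and the
    loader symlink repointed at the plant. Fake bytes, not a real library."""
    d = tempfile.mkdtemp(prefix="libkeyutils-demo-")
    with open(os.path.join(d, "libkeyutils.so.1.3"), "wb") as f:
        f.write(b"\x7fELF genuine keyutils (fake bytes)")
    with open(os.path.join(d, "libkeyutils.so.1.9"), "wb") as f:
        f.write(b"\x7fELF planted library (fake bytes)")
    os.symlink("libkeyutils.so.1.9", os.path.join(d, "libkeyutils.so.1"))
    return d


def demo_owner(path: str) -> Optional[str]:
    """Stand-in for package_owner so the fixture behaves the same on any host."""
    return "keyutils-libs" if path.endswith("libkeyutils.so.1.3") else None


if __name__ == "__main__":
    for lib_dir in LIB_DIRS:
        for rec in scan_dir(lib_dir):
            if rec["reasons"]:
                print(rec["path"], "->", rec["real"], rec["sha256"], "; ".join(rec["reasons"]))
```

Run it as root on the suspect host. A hit on the 1.9 name, an unowned library, or a repointed symlink is enough to treat the box as compromised; as the thread's later posts say, the remedy at that point is a rebuild and migration, not cleaning the file.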
-
03-04-2013, 06:46 AM #1433 Newbie (Join Date: Feb 2013; Posts: 8)
I know, I know.
My sentence was a clear teaser, of course.
The big problem here is the root access by cPanel. At that point security is breached, Unix security or not. Even more when you work without one-time logins and such.
I, for example, run Debian in a minimal install, nginx only and Dovecot/Postfix minimal. SSH key-only access, and on other ports as well. Except my box with svn, because it can't tunnel a port as far as I know.
The good point of such a small system is that you do not need AppArmor and other higher-level security, because there is nothing high-level to protect.
-
03-04-2013, 05:25 PM #1435 Web Hosting Master (Join Date: Nov 2004; Location: Australia; Posts: 1,737)
Eric,
My comment was not at all trying to prove anything, merely making the point that I suspected these guys are collating results from a variety of intrusion methods - Exim may of course be one of them, as may password theft, as may old kernel vulnerabilities, etc. All attempts to find a single common entry vector to this point have failed, so that seems a reasonable conclusion.
-
03-09-2013, 03:07 AM #1436 New Member (Join Date: Mar 2013; Posts: 2)
SSH 1?
I came across this subject on your web site trying to find out more about this issue.
I use Webmin and noticed that I had enabled "Allow RSA (SSH 1) authentication?".
Now I recall from many years ago there was some issue with SSH 1. Am I right in that?
I have disabled SSH1 and allowed only SSH2 for SSH authentication on my server.
Not sure if it's an issue, but wondering if anybody knows about it?
I do see that SSH 1 has weaker encryption and a possible attack mechanism.
Regards, Brian
-
03-09-2013, 08:09 AM #1437 Web Hosting Master (Join Date: Oct 2010; Location: My world u just live here; Posts: 1,410)
You're always better off using better encryption if you can do so. No harm in making things more secure (normally).
SSH2 uses a bit more CPU and RAM to encode and decode, but the difference is so small that it's almost not worth talking about... i.e., no worries.
SSH2 will not prevent this rootkit, as there are those who have used it and still got infected.
-
03-09-2013, 09:48 PM #1438 New Member (Join Date: Mar 2013; Posts: 2)
OK, thanks. I maybe thought SSH1 might be a possible backdoor (not necessarily this).
I have some issues with spam through my server, but it doesn't appear to be this libkey issue.
Brian
-
03-11-2013, 10:02 PM #1439 New Member (Join Date: Mar 2013; Posts: 1)
Is there a definitive answer as yet on how this gets in? I am told a patch has been released which suggests it is now known, but could not find any mention of it here amongst the 97 pages of discussion.
Can anyone authoritatively summarise?
-
03-12-2013, 01:50 AM #1440 Newbie (Join Date: Nov 2012; Posts: 9)
Summary??
Well, after reading some threads and this 97+ page thread, I understand this:
- Infection began mid-February.
- 28 February: cPanel announces a compromised server.
- Looks like a coincidence that lots of servers are cPanel-driven.
- I understand lots of non-cPanel servers have also been compromised.
- Libraries affected are most commonly on CloudLinux.
- It's very interesting that most of the servers had an open ticket with cPanel Support.
- No ideas how to solve this or avoid this.
- No new contamination has been reported as far as I can see...
My conclusion (if I understand this, and sorry, but I need to know if I got this right):
- The most probable situation was that the cPanel proxy server was compromised and used to access the server to place rootkits. That's it. From there the spread began.
I got half rooted... my server runs behind a hardware firewall with non-standard SSH ports which only cPanel staff, the DC and I can access. The server is infected but has never been SSHed into by any unauthorized person.
I would deduce this is because I have the external firewall... and also this way there is no way that anyone could have used SSH or WHM to access the server.... except an authorized server (cPanel).
I see no other choice than to point at them... Or why did they change their support system so drastically? It's not a matter of proof, it's a matter of probability.
I think the true story will never come out.
-
03-13-2013, 12:16 AM #1442 New Member (Join Date: Mar 2013; Posts: 2)
cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.
Is the only way to sort the issue to reinstall the server still?
Or has anyone been working on something to circumvent the need to do this?
-
03-13-2013, 04:37 AM #1443 Web Hosting Master (Join Date: Oct 2010; Location: My world u just live here; Posts: 1,410)
Let me try to answer this in a philosophical way....
The problem with this hack is that the hacker becomes the root user. As root, you're GOD. And just like GOD, you can remake the world (server) in your image.
Despite how advanced science is, even as far as we are today we do not know everything in the universe. And it is ever so likely that no matter how long we live, no matter how far we grow, and how much we learn over time... we'll never know everything.
In other words.... there is no way for you to know everything "God" has done, is doing, or will do to your "world" (server).
LMAO .... This from an atheist.
Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3, etc. was also added.
-
03-21-2013, 11:47 PM #1446 Junior Guru (Join Date: Aug 2010; Posts: 233)
Hi,
cPanel, at first, was saying this was not related to their software... ...this was correct.
...this was related to the fact that one of their support techs had a trojan on his computer.
We got 2 servers infected by this trojan, right after we opened a ticket.
We submitted another ticket to cPanel, wondering what this new libkey file was, and 2 days later they sent an email to all their customers saying that for the last 4 months, everyone who had requested support and been helped by some specific agents was infected by this trojan.
See this for more info: http://cpanel.net/cpanel-inc-announc...-enhancements/
...all you need (and can) do in regards to this is transfer all your files to a new server, and change all your passwords.
We did this and no longer have any problem.
-
03-21-2013, 11:49 PM #1447 Junior Guru (Join Date: Aug 2010; Posts: 233)
Just think twice before you provide SSH access to someone else on your server, and you will avoid such problems.
...we no longer outsource support since that time, and request email-only support.
-
03-23-2013, 04:50 PM #1448 WHT Addict (Join Date: Aug 2004; Posts: 167)
cPanel were working on a ticket and they (and I) were surprised one of the servers was brute-forcing the DNS Only server (and locking itself out).
This was back in October/November!!
Seems it has been rolling around for a very long time.
In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce the chances of being rooted again?
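A way to check the sshd settings the post above lists (protocol 1, which post #1436 also asks about; password logins; root login; the default port) across a fleet, as an added example that is not code from the thread, cPanel or OpenSSH. Parsing follows sshd_config(5): one keyword per line separated by whitespace or '=', keywords case-insensitive, '#' starts a comment, the first occurrence of a keyword wins, and everything after the first Match line is conditional, so it is ignored. Assumption: defaults for unset keywords are those of OpenSSH 6.x as shipped in 2013 (PermitRootLogin yes, PasswordAuthentication yes, Port 22, Protocol 2). The two sample configs are constructed. One caveat the thread itself supplies: posts #1446 and #1447 describe the entry vector as a root password taken from a support tech's trojaned machine, and none of these settings stops a login made with valid stolen credentials; they shrink the attack surface rather than close that particular hole.

```python
"""Audit the global section of an sshd_config for SSH-1, password and root
login, and the default port. Added example; defaults assumed per OpenSSH 6.x."""
import re
from typing import Dict, List, Tuple

DEFAULTS = {                      # assumption: OpenSSH 6.x defaults (2013)
    "protocol": "2",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
}

Finding = Tuple[str, str, str]    # (keyword, effective value, recommendation)


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Global-section keyword -> values. Only Port may legitimately repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                       # conditional blocks start here
            break
        if key == "port":
            conf.setdefault(key, []).append(val)
        elif key not in conf:                    # first occurrence wins
            conf[key] = [val]
    return conf


def effective(conf: Dict[str, List[str]], key: str) -> str:
    return conf.get(key, [DEFAULTS.get(key, "")])[0]


def audit(text: str) -> List[Finding]:
    conf = parse_sshd_config(text)
    findings: List[Finding] = []
    proto = effective(conf, "protocol")
    if "1" in {p.strip() for p in proto.split(",")}:
        findings.append(("Protocol", proto, "drop protocol 1: 'Protocol 2'"))
    prl = effective(conf, "permitrootlogin").lower()
    if prl == "yes":
        findings.append(("PermitRootLogin", prl,
                         "set 'PermitRootLogin no' (or 'without-password') and use sudo"))
    pwd = effective(conf, "passwordauthentication").lower()
    if pwd == "yes":
        findings.append(("PasswordAuthentication", pwd,
                         "set 'PasswordAuthentication no' once keys are deployed"))
    if effective(conf, "pubkeyauthentication").lower() != "yes":
        findings.append(("PubkeyAuthentication", "no",
                         "set 'PubkeyAuthentication yes' so keys can replace passwords"))
    ports = conf.get("port", [DEFAULTS["port"]])
    if "22" in ports:
        findings.append(("Port", ",".join(ports),
                         "move off 22 (cuts log noise only; pair with keys and LFD-style rate limiting)"))
    return findings


# Constructed samples, not taken from any real host.
WEAK_CONFIG = """\
# stock-looking file of the era (constructed)
Protocol 2,1
Port 22
PermitRootLogin yes
#PasswordAuthentication no   (commented out, so the default 'yes' applies)
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Feed it the real file with `audit(open("/etc/ssh/sshd_config").read())`; an empty result means the global section already has every setting the post asked about, and the remaining exposure is whoever holds a valid key or password.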
-
03-31-2013, 08:34 AM #1450 Junior Guru Wannabe (Join Date: Mar 2005; Location: Morocco; Posts: 56)
So, long story short! There is no real solution whatsoever for this problem? We don't know how it got there, we don't know how to get rid of it *efficiently*, and worst of all, even if we opt for an OS reload, we may get reinfected! That's like the killed-with-a-spoon video.
The funny part is when you contact cPanel, they say they can't do anything on your server as it's compromised, but when we follow their checkyourserver thing, the server doesn't appear to be compromised whatsoever. Although cPanel may be the ultimate cause of this injection in the first place. It's like you got food poisoning in a restaurant, and when you go back to the same restaurant, they won't serve food to you because you are already *infected*.
CloudLinux was kind enough to have a closer look themselves at this, and they figured out that the server is not compromised.
Today the hackers are sending out spam from the servers; what if they decide to do something else with it!
Hamza
http://www.Genious.net/ - Beyond Perceptions
1st ICANN Accredited Registrar in North Africa - Shared, Cloud and Dedicated Hosting.
Email: Sales@Genious.net