Results 951 to 975 of 1523
Thread: SSHD Rootkit Rolling around
-
02-20-2013, 05:13 PM #951Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
-
02-20-2013, 05:16 PM #952WHT Addict
- Join Date
- Aug 2004
- Posts
- 142
flopunctro, would you please mail your findings to kre80r [at] gmail
-
02-20-2013, 05:18 PM #953Aspiring Evangelist
- Join Date
- Oct 2005
- Posts
- 397
-
02-20-2013, 05:22 PM #954Web Hosting Evangelist
- Join Date
- Aug 2008
- Posts
- 536
You'll find the libproxy updates here:
https://rhn.redhat.com/errata/RHSA-2013-0271.html
The Advisory of that page is RHSA-2013:0271. Now search for that here:
https://rhn.redhat.com/errata/rhel-server-6-errata.html
Edit: in other words, there is nothing to worry about. Just look better.
-
02-20-2013, 05:22 PM #955Junior Guru Wannabe
- Join Date
- Dec 2001
- Posts
- 55
-
02-20-2013, 05:39 PM #956New Member
- Join Date
- Feb 2013
- Posts
- 2
-
02-20-2013, 05:40 PM #957Newbie
- Join Date
- Apr 2008
- Location
- Romania
- Posts
- 18
Well, is this account better if it is older? Now my trust increased by +1?
The IPs you posted above, I posted them a few pages back; if I can't be trusted, then why are you using them? Filtering those IPs won't fix your server; sooner or later some more IPs will pop up. Like today IP 93.170.106.210 appeared, so you can add that too.
And yes, it is "smart" if you block countries. If you have no clue what RNB is, then here is some news for you. I'm pretty sure they have abused machines from which they can connect to your server from each country on this planet, probably even the North Pole... That's why I want to find this bug, because they are skilled compared with most sysadmins.
-
02-20-2013, 05:43 PM #958Newbie
- Join Date
- Feb 2013
- Posts
- 25
Don't tar us all with the same brush. Some of us have just forgotten our login details, and our old rescue email accounts are connected to long-expired domain names.
http://www.webhostingtalk.com/member.php?u=125335
-
02-20-2013, 05:47 PM #959Newbie
- Join Date
- Apr 2008
- Location
- Romania
- Posts
- 18
And actually plexy had the best input/debug in the last 24 hours. So, any more news for tonight from that abused server?
@flopunctro, as you know, the problem is not the backdooring right now; it is how the attacker downloaded the backdoor onto the server and, more important, how he got root on such a big variety of configurations.
-
02-20-2013, 05:48 PM #960Junior Guru Wannabe
- Join Date
- Dec 2001
- Posts
- 55
-
02-20-2013, 05:50 PM #961New Member
- Join Date
- Feb 2013
- Posts
- 1
flopunctro,
Could you send me a copy?
jake.alexander at runbox dot com
-
02-20-2013, 05:53 PM #962Newbie
- Join Date
- Feb 2013
- Posts
- 25
So, any more news for tonight from that abused server?
But I had not changed the root password (on purpose, as I was PCAP'ing). So if someone had compromised the root password for this machine, then why would they not try that, and instead just try the password embedded in libkeyutils.so.1.9? Putting on a white hat for a second, if I had 2 passwords, one from a rootkit and one from a compromised user, I would not try just one and then stop when I get nowhere. I'd try them both. That didn't happen.
Compromised root passwords are a good possibility, but for some reason it's just not gelling with me right now. Call it a hunch.
-
02-20-2013, 05:57 PM #963New Member
- Join Date
- Feb 2013
- Posts
- 1
InfosecNewsBot info
The InfosecNewsBot sent out this tweet which has links to this thread as well as some other good information. It looks like some malware scanners are starting to pick this up:
Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9: Someone shared a sample of the Linux root... bit.ly/12O9kKL #infosec #malware
-
02-20-2013, 05:57 PM #964WHT Addict
- Join Date
- Oct 2011
- Location
- England, UK
- Posts
- 101
I am 100% with Steve on his theory of local machine hacking. Reading this thread in Chrome, e-mail from CSF:
"lfd on [server]: WHM/cPanel root access alert from [my home IP]"
SSH inbound is firewalled on this server; this came in via WHM. No tab open to that server in Chrome, no passwords saved in Chrome. LastPass never used. I have a local file with passwords in it (yeah, insecure!) and likely had the password to that server in my clipboard.
Windows 8 x64, Panda Antivirus, MalwareBytes Pro (realtime shields active). TeamViewer, Last.fm, Spotify, FileZilla, PuTTY, Trillian, MS Word, Winamp, Dropbox running.
Chrome Plugins: default + Java (latest). Chrome Extensions: Checker Plus for Gmail, Google Docs, Google Tasks (by Google), PageRank Status, Speed Dial, Thin Scroll Bar, TweetDeck, Yet another flags.
Any other info you need to know, please ask.
-
02-20-2013, 06:01 PM #965Junior Guru Wannabe
- Join Date
- Sep 2012
- Posts
- 52
Use Adblocker
-
02-20-2013, 06:01 PM #966Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Orlando, Florida
- Posts
- 89
Hey all, I'm posting this based on the suggestion of someone who suggested I modify the script a bit to use auditctl, which I've done.
Anyone interested can get it here:
https://www.ericgillette.com/clients/exploit-cleanup
Code:
wget https://www.ericgillette.com/clients/exploit-cleanup
md5sum ./exploit-cleanup
Then:
Code:
sh ./exploit-cleanup
This will attempt to move the file into a directory from which, if requested, you can supply the file to requesters here.
In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate, since system configurations and versions vary somewhat; that said, you can execute the commands in the script individually if you prefer. Otherwise, you use it at your own risk.
Ironically, I've received multiple messages from various users who have thanked me for creating the script, incorporating some of the suggestions of others, and for maintaining the script up to this point, despite the negativity and unhelpful attitudes of some.
That said, to those that have expressed their opinions concerning the script prior, your opinions will have no effect on what I decide to do, so it's probably better to just keep them to yourself, rather than cluttering the thread with more of your opinions.
As I said prior, agree to disagree, and move on -- find something new to have an opinion about, you'll be better off.
To the users who privately thanked me, and asked me to continue maintaining the script -- thank you very much, and I'll continue to do the best I can, while the others investigate, because I do not have the time to investigate on an ongoing basis like some of the other guys do.
I do have some quarantined files, both 32-bit and 64-bit, if anyone needs them, though I have posted them previously -- just PM me and I'll be happy to provide the files in both 32-bit and 64-bit models.
-
02-20-2013, 06:05 PM #967Newbie
- Join Date
- Apr 2008
- Location
- Romania
- Posts
- 18
As far as I can see right now, in the logs I monitor the bot does not care about logging in; clearly it does not verify whether the password still works.
So, the hacker probably had no root password, but he logged in just once to install, and afterwards he does not care about coming back unless the libkey pings him with a new user/pass or something. Or he gives priority to newly hacked, not-yet-blacklisted servers.
So please, whoever has abused servers, make a cron monitoring script to check for /home/tmpp and, if it exists, stop the networking on that server so you can preserve whatever the botnet drops there (and hopefully the servers will be hacked again).
Last edited by demil; 02-20-2013 at 06:10 PM.
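What demil asks for above, written out as an added example that is not from any post in this thread: a small cron tripwire in POSIX sh. The watched path is the thread's /home/tmpp; the evidence directory, the way networking is stopped and the DRY_RUN switch are my assumptions, not something the thread describes.

```shell
#!/bin/sh
# Added example, not a script posted in the thread: the cron tripwire demil asks
# for. If /home/tmpp appears, copy it (mtime/ownership intact) to an evidence
# directory, write a sha256 manifest and a long listing, then take the network
# down so the bot cannot fetch, update or tidy up anything else.
# Assumptions not from the thread: the evidence path, how networking is stopped,
# and the DRY_RUN switch (DRY_RUN=1 reports instead of touching the network).

# preserve_drop SRC DEST: copy SRC to DEST/tmpp-<UTC stamp>/ and write the
# manifest and listing beside it. Prints the copy's path, returns 0 on success.
preserve_drop() {
    src="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    target="$dest/tmpp-$stamp"
    mkdir -p "$target" || return 1
    cp -a "$src" "$target/" || return 1          # -a keeps mtime, uid/gid and mode
    ls -la "$src" > "$target.listing" 2>/dev/null
    (cd "$target" && find . -type f -exec sha256sum {} + > "$target.sha256")
    printf '%s\n' "$target"
}

# isolate_host: cut connectivity. This drops your own SSH session too, so have
# console (IPMI/KVM/provider console) access before you enable it in cron.
isolate_host() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY_RUN=1: would stop networking here"
        return 0
    fi
    if [ -x /etc/init.d/network ]; then          # RHEL/CentOS 5/6 style (assumption)
        /etc/init.d/network stop
    else                                         # otherwise drop the default-route interface
        dev=$(ip -o route show default 2>/dev/null | awk '{print $5; exit}')
        [ -n "$dev" ] && ip link set dev "$dev" down
    fi
}

# tripwire WATCH_DIR EVIDENCE_DIR: returns 0 if WATCH_DIR is absent, 1 if it was
# present (in which case it has been preserved and the host isolated).
tripwire() {
    watch="$1"; evidence="$2"
    [ -d "$watch" ] || return 0
    command -v logger >/dev/null 2>&1 && logger -t tmpp-tripwire "found $watch; preserving and isolating" 2>/dev/null
    preserve_drop "$watch" "$evidence" >/dev/null
    isolate_host
    return 1
}

# Cron entry (one minute is the finest granularity cron offers):
#   * * * * * /root/tmpp-tripwire.sh
tripwire "${WATCH_DIR:-/home/tmpp}" "${EVIDENCE_DIR:-/root/evidence}"
```

Preserving first and isolating second is deliberate: the copy is cheap, and once the network is down the bot cannot reach in to delete its drop. Try it with DRY_RUN=1 and a throwaway directory before putting it in root's crontab, and make sure you can get at the box by console, because it cuts your own session as well.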
-
02-20-2013, 06:37 PM #968WHT Addict
- Join Date
- Aug 2004
- Posts
- 142
Old sample I got from flopunctro, similar to what we are facing now; a sample of history shows stuff like:
perl -e 'print "abcdefghijklmnopqrstuvwxyz\nbiz\ninfo\nnet\n";' >> 1.tmp
which matches parts of the de-obfuscated code we have.
-
02-20-2013, 06:51 PM #969Web Hosting Evangelist
- Join Date
- Jan 2013
- Location
- Australia
- Posts
- 475
Anyone noticed this ?
Code:
[~]# for i in `du -a /lib64/ | grep -v '@' | awk {'print $2'}`; do rpm -qf $i | grep 'not owned by any package'; done
file /lib64/libkeyutils.so.1.3.2 is not owned by any package
file /lib64/security/pam_hulk.so is not owned by any package
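The check in the post above, as an added example rather than code from the thread: the same package-ownership test as reusable sh functions, plus a check of what /lib64/libkeyutils.so.1 really resolves to. rpm -qf on the symlink path itself still reports it as owned after the attacker has re-pointed it, because rpm only looks the path up in its database, so the check below is on the resolved target. The QUERY_OWNER variable (defaulting to rpm -qf) and the dpkg -S swap for Debian are my assumptions; the package name keyutils-libs is the RHEL/CentOS one.

```shell
#!/bin/sh
# Added example, not code posted in the thread: the package-ownership check
# from the post above as reusable functions, plus a check of what the loader
# symlink libkeyutils.so.1 really resolves to. Assumes an RPM-based system; on
# Debian/Ubuntu set QUERY_OWNER='dpkg -S' (assumption: like rpm -qf, it exits
# non-zero for a path no package owns, which is all this relies on).
QUERY_OWNER="${QUERY_OWNER:-rpm -qf}"

# unowned_files DIR...: print every regular file or symlink under the given
# directories that the package manager does not claim. Returns 1 if any.
unowned_files() {
    out=$(find -H "$@" \( -type f -o -type l \) 2>/dev/null | sort -u | while IFS= read -r f; do
        $QUERY_OWNER "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# keyutils_link_check DIR: print what DIR/libkeyutils.so.1 resolves to and
# return 0 only if that target is package-owned. rpm -qf on the symlink itself
# says "owned" even after the attacker re-pointed it, because rpm only checks
# that the path is in its database; hence the check is on the resolved target.
keyutils_link_check() {
    link="$1/libkeyutils.so.1"
    if [ ! -L "$link" ]; then
        printf '%s: not a symlink (missing, or replaced by a real file)\n' "$link"
        return 2
    fi
    target=$(readlink -f "$link")
    printf '%s -> %s\n' "$link" "$target"
    if $QUERY_OWNER "$target" >/dev/null 2>&1; then
        return 0
    fi
    printf 'WARNING: %s is not owned by any package\n' "$target"
    return 1
}

# audit_all: the directories the thread's findings live in (security/ is
# reached by recursion, so pam_hulk.so-style drops show up too).
audit_all() {
    rc=0
    for d in /lib /lib64; do
        [ -d "$d" ] || continue
        echo "== unowned files under $d"
        unowned_files "$d" || rc=1
        keyutils_link_check "$d" || rc=1
    done
    # rpm -V also reports a changed link target (L) or checksum (5) on the
    # package's own paths, which the ownership loop above cannot see.
    command -v rpm >/dev/null 2>&1 && rpm -V keyutils-libs
    return $rc
}

# Run directly (sh libaudit.sh) to audit; source it to use the functions alone.
case "$0" in *libaudit.sh) audit_all ;; esac
```

Treat a non-zero exit from either function as "look by hand": the ownership loop tells you which files nobody installed, and the symlink check tells you whether sshd is actually loading one of them.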
-
02-20-2013, 06:52 PM #970Aspiring Evangelist
- Join Date
- Oct 2005
- Posts
- 397
-
02-20-2013, 06:52 PM #971Virtually Flawless ;)
- Join Date
- Apr 2009
- Location
- USA / UK
- Posts
- 4,577
Seriously, you need to stop distributing that script before you break anyone else's system.
If you had any sense your script would do basic sanity checks (checking that /lib64/libkeyutils.so.1.3 or /lib/libkeyutils.so.1.3 exists) before moving a critical (if infected) system library and symlinking to another library that may or may not exist.
You have already broken several people's systems due to your lack of sanity checks.
Something like this:
Code:
if [ -f $exploit64 ] ; then
    echo "$exploit64 was found on this system. . ."
    if [ ! -f /lib64/libkeyutils.so.1.3 ]; then
        echo "You are infected, but this script can not help you further. Review your system manually."
        exit 0
    fi
    # <<rest of your script here>>
fi
if [ -f $exploit32 ] ; then
    echo "$exploit32 was found on this system. . ."
    if [ ! -f /lib/libkeyutils.so.1.3 ]; then
        echo "You are infected, but this script can not help you further. Review your system manually."
        exit 0
    fi
    # <<rest of your script here>>
fi
→ RAM Host -- USA Premium & Budget Linux Hosting
█ Featuring Powerful cPanel Shared Hosting
█ & Premium Virtual Dedicated Servers
→ Follow us on Twitter
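A version of the sanity-checked quarantine RAM Host is describing, as an added example (not Eric's exploit-cleanup and not RAM Host's fragment): it refuses to touch anything unless the dropped file is present and exactly one package-owned libkeyutils.so.1.* exists to point the loader symlink at, so it cannot leave a box without a working libkeyutils, whether the genuine file is 1.3 or something else. The QUERY_OWNER command, the quarantine directory layout and the argument names are my assumptions.

```shell
#!/bin/sh
# Added example, not Eric's script and not RAM Host's fragment: the quarantine
# step with the sanity checks the post above asks for. It only acts when the
# dropped file is present AND exactly one package-owned libkeyutils.so.1.* is
# found to point the loader symlink at; otherwise it stops and says so instead
# of leaving the system without a usable libkeyutils. Assumptions not from the
# thread: the QUERY_OWNER command (rpm -qf here), the quarantine layout, and
# the file names passed by the caller.
QUERY_OWNER="${QUERY_OWNER:-rpm -qf}"

# quarantine_keyutils LIBDIR SUSPECT QDIR
#   LIBDIR  /lib64 or /lib
#   SUSPECT file name of the dropped library (libkeyutils.so.1.9 in this thread)
#   QDIR    directory to move it into (created if needed)
# Returns 0 if clean or cleaned, 1 on an I/O error, 2 if it refused to act.
quarantine_keyutils() {
    libdir="$1"; suspect="$2"; qdir="$3"
    sus="$libdir/$suspect"; link="$libdir/libkeyutils.so.1"

    [ -f "$sus" ] || { echo "nothing to do: $sus is not present"; return 0; }
    if $QUERY_OWNER "$sus" >/dev/null 2>&1; then
        echo "$sus is owned by a package; not touching it. Review manually."
        return 2
    fi

    # Find the genuine library: a real file, not the suspect, owned by a package.
    good=""
    for f in "$libdir"/libkeyutils.so.1.*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        [ "$f" = "$sus" ] && continue
        $QUERY_OWNER "$f" >/dev/null 2>&1 || continue
        if [ -n "$good" ]; then
            echo "more than one package-owned libkeyutils in $libdir; review manually."
            return 2
        fi
        good="$f"
    done
    if [ -z "$good" ]; then
        echo "$sus found, but no package-owned libkeyutils.so.1.* in $libdir."
        echo "This script cannot help you further. Review your system manually."
        return 2
    fi

    # Hash before moving; mv keeps mtime and ownership for the investigators.
    mkdir -p "$qdir" || return 1
    sha256sum "$sus" >> "$qdir/manifest.sha256" || return 1
    mv "$sus" "$qdir/" || return 1

    # Re-point the loader symlink atomically: create beside it, rename over it.
    rm -f "$link.new"
    ln -s "$(basename "$good")" "$link.new" || return 1
    mv -f "$link.new" "$link" || return 1
    [ "$(readlink -f "$link")" = "$(readlink -f "$good")" ] || return 1
    echo "quarantined $sus to $qdir; $link -> $good"
    # The running sshd still has the old file mapped: restart it. Run ldconfig
    # only now that the dropped file is gone, since it re-links the SONAME to
    # the highest-numbered candidate it finds.
    return 0
}

# Usage on a 64-bit box:
#   quarantine_keyutils /lib64 libkeyutils.so.1.9 /root/quarantine
```

Run it once per library directory (/lib64 and, on mixed systems, /lib), restart sshd afterwards because the running daemon still has the old file mapped, and keep the quarantine directory off the library path so nothing loads the file again.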
-
02-20-2013, 06:58 PM #972Virtually Flawless ;)
- Join Date
- Apr 2009
- Location
- USA / UK
- Posts
- 4,577
I am as well.
nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in DNS packets out on port 53.
He used this infected workstation system to log in to a honeypot, and a few hours later that honeypot was hit.
IPs all match the suspect IPs here.
If you have a server affected by this, your workstation has been compromised.
-
02-20-2013, 06:58 PM #973Aspiring Evangelist
- Join Date
- Oct 2005
- Posts
- 397
Lay off the script already; we're all fellow members of the open-source community, a community built on people writing scripts and code and freely distributing it for other people to use and add to. If you want to modify that script, or create your own script, you're more than welcome to do so.
-
02-20-2013, 07:03 PM #974Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 32
Thanks for this; I concur as well, as malware was detected on my local PC after running scans. (It appears the malware entered through some sort of Java exploit, at least on my machine.) Unsure if this is what actually caused the compromise in my case; however, it makes sense.
Do you have any more info on this rootkit keylogger so I can have a look over it?
-
02-20-2013, 07:05 PM #975Virtually Flawless ;)
- Join Date
- Apr 2009
- Location
- USA / UK
- Posts
- 4,577
His script will take down any system that is not a CentOS 6.x or RHEL 6.x system.
His script as it stands right now is more dangerous to the stability of your server than the exploit he is trying to fix.
All because he can't be bothered to do a basic one-line sanity check.