Results 1,026 to 1,050 of 1523
Thread: SSHD Rootkit Rolling around
-
02-20-2013, 09:38 PM #1026 Web Hosting Master
- Join Date
- Oct 2010
- Location
- My world u just live here
- Posts
- 1,410
^ That argument can be applied to anything connected to the Internet, because nothing is 100% guaranteed hack / crack proof. If there is a will, there is always a way.
My question is not toward "can" something be hacked / cracked.... That would be an illogical argument because the answer is yes. Everything can be.
My question was: at this time, does this single issue currently affect Debian? My findings so far would suggest that, at least for the moment, no. But I would like to know if anyone else (one of WHT's more experienced and well-known users) could confirm or deny whether this single issue at this moment affects Debian.
I believe it is a valid one (even if you do not).
-
02-20-2013, 09:49 PM #1027 Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 97
If I may... I don't IMHO think that's entirely true, you are drawing a distinction that is not yet qualified. There is evidence within this thread that a root-kit on an office PC is the root of the issue (a key-logger). The targeting of Linux boxes with the data captured from such a key-logger is not proof that Linux is vulnerable, but a choice of the hacker, surely?
-
02-20-2013, 10:33 PM #1028 Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
02-20-2013, 10:42 PM #1029 Junior Guru
- Join Date
- Apr 2011
- Posts
- 235
Ramnet, thanks for posting this!
Steven & Nenelod - thanks for all the hard work you've put into investigating this!
May I ask whether either of you have tested which antivirus/malware scanners are able to detect this keylogger?
That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.
-
02-20-2013, 10:45 PM #1030 Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 97
-
02-20-2013, 10:52 PM #1031 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
02-20-2013, 10:54 PM #1032 WHT Addict
- Join Date
- Dec 2009
- Posts
- 139
I have several antivirus installed (on different machines) all are up to date. If someone sends me the malware I can scan it for you.
-
02-20-2013, 10:55 PM #1033 Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Saskatchewan yep Canada
- Posts
- 36
Scanners ran
I'm currently doing a third scan on the same box.
This is the only box I could have been infected on, in my opinion.
I found nothing with Spybot,
nothing with the MS malware scanner,
now running Malwarebytes.
Will advise as soon as it finishes.
Only thing I have confirmed thus far is I do have over 3 million files on my box.
-
02-20-2013, 10:59 PM #1034 Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 97
It's been previously stated that 'Malwarebytes Anti-Malware' picked it up. If you have an infected box that you have accessed from the scanned PC, could you please post the scan output from that PC here so the community can see it? If you have any malware found results of course.
Last edited by matbz; 02-20-2013 at 11:02 PM. Reason: appended "If you have any malware found results of course."
-
02-20-2013, 10:59 PM #1035 Junior Guru
- Join Date
- Apr 2011
- Posts
- 235
-
02-20-2013, 11:05 PM #1036 Virtually Flawless ;)
- Join Date
- Apr 2009
- Location
- USA / UK
- Posts
- 4,577
Well, you must remember that the earliest reports of this infection go all the way back to August 2012. That's a huge 7 month window of possibilities. The infection on your server may have been lying dormant for months.
You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.
→ RAM Host -- USA Premium & Budget Linux Hosting
█ Featuring Powerful cPanel Shared Hosting
█ & Premium Virtual Dedicated Servers
→ Follow us on Twitter
-
02-20-2013, 11:11 PM #1037 Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 97
-
02-20-2013, 11:18 PM #1038 Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Saskatchewan yep Canada
- Posts
- 36
Third scan complete
Malwarebytes found nothing
MS malware scan nothing
Spybot scan nothing; on to the fourth
-
02-20-2013, 11:29 PM #1039 Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Saskatchewan yep Canada
- Posts
- 36
You're right on forget
-
02-20-2013, 11:30 PM #1040 Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 97
-
02-20-2013, 11:34 PM #1041 Temporarily Suspended
- Join Date
- Feb 2013
- Posts
- 15
Steven, Scott, mattbz, and everyone else involved in this. Thank you for your selfless efforts and dedication towards this cause. Mattbz, thankfully, I was able to restore my missing libraries and get my server back online thanks to a very good friend of mine. Just giving you an update on that as well.
Thank you all
-
02-20-2013, 11:36 PM #1042 Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Saskatchewan yep Canada
- Posts
- 36
I thought I was alone
-
02-20-2013, 11:38 PM #1043 Junior Guru Wannabe
- Join Date
- Feb 2013
- Location
- /dev/null aka Ohio
- Posts
- 61
-
02-20-2013, 11:41 PM #1044 Junior Guru Wannabe
- Join Date
- Feb 2013
- Location
- /dev/null aka Ohio
- Posts
- 61
Steve? Are we sure this is from malware?
Steve, are we 100% sure this is from malware?
Reason I ask (trying to catch up on literally 70 pages of this now):
We use Macs.
Not a PC in our office.
So trying to figure out, if it is malware, how we got hit.
One pain on a Mac is that it does not have the best way to do maldetect, but it is not as easy to infect (yet) {hoping I don't start a war on PC vs. Mac; not my intention}
Anyhow, Steve, sent you an email to follow up as well.
-
02-20-2013, 11:46 PM #1045 Junior Guru Wannabe
- Join Date
- Feb 2013
- Posts
- 97
-
02-20-2013, 11:51 PM #1046 Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Saskatchewan yep Canada
- Posts
- 36
That's it
-
02-21-2013, 12:02 AM #1047 Junior Guru Wannabe
- Join Date
- Feb 2013
- Location
- /dev/null aka Ohio
- Posts
- 61
Root users?
That is an interesting thought.
The only users who have root access for us are:
1. Me (on a Mac)
2. two staffers (also on Macs)
3. cPanel
4. IPMI and KVM, but we connect to those on a Mac.
I am concerned that if this was a malware issue, HOW DO WE FIND IT ON A MAC.
Thus far ESET has not picked it up. Neither has MacScan from SecureMac.
Our Macs do not have Java and they do not have Flash.
(makes browsing some sites a bit more fun that way)
We have one workstation that does have Java, which we use to connect to a KVM on Proxmox, but that is all it does.
It does not browse the web, just to be safe otherwise.
-
02-21-2013, 12:12 AM #1048 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
I want to put emphasis on this.
We do not know if it's 100% malware, but it is one of the likely suspects because of what we know and the wide variety of servers it affects.
Also, for Mac lovers: you are not infallible to malware.
And this is exactly what I was talking about when I mentioned back connect a few days ago.
New Mac malware opens secure reverse shell
http://reviews.cnet.com/8301-13727_7...reverse-shell/
With something like this, it does not matter if you firewall off your server; they can log in through your own Mac and it looks like YOU logged in.
Last edited by Steven; 02-21-2013 at 12:16 AM.
-
02-21-2013, 12:15 AM #1049 Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
-
02-21-2013, 12:45 AM #1050 Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
FYI, if anyone is running DD-WRT at your home or office you can block the malware's payload by enabling dnsmasq for local DNS, then redirecting remote DNS traffic to the local gateway.
http://www.dd-wrt.com/wiki/index.php/OpenDNS
You can take it a step further and redirect + log redirects with these extra firewall rules in Administration -> Commands -> Firewall.
Code:
# Log any LAN client (br0) that sends a DNS query to anything other than the router itself.
# "! -d" is the negation form current iptables accepts; older builds also take the "-d !" spelling.
iptables -t nat -A PREROUTING -i br0 ! -d $(nvram get lan_ipaddr) -p udp --dport 53 -j LOG --log-prefix "REDIRECT: "
iptables -t nat -A PREROUTING -i br0 ! -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j LOG --log-prefix "REDIRECT: "
# Then force every DNS query from the LAN to the router's dnsmasq, UDP and TCP alike.
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Last edited by FastServ; 02-21-2013 at 12:58 AM.
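As an added example (not part of FastServ's post, and not DD-WRT's own tooling): a POSIX shell script that prints the four rules above for a given LAN address and then summarises kernel-log lines of the shape the LOG target writes, so you can see which LAN clients are trying to reach an outside resolver and would be redirected to dnsmasq. The LAN_IP value stands in for `$(nvram get lan_ipaddr)` so the script runs off the router, and the log lines and addresses in SAMPLE_LOG are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example: generate the DD-WRT DNS-redirect rules and summarise their "REDIRECT: " log lines.

LAN_IP="${LAN_IP:-192.168.1.1}"   # assumption: on the router this would be $(nvram get lan_ipaddr)

# Print the four rules from the post, one per line, for the given LAN address.
# Uses the "! -d" negation form that current iptables accepts.
dns_redirect_rules() {
  lan="$1"
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i br0 ! -d %s -p %s --dport 53 -j LOG --log-prefix "REDIRECT: "\n' "$lan" "$proto"
  done
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i br0 -p %s --dport 53 -j DNAT --to %s\n' "$proto" "$lan"
  done
}

# Constructed sample syslog lines in the format the iptables LOG target emits (not real captures).
# Two UDP queries from .23 to 8.8.8.8, one TCP query from .77 to 198.51.100.9, and one unrelated line.
SAMPLE_LOG='Feb 21 00:31:02 gw kernel: REDIRECT: IN=br0 OUT= SRC=192.168.1.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Feb 21 00:31:05 gw kernel: REDIRECT: IN=br0 OUT= SRC=192.168.1.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
Feb 21 00:31:09 gw kernel: REDIRECT: IN=br0 OUT= SRC=192.168.1.77 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50010 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 21 00:31:10 gw kernel: ACCEPT: IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP DPT=443'

# Print "count client external_resolver proto" for every combination seen in the
# REDIRECT log, most frequent first. Only lines carrying our log prefix are considered.
redirect_summary() {
  printf '%s\n' "$SAMPLE_LOG" \
    | grep 'REDIRECT: ' \
    | sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\).*PROTO=\([A-Z]*\).*/\1 \2 \3/p' \
    | sort | uniq -c | sort -rn
}

# Number of distinct LAN clients that tried to bypass the local resolver.
bypassing_clients() {
  redirect_summary | awk '{print $2}' | sort -u | grep -c .
}

dns_redirect_rules "$LAN_IP"
redirect_summary
echo "clients bypassing local DNS: $(bypassing_clients)"
```

On a real router the summary would be fed from the syslog (or `dmesg`) output instead of SAMPLE_LOG; a workstation that keeps showing up here after the redirect is in place is worth looking at, since its resolver settings are pointing somewhere other than the gateway dnsmasq.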