  1. #1426
    Join Date
    Jan 2012
    Location
    Truckee, CA
    Posts
    14

    Except for the thread "Backdoor imitating ssh on RH/Centos boxes" on the ArchLinux forum, there don't seem to be any US-CERT bulletins or CERT advisories documenting this issue:

    It was confirmed that problems exist in distros based on RHEL and with the cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-56-71, remote code execution in Exim.
    There's been a lot of chatter about this issue, but has there been any progress resolving it? E.g., can anyone confirm that this issue is exclusive to hosts using the Exim MTA?

    Eric Pretorious
    Truckee, CA

  2. #1427
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by epretorious
    Can anyone confirm that this issue is exclusive to hosts using the Exim MTA?
    Compromises on servers not running Exim have been confirmed. Also, the Exim that was bundled with cPanel was apparently not vulnerable to that remote DKIM exploit so there is an extremely high probability that these attacks are unrelated to Exim in regards to the point of entry.

  3. #1428
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    Quote Originally Posted by Patrick
    Compromises on servers not running Exim have been confirmed.
    Yes, but could those compromises have been via stolen credentials/root login?

    Back to the thesis that these guys are sophisticated enough to use a variety of methods to get to root.

  4. #1429
    Again: all these guesses are senseless at some point.

    Only a monitored honeypot will give us, at this point, the information we want.

    Or we accept that the current Linux versions are insecure.

  5. #1430
    Join Date
    Jan 2012
    Location
    Truckee, CA
    Posts
    14

    Quote Originally Posted by epretorious
    Except for the thread "Backdoor imitating ssh on RH/Centos boxes" on the ArchLinux forum, there don't seem to be any US-CERT bulletins or CERT advisories documenting this issue:

    It was confirmed that problems exist in distros based on RHEL and with the cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-56-71, remote code execution in Exim.
    There's been a lot of chatter about this issue, but has there been any progress resolving it? E.g., can anyone confirm that this issue is exclusive to hosts using the Exim MTA?
    Quote Originally Posted by Patrick
    Compromises on servers not running Exim have been confirmed. Also, the Exim that was bundled with cPanel was apparently not vulnerable to that remote DKIM exploit so there is an extremely high probability that these attacks are unrelated to Exim in regards to the point of entry.
    Quote Originally Posted by brianoz
    Yes, but could those compromises have been via stolen credentials/root login?

    Back to the thesis that these guys are sophisticated enough to use a variety of methods to get to root.
    Brian:

    You've taken Patrick's remark out of context and, therefore, your reasoning is incorrect: This proves nothing. Those compromises could have come from any number of vectors.

    All of this begs the question, however: Why hasn't there been a CERT bulletin or a CVE advisory?

    Eric Pretorious
    Truckee, CA

  6. #1431
    Join Date
    Jan 2012
    Location
    Truckee, CA
    Posts
    14

    Quote Originally Posted by mmoserv
    Again: all these guesses are senseless at some point.
    Agreed. This thread appears to be almost exclusively made up of idle speculation and hand-wringing.

    Quote Originally Posted by mmoserv
    Or we accept that the current Linux versions are insecure.
    I beg to differ. Linux itself is not likely the weakness, but rather one of the software packages included in the installation (e.g., PHP) and the control panel's security posture (e.g., compatibility with SELinux and/or AppArmor). Perhaps it would be more correct to accept the trade-off between convenience and security.

    Eric Pretorious
    Truckee, CA

  7. #1432
    Join Date
    Oct 2012
    Location
    Georgia
    Posts
    111
    Quick survey, anyone seen a rootkit being used to send spam through sshd involving a library called 'libkeyutils.so.1.9'?

    If so what OS did you see it on?
    Thankfully, not a single one of our boxes has been compromised. We block port 22 and only give SSH access to certain IP addresses. Password authorization is disabled because we use keys only.
    https://zuziko.com Learn WordPress and Web Development

  8. #1433
    Quote Originally Posted by epretorious
    I beg to differ. Linux itself is not likely the weakness, but rather one of the software packages included in the installation (e.g., PHP) and the control panel's security posture (e.g., compatibility with SELinux and/or AppArmor). Perhaps it would be more correct to accept the trade-off between convenience and security.
    I know, I know.
    My sentence was a clear teaser, of course.

    The big problem here is the root access by cPanel. At that point security is breached, Unix security or not. Even more so when you work without one-time logins and such.

    I, for example, run Debian in a minimal install, nginx only and dovecot/postfix minimal. SSH key-only access, and even on other ports. Except my box with svn, because it can't tunnel a port as far as I know.

    The good point of such a small system is that you do not need AppArmor and other higher-level security, because there is nothing high-level to protect.

  9. #1434
    Quote Originally Posted by epretorious
    Agreed. This thread appears to be almost exclusively made up of idle speculation and hand-wringing.

    I beg to differ. Linux itself is not likely the weakness, but rather one of the software packages included in the installation (e.g., PHP) and the control panel's security posture (e.g., compatibility with SELinux and/or AppArmor). Perhaps it would be more correct to accept the trade-off between convenience and security.

    Eric Pretorious
    Truckee, CA
    You're late. Gone with the wind, this thread's history. A memory of the past...

    But I guess you're still in time to add a few idle speculations of your own... Enjoy...

  10. #1435
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    Quote Originally Posted by epretorious
    You've taken Patrick's remark out of context and, therefore, your reasoning is incorrect: This proves nothing. Those compromises could have come from any number of vectors.
    Eric,

    My comment was not at all trying to prove anything, merely making the point that I suspected these guys are collating results from a variety of intrusion methods - Exim may of course be one of them, as may password theft, as may old kernel vulnerabilities, etc. All attempts to find a single common entry vector to this point have failed, so that seems a reasonable conclusion.

  11. #1436

    SSH 1?

    I came across this subject on your web site trying to find out more about this issue.

    I use Webmin and noticed that I had enabled "Allow RSA (SSH 1) authentication?"

    Now I recall from many years ago there was some issue with SSH 1.
    Am I right in that?
    I have disabled SSH1 and allowed only SSH2 for SSH authentication on my server.

    Not sure if it's an issue, but wondering if anybody knows about it?
    I do see that SSH 1 has weaker encryption and a possible attack mechanism.

    Regards, Brian

  12. #1437
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,410
    Quote Originally Posted by ducnanbbd
    I came across this subject on your web site trying to find out more about this issue.

    I use Webmin and noticed that I had enabled "Allow RSA (SSH 1) authentication?"

    Now I recall from many years ago there was some issue with SSH 1.
    Am I right in that?
    I have disabled SSH1 and allowed only SSH2 for SSH authentication on my server.

    Not sure if it's an issue, but wondering if anybody knows about it?
    I do see that SSH 1 has weaker encryption and a possible attack mechanism.

    Regards, Brian
    You're always better off using better encryption if you can do so. No harm in making things more secure (normally).

    SSH2 uses a bit more CPU and RAM to code and decode, but the difference is so small that it's almost not worth talking about... i.e.... no worries.

    SSH2 will not prevent this rootkit, as there are those who have used it and still got infected.

    ▲ ▲

    WoltLab Dev
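
The SSH 1 question above and the earlier advice in this thread (key-only access, no password logins, SSH on a non-default port) both come down to a handful of sshd_config keywords. The script below is an added example, not code from this thread or from OpenSSH: it parses the global section of an OpenSSH sshd_config and reports every keyword whose value differs from the hardened one, using a constructed permissive configuration beside a constructed hardened one. Its assumptions are marked in the code: only the section before the first Match block is examined, an absent keyword is reported as "unset" because the daemon's compiled-in default then applies (and that default has changed between OpenSSH versions), and the keyword list itself is this example's choice. Recent OpenSSH releases no longer include protocol 1 server support at all, so the Protocol line only matters on the older daemons this thread is about.

```python
"""Audit the global section of an OpenSSH sshd_config.

Added example, not code from the thread or from OpenSSH. Assumes the usual
'Keyword value' (or 'Keyword=value') lines with '#' comments; only the
section before the first Match block is examined.
"""
import re

# keyword (lower-case) -> (value we want, why).  The list is this example's
# own choice; it covers the points raised in the thread.
WANTED = {
    "protocol": ("2", "protocol 1 has known weaknesses; permit only 2"),
    "passwordauthentication": ("no", "key-only logins, as several posters do"),
    "pubkeyauthentication": ("yes", "must stay on once passwords are off"),
    "permitrootlogin": ("no", "no direct root login over SSH"),
    "challengeresponseauthentication": ("no", "closes the keyboard-interactive password path"),
}

# Constructed sample of an older, permissive configuration.
WEAK_CONFIG = """\
# constructed sample: permissive
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample after applying the thread's advice.  The trailing Match
# block re-enables passwords for one address range on purpose: the audit
# stops at 'Match', so conditional blocks still need a human look.
HARDENED_CONFIG = """\
# constructed sample: hardened
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_global_section(text):
    """Return {keyword: value} for the global section; the last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                            # keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                               # conditional blocks start here
        settings[key] = value
    return settings


def audit(text):
    """Return a list of (keyword, actual_or_'unset', wanted, reason) findings."""
    settings = parse_global_section(text)
    findings = []
    for key, (wanted, reason) in WANTED.items():
        actual = settings.get(key, "unset")     # 'unset' => compiled-in default applies
        if actual.lower() != wanted:
            findings.append((key, actual, wanted, reason))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for key, actual, wanted, reason in found:
            print(f"  {key}: is '{actual}', want '{wanted}' ({reason})")
```

Running the file prints the findings for both samples: four for the permissive one, none for the hardened one. Because parsing stops at the first Match block, the password exception in the hardened sample is not reported; a real review has to read the conditional blocks as well, or compare against `sshd -T` on the host, which prints the effective configuration.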

  13. #1438
    OK, thanks. I maybe thought SSH1 might be a possible backdoor (not necessarily this).

    I have some issues with spam through my server, but it doesn't appear to be this libkey issue.

    Brian

  14. #1439

    Is there a definitive answer as yet on how this gets in? I am told a patch has been released which suggests it is now known, but could not find any mention of it here amongst the 97 pages of discussion.

    Can anyone authoritatively summarise?

  15. #1440

    Summary??

    Well, after reading some threads and this 97+ page blog, I understand this:

    - Infection began mid-February.
    - 28 February: cPanel announces compromised server.
    - Looks like a coincidence that lots of servers are cPanel driven.
    - I understand lots of non-cPanel servers have also been compromised.
    - Libraries affected are most commonly on CloudLinux.
    - It's very interesting that most of the servers had an open ticket with cPanel Support.
    - No ideas how to solve this or avoid this.
    - No new contamination has been reported as far as I can see...

    My conclusion (if I understand this, and sorry, but I need to know if I got this right):

    - The most probable situation was that the cPanel proxy server was compromised and used to access the server to place rootkits. That's it. From there the spread began.

    I got half rooted... my server runs behind a hardware firewall with non-standard SSH ports which only cPanel staff, the DC and I can access. The server is infected but has never been SSH'd into by any unauthorized person.

    I would deduce this is because I have the external firewall... and also this way there is no way that anyone could have used SSH nor WHM to access the server... but an authorized server (cPanel).

    I see no other choice than to point at them... Or why did they change their support system so drastically? It's not a matter of proof, it's a matter of probability.

    I think the true story will never go out.

  16. #1441
    Join Date
    Apr 2011
    Location
    Minneapolis
    Posts
    118
    Quote Originally Posted by luigidelgado
    I see no other choice than to point at them... Or why did they change their support system so drastically? It's not a matter of proof, it's a matter of probability.

    I think the true story will never go out.
    Servers not running cpanel were reportedly hacked as well.

    Half of the story is out already, I think the rest will get out eventually.

  17. #1442
    cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.

    Is the only way to sort the issue to reinstall the server still?

    Or has anyone been working on something to circumvent the need to do this?

  18. #1443
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,410
    Quote Originally Posted by Cryostasis
    cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.

    Is the only way to sort the issue to reinstall the server still?

    Or has anyone been working on something to circumvent the need to do this?
    Let me try to answer this in a philosophical way....

    The problem about this hack is the hacker becomes the root user. As root, you're GOD. And just like GOD, you can remake the world (server) in your image.

    Despite how advanced science is, even as far as we are today we do not know everything in the universe. And it is ever so likely that no matter how long we live, no matter how far we grow, and how much we learn over time... we'll never know everything.

    In other words.... There is no way for you to know everything "God" has done, is doing, or will do to your "world" (server).

    LMAO .... This from an atheist.

    Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3 ... etc. ... was also added.

    ▲ ▲

    WoltLab Dev

  19. #1444

    Quote Originally Posted by TheVisitors
    Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3 ... etc. ... was also added.
    Brilliant answer! Made me laugh! Yeah I suspected as much -- just wanted to double check nothing had changed in the last couple of weeks before going into this.

    Thanks :-)

  20. #1445
    Join Date
    Oct 2005
    Posts
    397
    Quote Originally Posted by spendergrsec
    Hi guys,

    I was busy for a bit (dinner, etc). Looking further into the backdoor, it's doing GOT modifications of the sshd it gets loaded into in order to hijack certain functions. For instance, it hooks:
    syslog
    __syslog_chk
    write
    audit_log_user_message
    audit_log_acct_message

    Presumably in response to receiving a specific password/username, for the one backdoor this is "XXXdYZulavB", it will temporarily disable logging via syslog, __syslog_chk, audit_log_user_message, and audit_log_acct_message. The write() hook will also prevent logging via stderr.

    The two I looked at were sending login credentials to UDP port 53 on 78.47.139.110. I need to investigate further to see what exactly that includes, but it's clearly at least sending the login name/UID, and hostname connected to.

    The attacker has three commands available: Xver, Xcat, and Xbnd. Xver displays the backdoor version, Xbnd causes the connect() hook in the backdoor to bind to a specific address before performing the connect. The Xcat command involves the shared memory in some way.

    Of interesting note is that the backdoor would crash as-is with the PAX_MPROTECT feature in grsecurity enabled. If the system wasn't enforcing PaX flags with RBAC, they could just disable the feature on sshd, however. For code hooking in several locations, the region involved has its protections changed to read/write/execute -- something disallowed on a grsecurity kernel and optionally logged. The write following the RWX mprotect would fail, causing a crash of sshd.

    If anyone has a 32bit version of the backdoor they could mail me, it would speed up analysis a bit as I'm doing it all statically.

    -Brad
    Brad, how did you find they were using XOR 81h encoding?
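
Brad's analysis quoted above says the backdoor ships captured login data to UDP port 53 on 78.47.139.110, that is, it hides credential exfiltration inside what looks like DNS. A server whose only legitimate DNS traffic goes to its configured resolvers can therefore be checked from ordinary firewall logs. The script below is an added example, not code from the thread or from any tool it mentions: it reads netfilter LOG-format lines and counts UDP/53 packets to destinations outside an assumed resolver list. The log lines and the resolver addresses are constructed for the example; the one destination they flag is the address from Brad's post.

```python
"""Flag outbound UDP/53 traffic to hosts that are not the configured resolvers.

Added example, not code from the thread.  Input is netfilter LOG-format
text (key=value fields); the sample lines and resolver list are constructed.
"""
import re

# Assumed: this host's legitimate DNS servers.
RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# The fields of interest as the netfilter LOG target writes them.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: two normal lookups, one HTTPS flow, and two UDP/53
# packets to the address from Brad's analysis.
SAMPLE_LOG = """\
Mar  1 12:00:01 web1 kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=60 PROTO=UDP SPT=41000 DPT=53 LEN=40
Mar  1 12:00:02 web1 kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=78.47.139.110 LEN=74 PROTO=UDP SPT=55231 DPT=53 LEN=54
Mar  1 12:00:03 web1 kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=48000 DPT=443 WINDOW=29200
Mar  1 12:00:04 web1 kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.3 LEN=60 PROTO=UDP SPT=41002 DPT=53 LEN=40
Mar  1 12:00:05 web1 kernel: OUT-LOG: IN= OUT=eth0 SRC=10.0.0.5 DST=78.47.139.110 LEN=74 PROTO=UDP SPT=55232 DPT=53 LEN=54
"""


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None if absent."""
    fields = dict(FIELD_RE.findall(line))
    if {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return fields
    return None


def suspicious_dns_destinations(log_text, resolvers=RESOLVERS):
    """Return {destination: packet count} for UDP/53 sent to non-resolver hosts."""
    hits = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue                      # not a firewall record
        if f["PROTO"] == "UDP" and f["DPT"] == "53" and f["DST"] not in resolvers:
            hits[f["DST"]] = hits.get(f["DST"], 0) + 1
    return hits


if __name__ == "__main__":
    for dst, n in suspicious_dns_destinations(SAMPLE_LOG).items():
        print(f"ALERT: {n} UDP/53 packet(s) to non-resolver {dst}")
```

Running the file prints one ALERT line for 78.47.139.110 with a count of 2. The check only sees what the firewall logs, so an outbound UDP/53 LOG rule has to exist on the host, and a variant that talked to the configured resolver's address would not be caught by this particular test; it is one low-cost signal, not a substitute for the rebuild that later posts in this thread recommend.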

  21. #1446
    Join Date
    Aug 2010
    Posts
    233
    Hi,

    cPanel, at first, was saying this was not related to their software... ...this was correct.

    ...this was related to the fact that one of their support techs had a trojan on his computer.

    We got 2 servers infected by this trojan, right after we opened a ticket.

    We submitted another ticket to cPanel, wondering what this new libkey file was, and 2 days later they sent an email to all their customers saying that for the last 4 months, everyone who was requesting support and was helped by some specific agents was infected by this trojan.

    See this for more info: http://cpanel.net/cpanel-inc-announc...-enhancements/

    ...all you need (and can) do in regards to this is transfer all your files to a new server, and change all your passwords.

    We did this and no longer have any problem.

  22. #1447
    Join Date
    Aug 2010
    Posts
    233
    Just think twice before you provide SSH access to someone else on your server, and you will avoid such problems.

    ...we no longer outsource support since that time, and request email only support.

  23. #1448
    Join Date
    Aug 2004
    Posts
    167
    cPanel were working on a ticket and they (and I) were surprised one of the servers was brute-forcing the DNS Only server (and locking itself out).

    This was back in October/November!!

    Seems it has been rolling around for a very long time.

    In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?

  24. #1449
    Join Date
    May 2002
    Location
    Raleigh, NC
    Posts
    714
    Quote Originally Posted by o-dog
    In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?
    Review your firewall rules closely. Only allow incoming traffic on your firewall to ports that you need to have open to the public. Restrict connections to your SSH port to only authorized source IPs.

  25. #1450
    Join Date
    Mar 2005
    Location
    Morocco
    Posts
    56
    So, long story short: there is no real solution whatsoever for this problem? We ignore how it got there, we ignore how to get *efficiently* rid of it, and worst! even if we opt for an OS reload, we may get reinfected! That's like the killed with a spoon video.

    The funny part is when you contacted cPanel, they say we can't do anything on your server as it's compromised; when we follow their checkyourserver thing, the server doesn't appear to be compromised whatsoever. Although, cPanel may be the ultimate cause for this injection in the first place. It's like you got food poisoning in a restaurant, and when you go back to the same restaurant, they won't serve food to you because you are already *infected*.

    CloudLinux was kind enough to have a closer look themselves at this, and they figured out that the server is not compromised.

    Today the hackers are sending out spam from the servers, what if they decide to do something else with it!

    Hamza
    http://www.Genious.net/ - Beyond Perpections
    1st ICANN Accredited Registrar in North Africa - Shared, Cloud and Dedicated Hosting.
    Email : Sales@Genious.net
