Thread: SSHD Rootkit Rolling around
-
03-31-2013, 09:15 AM #1451 Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
Hamza, the general consensus among the experts of this forum is that it was most likely a localized PC infection that resulted in the compromises. That's how cPanel was infected. There is no reason to suspect a zero day exploit in any of the services right now.
If someone has a server that was 100% for sure compromised, the best advice would be to reinstall all workstations that access the server, reinstall the server and make sure Java is disabled as that is the most likely culprit that was exploited. Some people in this thread initially said that was a stupid theory about localized PC infections and when they finally did a virus scan of their PC they found some stuff related to backdoors known for stealing credentials and setting up VNC-like backdoors.
A few other suggestions would be to disable password authentication and restrict SSH to certain IP ranges, if possible.
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
05-07-2013, 02:10 PM #1452 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
right now CentOS 5 and CentOS 6 both 32 and 64 bit are affected.. i'm under attack of this fujing rootkit..
Debian 6 is secure against this rootkit..
once i install CentOS my password gets hacked within 3 minutes approx..
-
05-07-2013, 06:22 PM #1453 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
05-07-2013, 11:30 PM #1454 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
i use very complex alphanumeric passwords.. different on every install..
CentOS 6 and 5 64bit
Debian 6 is absolutely fine.. not even a single attempt as failed login.. as i mentioned in my other thread these attacks are automated and are working on a server.. and the attack comes from different machines and hosts... i even saw failed attempts from a kimsufi.. i guess once your box or slice is rooted then it is used to attack others to root them.. right now the way to survive is Debian 6 for me..
-
05-07-2013, 11:34 PM #1455 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
05-07-2013, 11:59 PM #1456 Newbie
- Join Date
- Mar 2013
- Posts
- 26
RAM after power loss lasts from a few seconds to about 2 minutes
This video shows how long RAM keeps its contents after power is cut. It isn't about viruses but disk encryption key stealing. http://www.youtube.com/watch?v=JDaicPIgn9U It is relevant in that it shows you that RAM under normal conditions keeps its memory intact for almost 2 minutes.
-
05-08-2013, 05:55 AM #1457 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
yes i did shut down the vps for hours but it still got rooted when i reinstalled CentOS 6 on it.. i'm on Debian 6 now btw..
-
05-08-2013, 09:52 AM #1458 Junior Guru
- Join Date
- Oct 2011
- Posts
- 188
Is it an OpenVZ vps? or KVM/Xen?
Maybe the images used by your provider aren't clean.
Can you tell us your vps provider?
-
05-08-2013, 10:48 AM #1459 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
-
05-11-2013, 01:59 PM #1460 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
i could not read all 98 pages and i do not want to bump the thread but i would like to know, does the Red Hat security team know about this rootkit? are they aware of this exploit?
http://securityblog.redhat.com/
-
05-11-2013, 02:40 PM #1461 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
i cannot edit my post but what do you guys think about this ?
https://rhn.redhat.com/errata/RHSA-2013-0519.html
-
05-12-2013, 05:41 AM #1462 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
the attack on my vps is coming from 180.96.23.74, this ip, and the password got changed to chauthtok by pam_unix
anyone interested in taking a look at my vps ? this was a new vps which just got rooted again.
[root@server1 ~]# lastb
guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
on 4th attempt he/it logged in..
http://us.hive.sshhoneypot.com/iplog...p=180.96.23.74
Last edited by simmer14; 05-12-2013 at 05:46 AM.
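The lastb output above shows the pattern a defender should alert on: a burst of failed SSH logins from one address followed by a success from the same address. An added example (not from the thread) that parses last/lastb-style lines and flags exactly that; the sample lines are constructed for the example (the first three mirror the quoted lastb output), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in the column layout of `lastb` (failed logins)
# and `last` (successful logins). The first three lines mirror the lastb
# output quoted in the post; the remaining lines are made up.
FAILED_LOGINS = """\
guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
admin    ssh:notty 10.0.0.5     Sun May 12 04:50 - 04:50 (00:00)
"""
SUCCESSFUL_LOGINS = """\
root     pts/0        180.96.23.74 Sun May 12 05:12   still logged in
root     pts/1        10.0.0.9     Sun May 12 03:00 - 03:40 (00:40)
"""

# user, tty, source IP, weekday, then "Mon DD HH:MM" (last/lastb omit the year)
LOGIN_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\w{3}\s+"
    r"(\w{3}\s+\d{1,2}\s+\d{2}:\d{2})"
)

def parse_logins(text):
    """Return [(user, ip, datetime)] for every parsable last/lastb line."""
    entries = []
    for line in text.splitlines():
        m = LOGIN_LINE.match(line)
        if m:
            user, _tty, ip, stamp = m.groups()
            entries.append((user, ip, datetime.strptime(stamp, "%b %d %H:%M")))
    return entries

def flag_logins_after_failures(failed_text, success_text,
                               threshold=3, window_minutes=60):
    """Map IP -> (failure count, user) for each successful login preceded by
    at least `threshold` failed attempts from the same IP within the window.
    Such a login is the signature of a guessed or stolen password."""
    failures = defaultdict(list)
    for _user, ip, ts in parse_logins(failed_text):
        failures[ip].append(ts)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, ip, ts in parse_logins(success_text):
        recent = [f for f in failures.get(ip, []) if ts - window <= f <= ts]
        if len(recent) >= threshold:
            flagged[ip] = (len(recent), user)
    return flagged
```

On a live box feed it the output of `lastb` and `last` (wtmp/btmp are only as trustworthy as the host, so a rooted machine may have had them cleaned).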
-
05-12-2013, 12:33 PM #1463 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
05-14-2013, 02:18 AM #1464 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
One important point worth making:
No evidence has been found that there was actually an SSH vulnerability. Rather, the system itself was hacked through other root-level vulnerabilities, and as a result of that hack, a backdoor added to SSH.
Again, there is no evidence that this hack was accomplished through a weakness in SSH.
-
05-27-2013, 12:58 PM #1465 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
no update ?
-
06-17-2013, 09:10 PM #1466 Junior Guru Wannabe
- Join Date
- Jan 2010
- Posts
- 34
This is an email I just received from SolusLabs.
PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.
In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.
Instructions:
You will need root SSH access to your master server. You are then required to delete the following file:
/usr/local/solusvm/www/centralbackup.php
Example:
rm -f /usr/local/solusvm/www/centralbackup.php
Once the file is deleted the exploit can no longer be used. This file only exists on the master server and the slaves will not be affected.
You will receive a follow-up email once the patch versions are available.
Regards,
Soluslabs Security Team
could this be the exploit used here ?
-
06-18-2013, 12:03 AM #1467 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
It could sure, but not likely the cause of this problem.
-
06-18-2013, 12:20 AM #1468 Newbie
- Join Date
- Apr 2013
- Posts
- 22
No. The most recent SolusVM exploit the email was about involved the centralbackup.php file in SolusVM. It has a vulnerability in it that caused massive security issues. RamNode was exploited by it. If you run SolusVM UPDATE IMMEDIATELY!!! That exploit is VERY DANGEROUS.
-
06-18-2013, 02:54 PM #1469 Newbie
- Join Date
- Feb 2013
- Posts
- 8
A description of the exploit is here:
http://localhost.re/p/solusvm-11303-vulnerabilities
Incredible that such code quality is part of anything people put on their server. This is not even amateur standard. It's just plain wrong.
It's also not a PHP issue, because they forwarded the unfiltered web server data from the calling connection to MySQL.
-
08-08-2013, 09:54 AM #1470 Newbie
- Join Date
- Jan 2013
- Posts
- 28
Hello to all users
I found this topic accidentally and read some pages of it and i got very worried about this rootkit exploit.
I am a newbie at server admin and i want to see if i have this rootkit on my 2 Linode VPS with CentOS.
How can i check if i have this rootkit?
-
08-08-2013, 09:59 AM #1471
You will have to read the thread to find more answers to your question.
One way posted was http://www.cloudlinux.com/blog/clnews/sshd-exploit.php
-
08-08-2013, 10:09 AM #1472 Newbie
- Join Date
- Jan 2013
- Posts
- 28
@BeZazz
This topic has 98 pages and i have read about 10 of them with people discussing that i am a better server admin than the other... take a break!!!
One way posted was http://www.cloudlinux.com/blog/clnews/sshd-exploit.php
If anyone can point me to the final solution for this problem i will appreciate it very much
-
08-08-2013, 10:12 AM #1473
-
08-08-2013, 01:41 PM #1474 Newbie
- Join Date
- Jan 2013
- Posts
- 28
I have tested it and it returns
Code:
[root@server ~]# wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
Cannot find compromised library
-
08-08-2013, 02:13 PM #1475 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
You need to check and make sure you do not have compromised openssh packages too.
That was an older variant of this problem.
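An added example (not from the thread and not CloudLinux's check script) showing one way to do the package check suggested above on an RPM-based system: it parses `rpm -V` output for the OpenSSH packages and reports files whose size or digest no longer match what the package shipped, which is how a backdoored sshd binary shows up. The sample output is constructed, and the package list is an assumption.

```python
import re
import subprocess

# Constructed sample of `rpm -V openssh-server` output for this example. The
# flag letters are the ones rpm prints (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities); '.' means the attribute
# matches, and a following 'c' marks a config file. The findings are made up.
SAMPLE_RPM_VERIFY = """\
S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/ssh/ssh_config
missing     /usr/libexec/openssh/sftp-server
"""

# RHEL/CentOS 5 prints 8 attribute characters, 6 prints 9; accept both.
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?P<type>[a-z])?\s*(?P<path>/\S+)$"
)

def suspicious_files(verify_output):
    """Return (path, reason) for package files whose contents changed
    (size or digest) and that are not config files, plus missing files.
    Edited config files and mtime-only changes are normal and ignored;
    a changed digest on a binary such as /usr/sbin/sshd is not."""
    findings = []
    for line in verify_output.splitlines():
        m = VERIFY_LINE.match(line)
        if not m:
            continue
        flags, ftype, path = m.group("flags", "type", "path")
        if flags == "missing":
            findings.append((path, "missing"))
        elif ftype != "c" and ("5" in flags or "S" in flags):
            findings.append((path, "content changed: " + flags))
    return findings

def verify_live(packages=("openssh-server", "openssh-clients", "openssh")):
    """Run rpm -V against the local system and return the findings.
    Needs rpm installed; the package names are an assumption."""
    proc = subprocess.run(["rpm", "-V", *packages],
                          capture_output=True, text=True)
    return suspicious_files(proc.stdout)
```

Keep in mind that `rpm -V` compares against the local rpm database, which root-level malware can also tamper with, so a clean result is not proof; compare the binaries against a freshly downloaded copy of the same package when in doubt.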