Page 59 of 61
Results 1,451 to 1,475 of 1523
  1. #1451
    Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    Hamza, the general consensus among the experts of this forum is that it was most likely a localized PC infection that resulted in the compromises. That's how cPanel was infected. There is no reason to suspect a zero day exploit in any of the services right now.

    If someone has a server that was 100% for sure compromised, the best advice would be to reinstall all workstations that access the server, reinstall the server and make sure Java is disabled as that is the most likely culprit that was exploited. Some people in this thread initially said that was a stupid theory about localized PC infections, and when they finally did a virus scan of their PC they found some stuff related to backdoors known for stealing credentials and setting up VNC-like backdoors.

    A few other suggestions would be to disable password authentication and restrict SSH to certain IP ranges, if possible.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.
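The two hardening steps in the post above (password authentication off, SSH limited to known users/sources, plus root login) as an added shell example that is not code from the thread or from RACK911: it audits an sshd_config for those settings, using constructed sample files; the admin user, the 203.0.113.* address patterns and the temp-file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the hardening
# steps recommended above. Prints one finding per line; prints nothing when
# the file is already hardened.

# Effective value of a keyword. sshd honours the FIRST occurrence of a
# directive, so take the first uncommented match (keywords are
# case-insensitive). Empty output means "not set", i.e. the default applies.
sshd_value() {  # $1 = config file, $2 = keyword
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

audit_sshd_config() {  # $1 = path to sshd_config
    # On the CentOS 5/6 OpenSSH builds discussed here the default is yes:
    # exactly what a guest/guest style brute force needs.
    if [ "$(sshd_value "$1" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no': password guessing remains possible"
    fi
    # Default on those builds is also yes.
    if [ "$(sshd_value "$1" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is not 'no': direct root logins are allowed"
    fi
    # AllowUsers user@host patterns or a Match Address block are how sshd
    # itself restricts sources; a host firewall is the other option.
    if ! grep -iqE "^[[:space:]]*(AllowUsers|AllowGroups|Match[[:space:]]+Address)[[:space:]]" "$1"; then
        echo "no AllowUsers/AllowGroups/Match Address: SSH accepts logins from any source"
    fi
    return 0
}

# Constructed samples (not real configs from the thread).
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
# stock-style file: everything left at its commented-out default
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$HARD_CONF" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
AllowUsers admin@203.0.113.*
Match Address 203.0.113.0/24
    PubkeyAuthentication yes
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened =="; audit_sshd_config "$HARD_CONF"
```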

  2. #1452
    Join Date: Jan 2010 | Posts: 34
    Right now CentOS 5 and CentOS 6, both 32 and 64 bit, are affected.. I'm under attack of this fujing rootkit..

    Debian 6 is secure against this rootkit..

    Once I install CentOS my password gets hacked within 3 minutes approx..

  3. #1453
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by simmer14:
    Right now CentOS 5 and CentOS 6, both 32 and 64 bit, are affected.. I'm under attack of this fujing rootkit..

    Debian 6 is secure against this rootkit..

    Once I install CentOS my password gets hacked within 3 minutes approx..
    Are you using the same password for every install?
    What OS is your workstation?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #1454
    Join Date: Jan 2010 | Posts: 34
    Quote Originally Posted by Steven:
    Are you using the same password for every install?
    What OS is your workstation?
    I use very complex alphanumeric passwords.. different on every install..

    CentOS 6 and 5, 64-bit

    Debian 6 is absolutely fine.. not even a single attempt at a failed login.. as I mentioned in my other thread, these attacks are automated and are working from a server.. and the attack comes from different machines and hosts... I even saw failed attempts from a Kimsufi.. I guess once your box or slice is rooted then it is used to attack others to root them.. right now the way to survive is Debian 6 for me..

  5. #1455
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by simmer14:
    I use very complex alphanumeric passwords.. different on every install..

    CentOS 6 and 5, 64-bit

    Debian 6 is absolutely fine.. not even a single attempt at a failed login.. as I mentioned in my other thread, these attacks are automated and are working from a server.. and the attack comes from different machines and hosts... I even saw failed attempts from a Kimsufi.. I guess once your box or slice is rooted then it is used to attack others to root them.. right now the way to survive is Debian 6 for me..
    In theory it's possible for remnants to remain resident in memory.
    Have you tried pulling the power completely to the machine prior to reload?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  6. #1456

    RAM after power loss lasts from a few seconds to about 2 minutes

    Quote Originally Posted by Steven:
    In theory it's possible for remnants to remain resident in memory.
    Have you tried pulling the power completely to the machine prior to reload?
    This video shows how long RAM keeps its contents after power is cut. It isn't about viruses but about disk encryption key stealing: http://www.youtube.com/watch?v=JDaicPIgn9U It is relevant in that it shows you that RAM under normal conditions keeps its memory intact for almost 2 minutes.
    www.WKDedi.com
    Specializing in Dedicated Server Hosting!
    Contact us today at
    sales@wkdedi.com

  7. #1457
    Join Date: Jan 2010 | Posts: 34
    Yes, I did shut down the VPS for hours but it still got rooted when I reinstalled CentOS 6 on it.. I'm on Debian 6 now btw..

  8. #1458
    Join Date: Oct 2011 | Posts: 188
    Is it an OpenVZ VPS, or KVM/Xen?

    Maybe the images used by your provider aren't clean.

    Can you tell us your VPS provider?

  9. #1459
    Join Date: Jan 2010 | Posts: 34
    Quote Originally Posted by Arnie21:
    Is it an OpenVZ VPS, or KVM/Xen?

    Maybe the images used by your provider aren't clean.

    Can you tell us your VPS provider?
    Yes Arnie, it is an OpenVZ VPS.. and I notified my VPS provider; they did not say anything about the infected ISOs. I did tell them to check the hash of the files and compare them.. WKDedi already told me to do this..

  10. #1460
    Join Date: Jan 2010 | Posts: 34
    I could not read all 98 pages and I do not want to bump the thread, but I would like to know: does the Red Hat security team know about this rootkit? Are they aware of this exploit?

    http://securityblog.redhat.com/

  11. #1461
    Join Date: Jan 2010 | Posts: 34
    I cannot edit my post, but what do you guys think about this?

    https://rhn.redhat.com/errata/RHSA-2013-0519.html

  12. #1462
    Join Date: Jan 2010 | Posts: 34
    The attack on my VPS is coming from this IP, 180.96.23.74, and the password got changed to chauthtok by pam_unix.

    Anyone interested in taking a look at my VPS? This was a new VPS which just got rooted again.

    Code:
    [root@server1 ~]# lastb
    guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
    guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)
    guestgue ssh:notty 180.96.23.74 Sun May 12 05:11 - 05:11 (00:00)

    On the 4th attempt he/it logged in..

    http://us.hive.sshhoneypot.com/iplog...p=180.96.23.74
    Last edited by simmer14; 05-12-2013 at 05:46 AM.

  13. #1463
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by simmer14:
    I cannot edit my post, but what do you guys think about this?

    https://rhn.redhat.com/errata/RHSA-2013-0519.html
    We discussed this earlier in the thread. It only affects Red Hat 6 / CentOS 6 and it's not enabled by default:

    Note that the pam_ssh_agent_auth module is not used in Red Hat Enterprise Linux 6 by default.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  14. #1464
    Join Date: Nov 2004 | Location: Australia | Posts: 1,737
    One important point worth making:

    No evidence has been found that there was actually an SSH vulnerability. Rather, the system itself was hacked through other root-level vulnerabilities, and as a result of that hack, a backdoor was added to SSH.

    Again, there is no evidence that this hack was accomplished through a weakness in SSH.

  15. #1465
    Join Date: Jan 2010 | Posts: 34
    No update?

  16. #1466
    Join Date: Jan 2010 | Posts: 34
    This is an email I just received from SolusLabs.

    PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.

    In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.

    Instructions:

    You will need root SSH access to your master server. You are then required to delete the following file:

    /usr/local/solusvm/www/centralbackup.php

    Example:
    Code:
    rm -f /usr/local/solusvm/www/centralbackup.php

    Once the file is deleted the exploit can no longer be used. This file only exists on the master server and the slaves will not be affected.

    You will receive a follow-up email once the patch versions are available.

    Regards,
    Soluslabs Security Team


    Could this be the exploit used here?

  17. #1467
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    It could, sure, but it's not likely the cause of this problem.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  18. #1468

    SSHD Rootkit Rolling around

    No. The most recent SolusVM exploit the email was about involved the centralbackup.php file in SolusVM. It has a vulnerability in it that caused massive security issues. RamNode was exploited by it. If you run SolusVM, UPDATE IMMEDIATELY!!! That exploit is VERY DANGEROUS.

  19. #1469
    A description of the exploit is here:
    http://localhost.re/p/solusvm-11303-vulnerabilities

    Incredible that code of such quality is part of anything people put on their server. This is not even amateur standard. It's just plain wrong.

    It's also not a PHP issue, because they forwarded the unfiltered web server data from the calling connection to MySQL.

  20. #1470
    Hello to all users

    I accidentally found this topic and read some pages of it, and I got very worried about this rootkit exploit.

    I am a newbie in server admin and I want to see if I have this rootkit on my 2 Linode VPSes with CentOS.

    How can I check if I have this rootkit?

  21. #1471
    Join Date: Jul 2006 | Location: Australia | Posts: 3,809
    Quote Originally Posted by prgs1971:
    How can I check if I have this rootkit?
    You will have to read the thread to find more answers to your question.
    One way posted was http://www.cloudlinux.com/blog/clnews/sshd-exploit.php

  22. #1472
    @BeZazz

    This topic has 98 pages and I have read about 10 of them, with people arguing that they are better server admins than the others... take a break!!!

    This does not seem to be the final solution, and I don't have CloudLinux installed.

    If anyone can point me to the final solution for this problem, I will appreciate it very much.

  23. #1473
    Join Date: Jul 2006 | Location: Australia | Posts: 3,809
    Quote Originally Posted by prgs1971:
    @BeZazz
    I don't have CloudLinux installed.
    I am sure that tester will work, especially if you are running CentOS.

  24. #1474
    I have tested it and it returns:
    Code:
    [root@server ~]#  wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash 
    Cannot find compromised library
    I hope that is really clean...

  25. #1475
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    You need to check and make sure you do not have compromised openssh packages too.
    That was an older variant of this problem.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
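Steven's advice to also verify the openssh packages, as an added shell example that is not code from the thread, from Rack911 or from CloudLinux: it triages rpm -V output, flagging size/digest changes and missing files while ignoring mtime-only and config-file changes, and is run here over constructed sample output. The live_check function assumes a CentOS host with rpm available and is not exercised by the sample; its libkeyutils ownership test reflects the trojaned libkeyutils library that the CloudLinux check.sh looks for.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -V` output for the OpenSSH
# packages. Each rpm -V line is a 9-character test string (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P caps; '.' means
# unchanged), an optional file-type letter ('c' = config file, 'd' = doc)
# and the path, or "missing <path>". A changed digest or size on a binary
# such as /usr/sbin/sshd is what the thread is warning about; a changed
# mtime alone, or an edited config file, is normally benign.

# Reads rpm -V lines on stdin, prints "<reason> <path>" for suspect files.
triage_rpm_verify() {
    while read -r flags col2 col3; do
        [ -n "$flags" ] || continue
        # With three columns the middle one is the file-type letter.
        if [ -n "$col3" ]; then ftype=$col2; path=$col3
        else ftype=""; path=$col2; fi
        case "$ftype" in c) continue ;; esac        # edited config file: expected
        case "$flags" in
            missing) echo "MISSING $path" ;;
            *S*|*5*) echo "MODIFIED $path" ;;        # size or digest differs
            *) : ;;                                  # mode/mtime-only: not flagged
        esac
    done
}

# Live check on a real host (assumes rpm is present): verify the OpenSSH
# packages and list any libkeyutils file that no package owns.
live_check() {
    rpm -V openssh openssh-server openssh-clients | triage_rpm_verify
    for f in /lib/libkeyutils* /lib64/libkeyutils*; do
        [ -e "$f" ] || continue
        rpm -qf "$f" >/dev/null 2>&1 || echo "UNOWNED $f"
    done
}

# Constructed sample of rpm -V output (not captured from a real server).
SAMPLE_RPM_V='S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
missing     /usr/share/man/man8/sshd.8.gz
.M.......    /usr/bin/ssh-agent'

triage_rpm_verify_sample() {  # findings for the constructed sample
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
}

triage_rpm_verify_sample
```

Expected findings for the sample are MODIFIED /usr/sbin/sshd and MISSING /usr/share/man/man8/sshd.8.gz; the config edit and the mode-only change on ssh-agent are not reported.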
