Thread: SSHD Rootkit Rolling around
-
02-22-2013, 05:55 AM #1251 Newbie
- Join Date: Feb 2013
- Posts: 12
-
02-22-2013, 08:23 AM #1252 Newbie
- Join Date: Apr 2008
- Location: Romania
- Posts: 18
@adebenc there are hacked servers which have nothing to do with cPanel, using Plesk, DirectAdmin, some servers using no cpanels at all, etc.
But if I were from Plesk or DirectAdmin, for sure I would start thinking that this was probably a large attack on all hosting-cpanels-providers... and probably RBN abused all of them, like they did with all major companies...
-
02-22-2013, 08:31 AM #1253 Web Hosting Master
- Join Date: Oct 2012
- Location: Europe and USA
- Posts: 991
★ NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
★ Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
★ Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland
-
02-22-2013, 08:42 AM #1254 Junior Guru Wannabe
- Join Date: Feb 2013
- Posts: 97
-
02-22-2013, 09:14 AM #1255 New Member
- Join Date: Feb 2013
- Posts: 4
Those cPanel computers were affected by a threat; surely this threat has infected other computers (desktops), however at least 80% of servers got compromised because of the infection of the cPanel technical team's computers. Every time the cPanel team logged in to a server, the server got compromised immediately (1-2 hours) (this is proven).
It is already known that this threat was found on more desktops from people, and they probably logged in from their desktop to their server and got their server compromised (in the same way the cPanel technical team affected the servers).
We should be happy that the CentOS platform is not the cause of the issues, and the CentOS operating system should not lose reputation in this situation; they have no fault.
Good luck
-
02-22-2013, 09:28 AM #1256 Web Hosting Guru
- Join Date: Mar 2005
- Location: Maine, USA
- Posts: 311
A good tip when contacting support of any type and they require login credentials:
Change the password to something new before giving it to them, then after the issue is resolved, change it again to something new. Or if you can, create a temporary user account, then disable or delete the account after the support issue is resolved.
-
02-22-2013, 09:30 AM #1257 New Member
- Join Date: Feb 2013
- Posts: 4
-
02-22-2013, 09:47 AM #1258 New Member
- Join Date: Feb 2013
- Posts: 3
The question is, does it affect only the 1.9? I have a file with version 1.3 or directly 1.
If I run rpm, it does not give me the message; it shows me the version of libkeyutils.
For example:
[root@xxx ~]# rpm -qf /lib64/libkeyutils.so.1.3
keyutils-libs-1.4-4.el6.x86_64
I understand that in this case it is free from problems.
That said, in Plesk, all in the chroot folder, there is a /var/www/vhosts/chroot/lib64/libkeyutils.so.1 for which it does show it.
Example:
[root@xxx ~]# rpm -qf /var/www/vhosts/chroot/lib64/libkeyutils.so.1
file /var/www/vhosts/chroot/lib64/libkeyutils.so.1 is not owned by any package
But maybe it has nothing to do with it ... because, as I say, it is with all Plesk, different versions, one installed until yesterday.
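The ownership check from the post above, extended as an added example (not code from the thread or from any vendor): it classifies every libkeyutils file by rpm ownership and, for unowned copies such as the Plesk chroot one, compares the hash against package-owned system copies. The `scan` argument, the function names and the category labels are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: triage every libkeyutils copy on an RPM-based host.
# Assumes rpm, find and sha256sum exist; extra search roots are caller-supplied.

SYS_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# Owning package of a file; non-zero exit if rpm does not know the file.
pkg_owner() { rpm -qf "$1" 2>/dev/null; }

# True if rpm -V reports no change for this path within its owning package.
pkg_verify() { ! rpm -Vf "$1" 2>/dev/null | grep -qF -- " $1"; }

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Package-owned, unmodified system copies: the only trusted references.
trusted_refs() {
    find $SYS_DIRS -type f -name 'libkeyutils.so*' 2>/dev/null |
    while read -r r; do
        if pkg_owner "$r" >/dev/null && pkg_verify "$r"; then echo "$r"; fi
    done
}

# classify_lib FILE [REF...] prints one of:
#   owned-ok         package-owned, matches the rpm database
#   owned-modified   package-owned, but rpm -V flags it
#   copy-of-owned    unowned (e.g. a chroot copy), identical to a reference
#   unowned-unknown  unowned and matches no reference: inspect by hand
classify_lib() {
    f=$1; shift
    if pkg_owner "$f" >/dev/null; then
        if pkg_verify "$f"; then echo owned-ok; else echo owned-modified; fi
        return 0
    fi
    sum=$(sha "$f")
    for ref in "$@"; do
        if [ "$sum" = "$(sha "$ref")" ]; then echo copy-of-owned; return 0; fi
    done
    echo unowned-unknown
}

# Usage: sh triage.sh scan [extra roots, e.g. a panel's chroot directory]
if [ "${1:-}" = "scan" ]; then
    shift
    refs=$(trusted_refs)   # paths without whitespace assumed
    find $SYS_DIRS "$@" -name 'libkeyutils*' 2>/dev/null |
    while read -r f; do
        printf '%s\t%s\n' "$(classify_lib "$f" $refs)" "$f"
    done
fi
```

An attacker with root can also alter the rpm database or binaries, so run this from rescue media where possible. A chroot copy made from an older package version shows as unowned-unknown until it is compared with that version's package.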
-
02-22-2013, 10:01 AM #1259 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
Am I the only one who didn't get an email from cPanel?
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
02-22-2013, 10:02 AM #1260 Wanna be a part?
- Join Date: May 2004
- Location: World Wide Web
- Posts: 1,195
If you did not raise any support ticket with them in the last 6 months, you might not have received the mail.
≡ RVH Cloud - Every day hosting solutions since 2003≡
★ Shared Hosting ★ Reseller Hosting ★ VPS ★ Dedicated Servers ★ True 24 x 7 x 365 Support
-
02-22-2013, 10:06 AM #1261 Web Hosting Master
- Join Date: Sep 2002
- Location: Toronto, ON
- Posts: 3,446
Jean-Pierre Abboud / I'm the TekGURU
www.Gotekky.com / Managed hosting solutions / AS63447
Web Hosting, VPS Hosting, Dedicated Servers
-
02-22-2013, 10:06 AM #1262 Newbie
- Join Date: Feb 2011
- Posts: 14
-
02-22-2013, 10:07 AM #1263 Junior Guru Wannabe
- Join Date: Feb 2013
- Posts: 97
-
02-22-2013, 10:11 AM #1264 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615
-
02-22-2013, 10:17 AM #1265 Junior Guru Wannabe
- Join Date: May 2010
- Posts: 44
Hi all.
Off topic:
Last night I detected a distributed attack against port 21 of a server of mine. Almost all the probing comes from dedicated servers belonging to some small and medium hosting companies. I'm about to forward abuse reports to all of them.
-
02-22-2013, 10:22 AM #1266 WHT Addict
- Join Date: Jan 2013
- Posts: 115
-
02-22-2013, 10:35 AM #1267 Web Hosting Master
- Join Date: Mar 2006
- Location: Johannesburg, South Africa
- Posts: 601
South African Web Hosting - http://www.SoftDux.co.za || SA WebHostingTalk - http://www.webhostingtalk.co.za
-
02-22-2013, 10:43 AM #1268 Web Hosting Master
- Join Date: Oct 2010
- Location: My world u just live here
- Posts: 1,410
So we've still not figured out the cause and so no one has yet found a prevention.
The infected workstation theory does not apply to us, as we use a LIVE CD with Linux to boot from, with no physical hard drive. It's a fresh & clean system upon every boot.
-
02-22-2013, 10:44 AM #1269 New Member
- Join Date: Feb 2013
- Posts: 3
Hello,
[root@rs lib64]# strings /var/www/vhosts/chroot/lib64/libkeyutils.so.1
@@2@:
I P
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
keyctl
syscall
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_instantiate
keyctl_read
keyctl_read_alloc
malloc
realloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
request_key
add_key
libdl.so.2
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
GLIBC_2.2.5
t$(H
T$0H
D$ L
t$ H
t$ H
Not on cPanel servers, but on Plesk.
The cPanel ones, in theory, I have them all without problems.
-
02-22-2013, 10:45 AM #1270 Web Hosting Master
- Join Date: Mar 2003
- Location: Canada
- Posts: 9,072
Here's the thing,
When you have 1000 people saying one thing and 1 person (you) saying something else... that's your problem. I say that in the politest way possible, but it's clear for a lot of people and a lot of companies that the point of compromise was infection through a workstation.
You either have a super unique situation that none of us will ever figure out, or you're trolling to be different. Either way, good luck with that.
-
02-22-2013, 10:52 AM #1271 Web Hosting Master
- Join Date: Oct 2010
- Location: My world u just live here
- Posts: 1,410
Actually, if you read the thread.... And I understand 80+ pages is a lot.....
.... You'll notice not everyone agrees with the workstation theory either.
In fact there are dozens of posts where people said they scanned their workstation and found no infection. Some of those individuals even wiped out (formatted) their workstation and their servers, but still got infected.
So I guess that is "all" our problem?
No disrespect, but people like you should not give support to anyone else.
-
02-22-2013, 11:09 AM #1272 Web Hosting Master
- Join Date: Oct 2012
- Location: Europe and USA
- Posts: 991
-
02-22-2013, 11:10 AM #1273 Disabled
- Join Date: Mar 2012
- Location: United States
- Posts: 107
I went into WinSCP and did not see the file. I am using cPanel with CentOS 5.
-
02-22-2013, 11:12 AM #1274 New Member
- Join Date: Feb 2013
- Posts: 3
Thanks!
I cannot find any infected file; can you tell me where to see one? To compare it with others. For example, I have a 1.3 that, as I say, is completely different:
I P
{?Nq
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
keyctl
syscall
keyctl_session_to_parent
keyctl_get_security
keyctl_get_security_alloc
malloc
realloc
keyctl_assume_authority
keyctl_set_timeout
keyctl_set_reqkey_keyring
keyctl_negate
keyctl_instantiate
keyctl_read
keyctl_read_alloc
keyctl_search
keyctl_unlink
keyctl_link
keyctl_clear
keyctl_describe
keyctl_describe_alloc
keyctl_setperm
keyctl_chown
keyctl_revoke
keyctl_update
keyctl_join_session_keyring
keyctl_get_keyring_ID
request_key
add_key
libdl.so.2
libc.so.6
_edata
__bss_start
_end
libkeyutils.so.1
KEYUTILS_0.3
KEYUTILS_1.0
KEYUTILS_1.3
GLIBC_2.2.5
ATSubH
D$`H
D$ H
L$8L
D$@H
T$(H
fff.
t$ H
fffff.
fff.
t$ H
fff.
t$ H
fffff.
fff.
ffffff.
-
02-22-2013, 11:17 AM #1275 Randy
- Join Date: Aug 2006
- Location: Ashburn VA, San Diego CA
- Posts: 4,615