Thread: SSHD Rootkit Rolling around
-
02-18-2013, 03:45 PM #252 Junior Guru Wannabe (joined Feb 2013, 97 posts)
If so, what is your output of strings /lib64/security/pam_hulk.so please?
-
02-18-2013, 03:46 PM #253 Junior Guru Wannabe (joined Mar 2012, 57 posts)
pam_hulk is fine; that is cPanel's brute force module, which is not installed via yum, so it will give a warning.
-
02-18-2013, 03:47 PM #254 Web Hosting Master (joined Mar 2003, Canada, 9,072 posts)
What's interesting is that the RPM was built on that day:
http://rpmfind.net/linux/RPM/centos/....el6.i686.html
-
02-18-2013, 03:47 PM #255 Web Hosting Master (joined Mar 2003, Canada, 9,072 posts)
Same as yours:
IO7+
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
pam_hulk_version
openlog
vsyslog
closelog
pam_get_item
readline
fileno
read
feof
get_hulk_key
fopen
fclose
disconnect_hulk
memset
sigfillset
sigaction
alarm
socket
memcpy
connect
snprintf
strlen
write
tell_hulk
strncmp
hulk_enabled
pam_sm_authenticate
pam_get_user
time
pam_sm_setcred
libc.so.6
__xstat
libpam.so.0
_edata
__bss_start
_end
LIBPAM_1.0
GLIBC_2.2.5
ATSubH
cphulk_version_2.7
PAM-hulk
timeout while connecting to cphulkd
/var/cpanel/cphulkd/keys/pam
error getting hulk key
error setting sigalrm
opening socket
/var/run/cphulkd.sock
failed to connect stream socket
error reading welcome from stream socket
Unexpected welcome messge from cphulkd: %s
AUTH pam %s
error reading auth status from stream socket
error logging into hulkd: %s
PAM_AUTHENTICATE system %s %s 1 %ld 0 0 %s
PAM_SETCRED system %s %s 1 %ld 0 0 %s
err writing to stream socket
error reading PAM_? from stream socket
Brute force detection active: %s
/var/cpanel/hulkd/enabled
/var/cpanel/cphulk_enable
crond
-
02-18-2013, 03:49 PM #256 Web Hosting Master, Igor Seletskiy, CEO @ Cloud Linux Inc (joined Jun 2001, Princeton, 1,029 posts)
I think pam_hulk is part of cPanel hulkd, and not a hack at all.
-
02-18-2013, 03:50 PM #257 WHT Addict (joined Jan 2013, 115 posts)
I believe that file exists on previous hacked servers. Please confirm.
-
02-18-2013, 03:53 PM #259 Temporarily Suspended, TravisT-[SSS] (joined Mar 2012, Tampa, FL, 1,954 posts)
We can confirm that the PAM module used by cPanel has not been exploited. We have the same strings match up on a clean box not being used to do spam, nor have we seen any activity hinting at an exploit.
I think it would be safe if we don't jump to conclusions here without posting verbose logs from snoopy etc. to back up findings.
On a sidenote, I think it would be a good idea if everyone was running snoopy till we find the root cause.
On a random note: I think it is safe to say though we should expect the attackers to start randomizing the file at some point to attempt to remain more hidden or change their tactics up some.
-
02-18-2013, 04:04 PM #261 Junior Guru (joined Mar 2005, 187 posts)
@mattmackman
Did you check the cron log?
The attacker checked the cron log 3 times, like he was waiting for something to happen in that specific hour...
# egrep -i 'Feb 18 07' /var/log/cron
What was it?
-
02-18-2013, 04:14 PM #263 Web Hosting Master (joined Mar 2006, Johannesburg, South Africa, 601 posts)
Can I add:
If the server doesn't have the original /lib/libkeyutils.so.1.3 or /lib64/libkeyutils.so.1.3 (CentOS 5.9 has /lib/libkeyutils.so.1.2?) then SSH, FTP, wget, in fact anything that requires this login library will fail and the server owner won't be able to log in to his server again. I haven't tested this with console access, but remote access will be "broken". So your script may want to check for the original file first and probably re-install the keyutils-libs-1.2-1.el5 library (or the corresponding one for the OS in question).
-
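Added example, not code from the thread nor from cPanel, CSF or CloudLinux: a POSIX sh script that does the two checks discussed in posts #253/#255 and #263. It lists the files in a library directory that no RPM owns (the reason rpm -V warns about cPanel's pam_hulk.so, and a reminder that "unowned" only means "compare its checksum with a clean box", not "backdoored"), and it audits every libkeyutils.so* copy under the library directories, reporting whether a packaged original is still installed before anyone deletes the unowned one. It assumes an RPM-based host where "rpm -qf FILE" prints "file FILE is not owned by any package" for unpackaged files; LIBDIRS, RPM_QF and the function names are the example's own, not from any tool named in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): find library files no RPM owns, and audit
# libkeyutils before anyone deletes a copy. Removing the only libkeyutils.so.1.x
# breaks sshd, wget and everything else linked against libkeyutils.so.1.
# Assumption: RPM-based host (CentOS/RHEL) where "rpm -qf FILE" prints
# "file FILE is not owned by any package" for unpackaged files.

LIBDIRS="${LIBDIRS:-/lib /lib64}"   # hook: override for tests or a mounted image
RPM_QF="${RPM_QF:-rpm -qf}"         # hook: may name a stub function in tests

# owner_of FILE -> owning package, or UNOWNED
owner_of() {
    out=$($RPM_QF "$1" 2>&1) || true   # rpm exits non-zero for unowned files
    case "$out" in
        *"not owned by any package"*) echo UNOWNED ;;
        *) echo "$out" ;;
    esac
}

# list_unowned DIR GLOB -> regular files in DIR matching GLOB that no RPM owns.
# "list_unowned /lib64/security 'pam_*.so'" is expected to print pam_hulk.so on a
# cPanel box (cPanel ships it outside yum); compare its checksum with a clean
# server instead of reading "unowned" as "backdoored".
list_unowned() {
    dir=$1; pat=$2
    for f in "$dir"/$pat; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ "$(owner_of "$f")" = UNOWNED ]; then echo "$f"; fi
    done
    return 0
}

# audit_keyutils -> prints each libkeyutils.so* file with its owner and each
# symlink with its target. Exit status:
#   0  no unowned copy
#   1  unowned copy present, packaged original still installed (safe to clean up)
#   2  unowned copy present and NO packaged original (reinstall keyutils-libs first)
audit_keyutils() {
    rogue=""; packaged=0
    for d in $LIBDIRS; do
        for f in "$d"/libkeyutils.so*; do
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            o=$(owner_of "$f")
            printf '%s owner=%s\n' "$f" "$o"
            if [ "$o" = UNOWNED ]; then rogue="$rogue $(basename "$f")"
            else packaged=$((packaged + 1)); fi
        done
    done
    # The dynamic loader follows libkeyutils.so.1; show where it actually points.
    for d in $LIBDIRS; do
        for l in "$d"/libkeyutils.so*; do
            [ -L "$l" ] || continue
            t=$(readlink "$l")
            case " $rogue " in
                *" $(basename "$t") "*) printf '%s -> %s  (points at an UNOWNED copy)\n' "$l" "$t" ;;
                *) printf '%s -> %s\n' "$l" "$t" ;;
            esac
        done
    done
    [ -z "$rogue" ] && return 0
    [ "$packaged" -eq 0 ] && return 2
    return 1
}

main() {
    echo "== PAM modules no RPM owns (pam_hulk.so is expected on cPanel) =="
    for d in $LIBDIRS; do
        if [ -d "$d/security" ]; then list_unowned "$d/security" 'pam_*.so'; fi
    done
    echo "== libkeyutils =="
    audit_keyutils && rc=0 || rc=$?
    case $rc in
        0) echo "no unowned libkeyutils copy" ;;
        1) echo "unowned copy present; packaged original still installed" ;;
        2) echo "unowned copy present and NO packaged original: reinstall keyutils-libs before removing anything" ;;
    esac
    return $rc
}

# Only audit when invoked as "sh keyutils_audit.sh run"; sourcing just defines the functions.
case "${1:-}" in run) main ;; esac
```

Run it as "sh keyutils_audit.sh run" (the file name is arbitrary); sourced, or run without the argument, it only defines the functions. Exit status 2 is the case post #263 warns about: remove nothing, reinstall keyutils-libs (for example keyutils-libs-1.2-1.el5 on CentOS 5) first, and only then remove the unowned copy and make sure libkeyutils.so.1 points at the packaged file, since whatever that symlink resolves to is what sshd and wget will load.
-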
02-18-2013, 04:17 PM #264 Junior Guru Wannabe (joined Oct 2011, West Palm Beach, FL, 52 posts)
Hey Travis, so far our servers seem OK, no hacks, but I do have one server on CentOS 5.9 x64 where SSH won't respond and won't restart, although the service shows as up and running in WHM under service status. Any thoughts on that?
Adding snoopy sounds like a good idea; any special instructions in setting it up, or is it an install-and-it-works sort of thing?
Also I wanted to thank the community of brilliant minds here working on this, as well as the help of the cPanel, Cloud Linux and CSF staff, but my question is: where the f*#k is Red Hat on this? It seems like it has been narrowed down to their distro only and they are AWOL in these discussions.
-
02-18-2013, 04:19 PM #265 Web Hosting Master, Igor Seletskiy, CEO @ Cloud Linux Inc (joined Jun 2001, Princeton, 1,029 posts)
I cannot blame RedHat here, as I am pretty sure no one here licenses OS directly from them.
CloudLinux & CentOS are not RHEL. So, we cannot really blame them for not acting.
-
02-18-2013, 04:29 PM #266 Junior Guru Wannabe (joined Oct 2011, West Palm Beach, FL, 52 posts)
I didn't blame them, I thanked them for being here. I asked where was Red Hat in this, you are right, no one licenses from them, however they are the ones capable of plugging the hole, so yes they need to be involved.
-
02-18-2013, 04:36 PM #267 Web Hosting Master (joined Mar 2003, Canada, 9,072 posts)
The PTRACE flaw is probably unrelated to all of this, and as mentioned earlier, for that flaw to work there has to be ideal timing conditions within the kernel and it doesn't appear to be easily exploitable. Yes it's a flaw, but it doesn't look like a priority right now based on the degree of difficulty to make it work... so I kind of understand RedHat not dropping what they are doing to fix it.
-
02-18-2013, 05:51 PM #270 Web Hosting Master, NetworkPanda (joined Oct 2012, Europe and USA, 991 posts)
Congratulations to the CSF team for the fast response, but CSF 5.76 caused us huge network issues, although our servers were absolutely clean and not infected by this exploit.
It was blocking network connections from IP addresses not existing in the firewall rules, rendering our DNS cluster unusable, bringing down our billing and monitoring systems and blocking traffic from a lot of visitors.
Fortunately we had kept the installation files of version 5.71 so we uninstalled the new version 5.76 and reinstalled 5.71.
Sorry but we will not use CSF for scanning the exploit discussed in this topic.
Rendering an entire network of servers unreachable to 50% of the world, to protect from an exploit is not a solution.
Thanks
-
02-18-2013, 06:06 PM #273 Web Hosting Master, NetworkPanda (joined Oct 2012, Europe and USA, 991 posts)
After what happened, we will not take the risk with any new CSF version, we will keep 5.71 which has been working fine for us for ages.
Let's hope their CXS malware scan tool gets updated soon to scan for the exploit, as we are also using it and it is proved to be better than CSF when used for malware detection.
-
02-18-2013, 06:15 PM #275 Web Hosting Master, Dathorn (joined Nov 2002, Oklahoma, 702 posts)
Your issue with CSF had nothing to do with the malware scanning portion of it, it just happened to be included in the same update. The problem was the attempt at switching to conntrack which has since been effectively reverted in 5.78. Obviously it would have been better had this not occurred but refusing to update going forward is a bit much. If anything, disable automatic updates and test them in a pre-production environment before deploying them.