Results 976 to 1,000 of 1523
Thread: SSHD Rootkit Rolling around
-
02-20-2013, 07:06 PM #976 Virtually Flawless ;) (Join Date: Apr 2009; Location: USA / UK; Posts: 4,577)
→ RAM Host -- USA Premium & Budget Linux Hosting
█ Featuring Powerful cPanel Shared Hosting
█ & Premium Virtual Dedicated Servers
→ Follow us on Twitter
-
02-20-2013, 07:07 PM #977 Newbie (Join Date: Sep 2004; Posts: 11)
-
02-20-2013, 07:09 PM #978 Newbie (Join Date: Jan 2013; Posts: 20)
So what's the best way to fix this infection? My server has been infected.
-
02-20-2013, 07:11 PM #979 Virtually Flawless ;) (Join Date: Apr 2009; Location: USA / UK; Posts: 4,577)
-
02-20-2013, 07:11 PM #980 Web Hosting Master (Join Date: Mar 2003; Location: Canada; Posts: 9,072)
-
02-20-2013, 07:13 PM #981 Aspiring Evangelist (Join Date: Oct 2005; Posts: 397)
-
02-20-2013, 07:14 PM #982 Newbie (Join Date: Jan 2013; Posts: 20)
-
02-20-2013, 07:15 PM #983 Virtually Flawless ;) (Join Date: Apr 2009; Location: USA / UK; Posts: 4,577)
I already provided him code to use so his script won't damage systems it wasn't designed for. Since people are linking to his script, and since his script (or any other script for that matter) doesn't actually fix the issue anyway, I won't be writing one myself.
You have been rooted. An OS reload is the only fix.
-
02-20-2013, 07:17 PM #984 Aspiring Evangelist (Join Date: Oct 2005; Posts: 397)
-
02-20-2013, 07:17 PM #985 Junior Guru Wannabe (Join Date: Nov 2010; Location: Saskatchewan yep Canada; Posts: 36)
What malware is infesting desktop
What malware is infesting the desktop? I have scanned many times and found none. Can someone elaborate on what it is and how to remove it, or suggest another tool to look for it?
-
02-20-2013, 07:20 PM #986 Junior Guru Wannabe (Join Date: Feb 2013; Posts: 97)
-
02-20-2013, 07:20 PM #987 Junior Guru Wannabe (Join Date: Nov 2010; Location: Saskatchewan yep Canada; Posts: 36)
-
02-20-2013, 07:21 PM #988 Web Hosting Master (Join Date: Sep 2002; Location: Toronto, ON; Posts: 3,446)
Jean-Pierre Abboud / I'm the TekGURU
www.Gotekky.com / Managed hosting solutions / AS63447
Web Hosting, VPS Hosting, Dedicated Servers
-
02-20-2013, 07:22 PM #989 Virtually Flawless ;) (Join Date: Apr 2009; Location: USA / UK; Posts: 4,577)
This is from about 8 hours ago:
Code:
<nenolod> interesting
<nenolod> we found a rootkit on tortoiselabs office equipment
<nenolod> running windows 7
<nenolod> and our OVH creds were changed from that machine
<steven> oh noes the h4x
<nenolod> i wonder if it is related to SSHD thing
<steven> good question
<steven> get to work
<steven> :P
<nenolod> i have the binaries, i intend to look at them in a bit with idapro
<nenolod> btw
<nenolod> the rootkit
<nenolod> was sending keystrokes as DNS requests
<nenolod> to the same russian IP
<steven> which ip
<steven> what did you use to pickup the rootkit
<nenolod> the 78.x nameserver ip
<steven> gotcha
<nenolod> i used tcpdump while typing into the keyboard on the errant machine
<nenolod> i then disconnected it from the network :P
<nenolod> rabbit:/home/nenolod# apk audit --system
<nenolod> M /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
<nenolod> ? /lib/libkeyutils.so.1.9
<nenolod> well, that's concerning
<nenolod> and, /tmp contains a copy of openssh source
<steven> even the great neno has been h4x
<nenolod> this is new
<nenolod> and it is a honeypot
<nenolod> it's supposed to be h4x
<nenolod> the concerning part is that they seem to build the rootkit on the machine
<nenolod> observation: why would sshd link against libkeyutils.so?
<nenolod> ran apk fix
<steven> kernel key management
<ramnet> nenolod, did you access your honeypot from the workstation that had the keylogger on it?
<nenolod> as a matter of fact, yes!
<ramnet> so, you've pretty much confirmed that's what the cause of the hack is then
<steven> nenolod would you be willing to pass me the windows rootkit?
<nenolod> steven, yeah as soon as i have a chance to get the machine network-accessible again
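Added here as a defender's worked example, not code from the thread or from any of its posters: a POSIX shell script that checks for the two indicators the IRC log above reports. The first is a package-integrity audit listing /lib/libkeyutils.so.1 as modified or /lib/libkeyutils.so.1.9 as untracked (the script greps the audit text, so it works on the output of apk audit --system as quoted, and equally on rpm -Va output, since both list only files that differ from the package database). The second is a burst of distinct DNS query names to a single resolver, which is the shape a keystroke-over-DNS channel takes in a tcpdump capture. The audit and tcpdump lines are constructed samples, the resolver address 192.0.2.53 is a documentation-range placeholder, the threshold of 4 distinct names is an arbitrary demo value, and the function names (keyutils_audit_findings, keyutils_audit_count, dns_exfil_candidates) are this example's own.

```shell
#!/bin/sh
# Added example (not the thread's code). Two checks for the indicators in the
# IRC log: a package audit that reports libkeyutils.so changed or untracked,
# and many distinct DNS query names sent to one resolver in a tcpdump capture.

# Constructed sample of `apk audit --system` output ('M' modified, '?' untracked).
SAMPLE_AUDIT='M /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
? /lib/libkeyutils.so.1.9
M /etc/motd'

# Constructed sample of `tcpdump -n port 53` output. 192.0.2.53 is a
# documentation-range placeholder for the resolver being abused; the
# hex-looking labels are constructed, not real captured data.
SAMPLE_DNS='19:02:11.000100 IP 10.0.0.5.51234 > 192.0.2.53.53: 1001+ A? 6a6f686e.t.example.net. (40)
19:02:11.250100 IP 10.0.0.5.51235 > 192.0.2.53.53: 1002+ A? 6c6f67.t.example.net. (38)
19:02:11.500100 IP 10.0.0.5.51236 > 192.0.2.53.53: 1003+ A? 696e.t.example.net. (36)
19:02:12.000100 IP 10.0.0.5.51237 > 192.0.2.53.53: 1004+ A? 726f6f74.t.example.net. (40)
19:02:12.100100 IP 192.0.2.53.53 > 10.0.0.5.51237: 1004 NXDomain 0/0/0 (40)
19:02:13.000100 IP 10.0.0.5.51238 > 10.0.0.1.53: 1005+ A? www.example.org. (33)'

# Print every audit line that touches libkeyutils.so; prints nothing when clean.
keyutils_audit_findings() {
    printf '%s\n' "$1" | grep 'libkeyutils\.so' || true
}

# Number of such lines as a plain integer (0 when clean).
keyutils_audit_count() {
    keyutils_audit_findings "$1" | grep -c . || true
}

# Count distinct query names per resolver in tcpdump DNS output and print
# "resolver count" for every resolver at or above the threshold ($2, default 4).
# Only outbound queries are counted (field 7 ends in '?', e.g. "A?" / "AAAA?");
# responses such as "NXDomain" lines are skipped.
dns_exfil_candidates() {
    printf '%s\n' "$1" | awk -v thr="${2:-4}" '
        $2 == "IP" && $4 == ">" && $7 ~ /[?]$/ {
            dst = $5; sub(/\.[0-9]+:$/, "", dst)   # strip ".port:" -> resolver IP
            key = dst SUBSEP $8                     # (resolver, query name) pair
            if (!(key in seen)) { seen[key] = 1; names[dst]++ }
        }
        END { for (d in names) if (names[d] >= thr) print d, names[d] }'
}

# Usage on the constructed samples; on a live host feed real captures instead.
echo "libkeyutils findings: $(keyutils_audit_count "$SAMPLE_AUDIT")"
keyutils_audit_findings "$SAMPLE_AUDIT"
echo "resolvers receiving >= 4 distinct query names:"
dns_exfil_candidates "$SAMPLE_DNS" 4
```

The DNS heuristic is deliberately crude: a busy workstation also sends many distinct names to its normal resolver, so in practice compare the per-resolver count against the resolver the host is configured to use and look at the label shapes rather than treating any count above the threshold as a finding. The audit check, by contrast, is high-signal: a package manager should never report its own libkeyutils library as modified, and an untracked versioned copy beside it is exactly what the log above shows.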
-
02-20-2013, 07:23 PM #990 New Member (Join Date: Feb 2013; Posts: 2)
That is what my gut told me and I hope this is indeed the case...
The only thing that doesn't make sense to me is I have a client with 3 CentOS/RHEL 5 cPanel servers, one of them is infected with this, the others are not.
They all have the same configuration, and the client logs into all three servers pretty consistently from the same workstation, so I would expect all three of them to be compromised.
Of course there are other variables at play here...
Just trying to wrap my head around if this is indeed 100% a local workstation issue.
Thanks all for the work you guys have done on this.
Hopefully some sort of AV signature will be made to detect this shortly.
-
02-20-2013, 07:24 PM #991 Web Hosting Master (Join Date: Apr 2002; Location: USA; Posts: 5,783)
What scanner are you using?
First, if it is something like Norton or, God forbid, McAfee, then forget it. The first thing a good Java infection does is plant itself in and hide from whatever virus scanner you have installed on the system, so it becomes useless at finding it. Download a new scanner; I like Avast myself, since it was the only one to reliably detect the Gumblar virus when it was first out. Disable your current scanner and let the new one scan the system. Don't trust what you already have installed.
-
02-20-2013, 07:28 PM #992 Junior Guru Wannabe (Join Date: Feb 2013; Posts: 97)
-
02-20-2013, 07:31 PM #993 Junior Guru Wannabe (Join Date: Nov 2010; Location: Saskatchewan yep Canada; Posts: 36)
-
02-20-2013, 07:51 PM #994 Virtually Flawless ;) (Join Date: Apr 2009; Location: USA / UK; Posts: 4,577)
-
02-20-2013, 07:58 PM #995 Junior Guru Wannabe (Join Date: Feb 2013; Posts: 97)
-
02-20-2013, 08:02 PM #996 Web Hosting Master (Join Date: Sep 2002; Location: Toronto, ON; Posts: 3,446)
Can anyone confirm if servers without CSF have been infected?
-
02-20-2013, 08:03 PM #997 Junior Guru Wannabe (Join Date: Nov 2012; Posts: 79)
It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:
I say this because a previous post rang a bell for me: there is a guy here who sent his root password to cPanel support, and a few days later his server was compromised. Maybe cPanel had some kind of data leak?
-
02-20-2013, 08:05 PM #998 Junior Guru Wannabe (Join Date: Sep 2012; Posts: 52)
-
02-20-2013, 08:06 PM #999 Virtually Flawless ;) (Join Date: Apr 2009; Location: USA / UK; Posts: 4,577)
That's correct.
Any workstation used to login to any given server is an attack vector.
That includes people with multiple computers at their home or office, people you hire for server management duties, datacenter techs logging in, and anyone else who had your server's login info on their computer and used it.
Last edited by ramnet; 02-20-2013 at 08:11 PM.
-
02-20-2013, 08:07 PM #1000 Web Hosting Master (Join Date: Sep 2002; Location: Toronto, ON; Posts: 3,446)
<<snipped>>
So far we have had a few infections; the only constant (most likely a coincidence) is that they're running CSF.
Just throwing it out there because CSF does have an auto-update feature.
Last edited by bear; 02-21-2013 at 09:14 AM.