Page 40 of 61
Results 976 to 1,000 of 1523
  1. #976
    Quote Originally Posted by Hellsheep View Post
    Do you have any more info on this rootkit keylogger so I can have a look over it?
    PM nenolod or Steven for a copy of it.
    RAM Host -- USA Premium & Budget Linux Hosting
    █ Featuring Powerful cPanel Shared Hosting
    █ & Premium Virtual Dedicated Servers
    Follow us on Twitter

  2. #977
    Quote Originally Posted by ramnet View Post
    I am as well.

    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in dns packets out port 53.

    He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.

    If you have a server affected by this, your workstation has been compromised.
    What desktop OS's does it infect? Windows only?

  3. #978
    So what's the best way to fix this infection? My server has been infected.

  4. #979
    Quote Originally Posted by tecnobrat View Post
    What desktop OS's does it infect? Windows only?
    It infected a Windows 7 workstation system, but other OSes may also be affected.

  5. #980
    Quote Originally Posted by tarsiran View Post
    So what's the best way to fix this infection? My server has been infected.
    1. Make sure your local PC is secure + updated since that is the likely point of entry.

    2. Reload your server OS. Once root has been obtained the server integrity will never be 100% trustworthy. You have to reload and start over for true peace of mind.

  6. #981
    Quote Originally Posted by ramnet View Post
    His script will take down any system that is not a CentOS 6.x or RHEL 6.x system.

    His script as it stands right now is more dangerous to the stability of your server than the exploit he is trying to fix.

    All because he can't be bothered to do a basic one line sanity check.
    It would work on 5.x if
    libkeyutils.so.1.3 is changed to libkeyutils.so.1.2

    Why don't you add a check for the OS version if it's so dangerous?

  7. #982
    Quote Originally Posted by Patrick View Post
    1. Make sure your local PC is secure + updated since that is the likely point of entry.

    2. Reload your server OS. Once root has been obtained the server integrity will never be 100% trustworthy. You have to reload and start over for true peace of mind.
    Thanks dude, but I don't want an OS reload.

    I wanna fix the issue only.

  8. #983
    Quote Originally Posted by jalapeno55 View Post
    It would work on 5.x if
    libkeyutils.so.1.3 is changed to libkeyutils.so.1.2

    Why don't you add a check for the OS version if it's so dangerous?
    I already provided him code to use so his script won't damage systems it wasn't designed for. Since people are linking to his script, and since his script (or any other script for that matter) doesn't actually fix the issue anyway, I won't be writing one myself.

    Quote Originally Posted by tarsiran View Post
    Thanks dude, but I don't want an OS reload.

    I wanna fix the issue only.
    You have been rooted. An OS Reload is the only fix.
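As an added illustration (my own, not the script the thread is arguing about and not code from anyone posting here), this is the shape of the "one line sanity check" #981 asks for, written as a report-only check rather than a fix: map the RHEL/CentOS major version to the library file the thread names (libkeyutils.so.1.2 on 5.x, libkeyutils.so.1.3 on 6.x, both taken from the posts above and assumed correct), refuse any other release, and compare the libkeyutils.so.1 symlink against it.

```shell
#!/bin/sh
# Added example (not the script the thread debates, not from any project):
# a report-only check for the tampering described in the thread, where
# libkeyutils.so.1 ends up pointing at a file the distro never shipped.
# Assumed from the thread: the real file is libkeyutils.so.1.2 on RHEL/CentOS
# 5.x and libkeyutils.so.1.3 on 6.x; any other release is refused, not guessed.

# Expected real file name for a major release; empty when not handled.
expected_keyutils() {
    case "$1" in
        5) echo libkeyutils.so.1.2 ;;
        6) echo libkeyutils.so.1.3 ;;
        *) echo "" ;;
    esac
}

# Major version from an /etc/redhat-release line, e.g.
# "CentOS release 6.3 (Final)" -> 6.
release_major() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)[. ].*/\1/p'
}

# check_libkeyutils LIBDIR MAJOR: verify LIBDIR/libkeyutils.so.1 is a symlink
# to the expected file. Prints OK / SUSPECT / UNSUPPORTED; returns 0 only on OK.
check_libkeyutils() {
    dir=$1 major=$2
    want=$(expected_keyutils "$major")
    if [ -z "$want" ]; then
        echo "UNSUPPORTED: release '$major' not handled, not judging $dir"
        return 2
    fi
    link="$dir/libkeyutils.so.1"
    if [ ! -L "$link" ]; then
        echo "SUSPECT: $link is not a symlink"
        return 1
    fi
    target=$(basename "$(readlink "$link")")   # absolute or relative target
    if [ "$target" != "$want" ]; then
        echo "SUSPECT: $link -> $target (expected $want)"
        return 1
    fi
    echo "OK: $link -> $target"
}

# Second opinion on a real host: the link target must be owned by a package.
# Returns 0 where rpm is absent, so the checks above stay usable elsewhere.
check_package_owner() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -qf "$1" >/dev/null 2>&1 && return 0
    echo "SUSPECT: $1 is not owned by any package"
    return 1
}

# On a server: major=$(release_major "$(cat /etc/redhat-release)"), then run
#   check_libkeyutils /lib "$major"   (and /lib64 on 64-bit hosts), followed
#   by check_package_owner on the link target an OK line reports.
```

Nothing here modifies the host; the thread's own advice for a rooted box, a reload, stands regardless of what this prints.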

  9. #984
    Quote Originally Posted by tarsiran View Post
    Thanks dude, but I don't want an OS reload.

    I wanna fix the issue only.
    What OS and version do you have?

  10. #985

    What malware is infesting desktop

    What malware is infesting the desktop? I have scanned many times and found none. Can someone elaborate on what it is, how to remove it, or suggest another tool to look for it?

  11. #986
    Quote Originally Posted by tarsiran View Post
    Thanks dude, but I don't want an OS reload.

    I wanna fix the issue only.
    Your box has been rooted, eric; you don't have any other sensible choice.

  12. #987

    New OS install if rooted

    No choice if you were rooted; a reinstall is the only fix.

    Quote Originally Posted by tarsiran View Post
    Thanks dude, but I don't want an OS reload.

    I wanna fix the issue only.

  13. #988
    Quote Originally Posted by coldbeer View Post
    mod_sec? Can you please write a proper text so we all know what you mean by 'mod_sec setup'.
    Mod Security
    Jean-Pierre Abboud / I'm the TekGURU
    www.Gotekky.com / Managed hosting solutions / AS63447
    Web Hosting, VPS Hosting, Dedicated Servers

  14. #989
    This is from about 8 hours ago:

    Code:
    <nenolod> interesting
    <nenolod> we found a rootkit on tortoiselabs office equipment
    <nenolod> running windows 7
    <nenolod> and our OVH creds were changed from that machine
    <steven> oh noes the h4x
    <nenolod> i wonder if it is related to SSHD thing
    <steven> good question
    <steven> get to work
    <steven> :P
    <nenolod> i have the binaries, i intend to look at them in a bit with idapro
    <nenolod> btw
    <nenolod> the rootkit
    <nenolod> was sending keystrokes as DNS requests
    <nenolod> to the same russian IP
    <steven> which ip
    <steven> what did you use to pickup the rootkit
    <nenolod> the 78.x nameserver ip
    <steven> gotcha
    <nenolod> i used tcpdump while typing into the keyboard on the errant machine
    <nenolod> i then disconnected it from the network :P
    <nenolod> rabbit:/home/nenolod# apk audit --system
    <nenolod> M  /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
    <nenolod> ?  /lib/libkeyutils.so.1.9            
    <nenolod> well, that's concerning
    <nenolod> and, /tmp contains a copy of openssh source
    <steven> even the great neno has been h4x
    <nenolod> this is new
    <nenolod> and it is a honeypot
    <nenolod> it's supposed to be h4x
    <nenolod> the concerning part is that they seem to build the rootkit on the machine
    <nenolod> observation: why would sshd link against libkeyutils.so?
    <nenolod> ran apk fix
    <steven> kernel key management
    <ramnet> nenolod, did you access your honeypot from the workstation that had the keylogger on it?
    <nenolod> as a matter of fact, yes!
    <ramnet> so, you've pretty much confirmed that's what the cause of the hack is then
    <steven> nenolod would you be willing to pass me the windows rootkit?
    <nenolod> steven, yeah as soon as i have a chance to get the machine network-accessible again
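As an added example (mine, not ramnet's or nenolod's, and not tool output from the thread), here is the kind of filter that turns the tcpdump observation in the log above into a repeatable check: count DNS queries per source and destination, drop the resolvers you actually configured, and report what is left. The capture it reads is constructed; 203.0.113.10 is a documentation-range stand-in, not the thread's 78.x IP, and the query labels are made up.

```shell
#!/bin/sh
# Added example, not from the thread or any project: a triage filter for the
# behaviour nenolod describes (keystrokes leaving as DNS queries towards a
# resolver nobody configured). Feed it "tcpdump -n udp port 53" output saved
# to a file; it counts queries per source -> destination, ignores the
# resolvers you expect, and prints pairs at or above a threshold.
# All addresses below are constructed (documentation ranges).

# dns_flag_unexpected_resolvers "ALLOWED RESOLVERS" THRESHOLD  < tcpdump lines
dns_flag_unexpected_resolvers() {
    awk -v allowed="$1" -v thr="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # tcpdump -n layout: <time> IP <src>.<sport> > <dst>.<dport>: <id>+ A? <name>
    $2 == "IP" && $4 == ">" && index($0, "?") > 0 {
        src = $3; sub(/\.[0-9]+$/, "", src)          # drop the source port
        dst = $5; sub(/:$/, "", dst)
        m = split(dst, p, ".")
        if (m != 5 || p[5] != "53") next              # only queries to port 53
        dst = p[1] "." p[2] "." p[3] "." p[4]
        if (!(dst in ok)) cnt[src " -> " dst]++
    }
    END { for (k in cnt) if (cnt[k] >= thr) print k, cnt[k] }'
}

# Constructed capture: 192.168.1.20 talks to its real resolver 192.168.1.1 and
# also fires a burst of opaque-label queries at 203.0.113.10, the pattern the
# thread describes; 192.168.1.30 sends a single ordinary lookup there.
sample_tcpdump() {
cat <<'EOF'
13:02:11.100001 IP 192.168.1.20.50001 > 192.168.1.1.53: 1001+ A? update.example.com. (36)
13:02:11.100523 IP 192.168.1.1.53 > 192.168.1.20.50001: 1001 1/0/0 A 198.51.100.7 (52)
13:02:12.000100 IP 192.168.1.20.50002 > 203.0.113.10.53: 1+ A? a1f09c.k.example. (34)
13:02:12.300100 IP 192.168.1.20.50003 > 203.0.113.10.53: 2+ A? 7b2e44.k.example. (34)
13:02:12.600100 IP 192.168.1.20.50004 > 203.0.113.10.53: 3+ A? c0ffee.k.example. (34)
13:02:12.900100 IP 192.168.1.20.50005 > 203.0.113.10.53: 4+ A? 19d3a0.k.example. (34)
13:02:13.000100 IP 192.168.1.30.50006 > 203.0.113.10.53: 9+ A? www.example.org. (33)
EOF
}

# Usage: sample_tcpdump | dns_flag_unexpected_resolvers "192.168.1.1" 3
# On a real host, take the allowed list from the nameserver lines of
# /etc/resolv.conf and raise the threshold to suit normal query volume.
```

A workstation that shows up here with a steady stream of short queries to one unexpected address while someone is typing is the symptom the thread reports; the next step is the off-network inspection nenolod describes, not a cleanup in place.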

  15. #990
    Quote Originally Posted by ramnet View Post
    I am as well.

    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in dns packets out port 53.

    He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.

    If you have a server affected by this, your workstation has been compromised.
    That is what my gut told me and I hope this is indeed the case...

    The only thing that doesn't make sense to me is I have a client with 3 CentOS/RHEL 5 cPanel servers, one of them is infected with this, the others are not.

    They all have the same configuration, and the client logs into all three servers pretty consistently from the same workstation, so I would expect all three of them to be compromised.

    Of course there are other variables at play here...

    Just trying to wrap my head around if this is indeed 100% a local workstation issue.

    Thanks all for the work you guys have done on this.

    Hopefully some sort of AV signature will be made to detect this shortly.

  16. #991
    Quote Originally Posted by ThreadHo View Post
    What malware is infesting the desktop? I have scanned many times and found none. Can someone elaborate on what it is, how to remove it, or suggest another tool to look for it?
    What scanner are you using?

    First, if it is something like Norton or, God forbid, McAfee, then forget it. The first thing a good Java infection does is plant itself in and hide from whatever virus scanner you have installed on the system, so it becomes useless at finding it. Download a new scanner; I like Avast myself, since it was the only one to reliably detect the Gumblar virus when it was first out. Disable your current scanner and let the new one scan the system. Don't trust what you already have installed.

  17. #992

    Quote Originally Posted by ramnet View Post
    This is from about 8 hours ago:

    <<snipped>>
    May we ask, how or with what software was the rootkit discovered? Time for everyone to scan for it perhaps?
    Last edited by matbz; 02-20-2013 at 07:28 PM. Reason: typo

  18. #993

    Thanks.

    Will try your suggestion. I suspect it may be a login from home.

    Quote Originally Posted by Techark View Post
    What scanner are you using?

    First, if it is something like Norton or, God forbid, McAfee, then forget it. The first thing a good Java infection does is plant itself in and hide from whatever virus scanner you have installed on the system, so it becomes useless at finding it. Download a new scanner; I like Avast myself, since it was the only one to reliably detect the Gumblar virus when it was first out. Disable your current scanner and let the new one scan the system. Don't trust what you already have installed.

  19. #994
    Quote Originally Posted by matbz View Post
    May we ask, how or with what software was the root-kit discovered? Time for everyone to scan for it perhaps?
    <ramnet> nenolod, how did you find that windows rootkit earlier? where was its payload located?
    <nenolod> ramnet, i just ran malware bytes anti malware, and it was a file in C:\Windows\System32 running as LOCAL_SERVICE permissions

  20. #995
    Quote Originally Posted by ramnet View Post
    <ramnet> nenolod, how did you find that windows rootkit earlier? where was its payload located?
    <nenolod> ramnet, i just ran malware bytes anti malware, and it was a file in C:\Windows\System32 running as LOCAL_SERVICE permissions
    Thanks very much ramnet!! Potentially the most useful post in this entire thread

    Anyone affected by this should do the same asap, and please post back to the community with their results.

  21. #996
    Can anyone confirm if servers without CSF have been infected?

  22. #997
    It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:

    I say this because a previous post rang a bell for me: there is a guy here that sent his root password to cPanel support, and a few days later his server was compromised. Maybe cPanel had some kind of data leak?
    The ONLY server that got hit on my network was the one server that I gave cPanel my root password to investigate an issue I was having. All my other servers have been fine and my computer at my office is the only computer I use to access them. So as I said, it is very possible that computers at places like cPanel can also be compromised.

  23. #998
    Quote Originally Posted by brianemwd View Post
    It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:

    The ONLY server that got hit on my network was the one server that I gave cPanel my root password to investigate an issue I was having. All my other servers have been fine and my computer at my office is the only computer I use to access them. So as I said, it is very possible that computers at places like cPanel can also be compromised.
    DirectAdmin servers are also infected.

  24. #999
    Quote Originally Posted by brianemwd View Post
    It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:
    That's correct.

    Any workstation used to login to any given server is an attack vector.

    That includes people with multiple computers at their home or office, people you hire for server management duties, datacenter techs logging in, and anyone else that had your server's login info on their computer and used it.
    Last edited by ramnet; 02-20-2013 at 08:11 PM.

  25. #1000
    <<snipped>>

    So far we have had a few infections; the only constant (most likely a coincidence) is that they're running CSF.

    Just throwing it out there because CSF does have an auto update feature.
    Last edited by bear; 02-21-2013 at 09:14 AM.
