Thread: SSHD Rootkit Rolling around
02-21-2013, 03:28 PM #1151 - Junior Guru Wannabe (joined Feb 2013, /dev/null aka Ohio, 61 posts)
@Cloudlinux - Thank you for the quick script to check our systems with.
I have found quite a few that are infected, and many that are not.
Just wanted to clarify: this has hit other distros, not just RH/CentOS, correct?
Thus far I have not found it on Debian or Ubuntu, but figured I would ask.
-
02-21-2013, 03:34 PM #1152 - Web Hosting Master (joined Oct 2012, Europe and USA, 991 posts)
Yes, there have been reports here by Debian and Ubuntu users who had their servers infected.
Maybe the reports for Debian/Ubuntu infections are not so many here because most WHT members use CentOS/Red Hat/Fedora for web hosting, but Debian and Ubuntu are affected as well.
★ NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
★ Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
★ Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland
-
02-21-2013, 03:38 PM #1153 - Junior Guru Wannabe (joined Sep 2011, 40 posts)
Based on some of the threads, it appears that the attacker didn't change the sshd and ssh binaries, so I am wondering how it is possible to steal the newly created username/password, which were sent via a DNS query? Can anyone shed some light on this?
-
02-21-2013, 03:41 PM #1154 - Problem Solver (joined Mar 2003, California USA, 13,681 posts)
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
02-21-2013, 03:46 PM #1155 - Junior Guru Wannabe (joined Sep 2011, 40 posts)
-
02-21-2013, 03:48 PM #1156 - Newbie (joined Feb 2011, 14 posts)
Hey all,
I see some different entries that are quite similar but I'm not sure if this is another variant or legit:
lib/libkeyutils-1.2.so
lib64/libkeyutils-1.2.so
lib/libkeyutils.so.1
lib64/libkeyutils.so.1
Happy to post any other logs as necessary - just might need some locations/direction as to where they are located.
-
02-21-2013, 03:52 PM #1157 - Newbie (joined Feb 2011, 14 posts)
-
02-21-2013, 03:56 PM #1158 - Web Hosting Master (joined Nov 2001, Ashburn, VA, 1,207 posts)
Affordable web hosting, design, & domain registration services since 2001
www.serve-you.net
-
02-21-2013, 03:57 PM #1159 - Junior Guru Wannabe (joined Nov 2010, Saskatchewan yep Canada, 36 posts)
scanners
Last night I scanned the workstations with everything I could find and that was suggested here. I finally found a Java Trojan with Avast that was not found by anything else. I sent Steven the logs of what was found and have the file quarantined. I haven't heard back from Steven yet on whether this is the file in question or not, but given the fact that 4 different scanners never found it, I am curious.
-
02-21-2013, 04:03 PM #1160 - Newbie (joined Feb 2011, 14 posts)
Great, while looking in the folder I just did this:
http://superuser.com/questions/55545...at-it-was-call
Kill me now, any help is appreciated. Sorry if off-topic, please PM me.
The good news is that those are legit files for me =)
Code:
[root@server /]# rpm -qf lib/libkeyutils-1.2.so
keyutils-libs-1.2-1.el5
[root@server /]# rpm -qf lib64/libkeyutils-1.2.so
keyutils-libs-1.2-1.el5
[root@server /]# rpm -qf lib64/libkeyutils.so.1
keyutils-libs-1.2-1.el5
[root@server /]# rpm -qf lib/libkeyutils.so.1
keyutils-libs-1.2-1.el5
-
02-21-2013, 04:12 PM #1161 - Problem Solver (joined Mar 2003, California USA, 13,681 posts)
New file name: /lib64/libkeyutils.so.1.3.2
-
02-21-2013, 04:16 PM #1162 - WHT Addict (joined May 2003, Texas, 154 posts)
/lib64/libkeyutils-1.2.so.2
as well.
-
02-21-2013, 04:18 PM #1163 - Junior Guru Wannabe (joined Sep 2012, 52 posts)
Steven can you make a list of all infected filenames?
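A list of infected file names goes stale with every renamed variant (the thread has already turned up libkeyutils.so.1.3.2 and libkeyutils-1.2.so.2 on top of the rpm -qf checks in #1160), so here is an added audit script that does not depend on names at all. It is an editor's example, not code from the thread, from Cloudlinux's checker or from Rack911. It assumes an RPM-based host where the genuine library is owned by the keyutils-libs package and sits directly under /lib or /lib64 (the EL5/EL6 layout of 2013; on a distro that merged /lib into /usr/lib the find paths and package name need adjusting). The sample path lists at the bottom are constructed from the names quoted in this thread so the comparison can be exercised on a box without rpm.

```shell
#!/bin/sh
# Added example (not from the thread): find libkeyutils* files that the
# keyutils-libs package does not own. The rootkit discussed here drops a
# file with a plausible name next to the real library, so a name list is
# always one variant behind; package ownership is the check that lasts.
# "keyutils-libs" is the EL5/EL6 package name; adjust it for your distro.

# unowned_libs OWNED FOUND
#   OWNED: newline-separated paths the package claims (rpm -ql output)
#   FOUND: newline-separated paths actually present on disk
# Prints every FOUND path that is absent from OWNED, one per line.
unowned_libs() {
    owned=$1
    found=$2
    printf '%s\n' "$found" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        if ! printf '%s\n' "$owned" | grep -qxF -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Live use on an RPM-based host: compare disk with the package database,
# then ask rpm to re-verify the owned files (a "5" in the first column of
# rpm -V output means the on-disk checksum no longer matches the package,
# i.e. the real file was replaced in place), and finally list which
# libkeyutils each running sshd has actually mapped.
audit_keyutils() {
    owned=$(rpm -ql keyutils-libs 2>/dev/null)
    found=$(find -H /lib /lib64 -maxdepth 1 -name 'libkeyutils*' 2>/dev/null)
    echo "== libkeyutils files not owned by keyutils-libs =="
    unowned_libs "$owned" "$found"
    echo "== rpm -V keyutils-libs =="
    rpm -V keyutils-libs
    echo "== libkeyutils mapped by running sshd processes =="
    for p in $(pidof sshd 2>/dev/null); do
        grep -h libkeyutils "/proc/$p/maps" 2>/dev/null
    done | awk '{print $6}' | sort -u
}

# Constructed sample lists, modelled on the file names quoted in this
# thread, so the comparison can run on a machine without rpm.
OWNED_SAMPLE='/lib64/libkeyutils-1.2.so
/lib64/libkeyutils.so.1
/lib/libkeyutils-1.2.so
/lib/libkeyutils.so.1'
FOUND_SAMPLE='/lib64/libkeyutils-1.2.so
/lib64/libkeyutils.so.1
/lib64/libkeyutils.so.1.3.2
/lib64/libkeyutils-1.2.so.2'

# Prints the two unowned names:
#   /lib64/libkeyutils.so.1.3.2
#   /lib64/libkeyutils-1.2.so.2
unowned_libs "$OWNED_SAMPLE" "$FOUND_SAMPLE"
```

On a real host run `audit_keyutils` as root. Any path printed under the first heading, any "5" flag from rpm -V, or a mapped path in the sshd section that the package does not own means the library sshd is loading is not the distro's, whatever the file is called.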
-
02-21-2013, 04:22 PM #1164 - Junior Guru Wannabe (joined Nov 2010, Saskatchewan yep Canada, 36 posts)
Facebook hacked Java exploit
Just announced on CNN: Facebook hacked via Java exploit. I wonder if it is related to our issues.
http://www.cnn.com/2013/02/15/tech/s...iref=allsearch
Apparently old news; it just came in on my feeds. I need a new feed, I guess.
-
02-21-2013, 04:34 PM #1165 - Web Hosting Master (joined Oct 2012, Europe and USA, 991 posts)
Also (now that the infected files are circulating with various random new file names), if you are concerned whether a libkeyutils* file is legitimate or an infection, just install AVG for Linux and scan your entire /lib or /lib64 folder.
AVG works fine on CentOS/RHEL with or without cPanel. It is safe to have it installed along with ClamAV or other antivirus software, as AVG free for Linux does not run in real-time mode; it only performs on-demand scans to find infections. So, no conflicts with the other antivirus tools you may have.
Visit http://free.avg.com/us-en/download.prd-alf
wget the rpm file to your server, then run:
Code:
rpm -Uvh avg-xxxxx.rpm
Then run:
Code:
avgupdate
avgscan /lib
avgscan /lib64
No matter what the name of the malicious file is, it will be detected, so you will know which files are clean or not.
-
02-21-2013, 04:38 PM #1166 - Aspiring Evangelist (joined Oct 2005, 397 posts)
-
02-21-2013, 04:40 PM #1167 - Web Hosting Master (joined Oct 2012, Europe and USA, 991 posts)
In my experience, AVG is far better and detects new infections faster than Clam. For example, this new infection is not yet detected by ClamAV, and the same has also happened with several other malware in the past.
But it is safe to have AVG installed along with ClamAV or other antivirus software, as AVG free for Linux does not run in real-time mode; it only performs on-demand scans to find infections. So, no conflicts with the other antivirus tools you may have.
-
02-21-2013, 04:41 PM #1168 - Newbie (joined Jul 2006, 5 posts)
I think you may be right.
Last Saturday (Feb 16) I used my little daughter's old laptop at home to google for mod_rewrite.
This laptop is used by my daughter to play Flash games, so Flash and Java are allowed,
and NoScript is missing (and of course no root passwords :-)
I followed a link to a site with the word htaccess in the domain.
I am 99% sure I can recall the domain, but since I am not 100% I won't post the domain name,
and I don't want to visit this site again to confirm.
When the site loaded, the screen froze and the disk started to spin very, very fast.
I am 100% sure it was an infection.
I have scanned the laptop with ComboFix, Avira and Malwarebytes, but found nothing.
I reloaded the OS to be sure.
Sounds familiar to anyone?
-
02-21-2013, 04:53 PM #1169 - Problem Solver (joined Mar 2003, California USA, 13,681 posts)
-
02-21-2013, 04:57 PM #1170 - Junior Guru Wannabe (joined Nov 2010, Saskatchewan yep Canada, 36 posts)
Red Hat update to ssh
Possibly related? Just released:
Moderate: openssh security, bug fix and enhancement update
https://rhn.redhat.com/errata/RHSA-2013-0519.html
-
02-21-2013, 04:59 PM #1171 - Problem Solver (joined Mar 2003, California USA, 13,681 posts)
-
02-21-2013, 07:43 PM #1172 - Junior Guru Wannabe (joined Feb 2013, /dev/null aka Ohio, 61 posts)
Thanks for the clarification on the Cent6 only ...
Also, for the Dr.Web:
Dr.Web found a few things that the other scans did not...
nothing big, I hope...
but those are offline at least now.
-
02-21-2013, 07:49 PM #1173 - Problem Solver (joined Mar 2003, California USA, 13,681 posts)
What did it find? Please send me what you find.
-
02-21-2013, 08:02 PM #1174 - WHT Addict (joined Aug 2004, 142 posts)
-
02-21-2013, 08:09 PM #1175 - Temporarily Suspended (joined Mar 2012, Tampa, FL =), 1,954 posts)