Page 47 of 61
Results 1,151 to 1,175 of 1523
  1. #1151
    Join Date
    Feb 2013
    Location
    /dev/null aka Ohio
    Posts
    61
    @Cloudlinux - Thank you for the quick script to check our systems with.

    I have found quite a few that are infected - and many that are not.

    Just wanted to clarify - this has hit other distros, not just RH/Cent? Correct?

    Thus far I have not found it on Debian or Ubuntu, but figured I would ask.

  2. #1152
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    991
    Quote Originally Posted by cloudhopping View Post
    @Cloudlinux - Thank you for the quick script to check our systems with.

    I have found quite a few that are infected - and many that are not.

    Just wanted to clarify - this has hit other distros, not just RH/Cent? Correct?

    Thus far I have not found it on Debian or Ubuntu, but figured I would ask.
    Yes, there have been reports here by Debian and Ubuntu users who had their servers infected.

    Maybe the reports for Debian/Ubuntu infections are not so many here, because most WHT members use CentOS/Redhat/Fedora for web hosting, but Debian and Ubuntu are affected as well.
    NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
    Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
    Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland

  3. #1153
    Join Date
    Sep 2011
    Posts
    40
    Based on some of the threads, it appears that the attacker didn't change the sshd and ssh binaries, so I am wondering how it is possible to steal the newly created username/password, which were sent via a DNS query? Can anyone shed some light on this?

  4. #1154
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by tonytz View Post
    Based on some of the threads, it appears that the attacker didn't change the sshd and ssh binaries, so I am wondering how it is possible to steal the newly created username/password, which were sent via a DNS query? Can anyone shed some light on this?
    There is a library libkeyutils.so.1.* that is placed on the server and sshd is linked to.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #1155
    Join Date
    Sep 2011
    Posts
    40
    Quote Originally Posted by Steven View Post
    There is a library libkeyutils.so.1.* that is placed on the server and sshd is linked to.
    Interesting, I see how it works now. Good to know.

  6. #1156
    Hey all,

    I see some different entries that are quite similar but I'm not sure if this is another variant or legit:

    lib/libkeyutils-1.2.so
    lib64/libkeyutils-1.2.so
    lib/libkeyutils.so.1
    lib64/libkeyutils.so.1

    Happy to post any other logs as necessary - just might need some locations/direction as to where they are located.

  7. #1157
    Quote Originally Posted by NetworkPanda View Post
    I have some good news, AVG for Linux has been updated and detects the infected libkeyutils* files, no matter what their file name is. Although we had not been infected, I downloaded the infected files (posted here, some pages before) to a test Linux server just to perform various tests.

    So, till yesterday morning none of the Linux antivirus tools was detecting it. Today while performing a scan with AVG for Linux (with updated virus definitions) I got this:

    The infection is detected regardless of its file name. I tried with libtest.so, libkeyutils.so.1.2.so.2, etc. and it was always detected as infected.

    So, it is a good idea to install AVG for Linux (no need to get the paid version just for performing scans and detecting infections) and scan /lib and /lib64 and then your entire system.

    Code:
    avgscan /lib
    avgscan /lib64
    avgscan /
    It will not break things, as it does not heal or quarantine files unless you tell it to do so. It is good just for finding the infection even if the infected files have new file names.
    Can you list how to install the AVG package? Sorry, help for the newbs like me.

  8. #1158
    Join Date
    Nov 2001
    Location
    Ashburn, VA
    Posts
    1,207
    Quote Originally Posted by shackrock View Post
    Hey all,

    I see some different entries that are quite similar but I'm not sure if this is another variant or legit:

    lib/libkeyutils-1.2.so
    lib64/libkeyutils-1.2.so
    lib/libkeyutils.so.1
    lib64/libkeyutils.so.1

    Happy to post any other logs as necessary - just might need some locations/direction as to where they are located.
    Those should be the legit libs. Just run 'rpm -qf /path/to/file' and it will show that they are part of the keyutils-libs package.
    Affordable web hosting, design, & domain registration services since 2001
    www.serve-you.net

  9. #1159
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    scanners

    Last night I scanned the workstations with every thing I could find
    and was suggested here. I finally found a Java Trojan with Avast that was not found by anything else. I sent Steven the logs of what was found and have the file quarantined. I haven't heard back from Steven yet on whether this is the file in question or not, but given the fact that 4 different scanners never found it, I am curious.
    Last edited by weredigital; 02-21-2013 at 04:00 PM.

  10. #1160
    Quote Originally Posted by serve-you View Post
    Those should be the legit libs. Just run 'rpm -qf /path/to/file' and it will show that they are part of the keyutils-libs package.
    Great. While looking in the folder I just did this:
    http://superuser.com/questions/55545...at-it-was-call

    Kill me now, any help is appreciated. Sorry if off-topic, please PM me.


    The good news is that those are legit files for me =)
    [root@server /]# rpm -qf lib/libkeyutils-1.2.so
    keyutils-libs-1.2-1.el5
    [root@server /]# rpm -qf lib64/libkeyutils-1.2.so
    keyutils-libs-1.2-1.el5
    [root@server /]# rpm -qf lib64/libkeyutils.so.1
    keyutils-libs-1.2-1.el5
    [root@server /]# rpm -qf lib/libkeyutils.so.1
    keyutils-libs-1.2-1.el5

  11. #1161
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    New file name: /lib64/libkeyutils.so.1.3.2

  12. #1162
    Join Date
    May 2003
    Location
    Texas
    Posts
    154
    /lib64/libkeyutils-1.2.so.2

    as well.
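    As an added check (example code written for this note, not a script from the thread or from any poster), the following Python automates the 'rpm -qf' ownership test suggested above for every libkeyutils* file in /lib and /lib64, and also reports which libkeyutils file sshd actually resolves, since the thread says that is where the rogue library gets linked in. It assumes a Red Hat style system with rpm and ldd on PATH; the sample ldd output and the unexpected-package case are constructed for illustration.

```python
import re
import subprocess
from pathlib import Path

LIB_DIRS = ("/lib", "/lib64")      # directories the thread tells admins to inspect
LEGIT_PACKAGE = "keyutils-libs"    # owner shown by the rpm -qf output posted above

SAMPLE_LDD = (  # constructed 'ldd /usr/sbin/sshd' sample using the file name posted above
    "\tlibkeyutils.so.1 => /lib64/libkeyutils.so.1.3.2 (0x00007f0000000000)\n"
    "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)\n"
)

def classify_rpm_qf(rpm_output):
    """Verdict for one 'rpm -qf <file>' result: rpm prints the owning package's
    NVR (e.g. keyutils-libs-1.2-1.el5) or 'file ... is not owned by any package'."""
    line = rpm_output.strip().splitlines()[0] if rpm_output.strip() else ""
    if not line or "is not owned by any package" in line:
        return "SUSPICIOUS: not owned by any package"
    name = re.sub(r"-[^-]+-[^-]+$", "", line)   # strip -version-release from the NVR
    if name == LEGIT_PACKAGE:
        return "ok: owned by " + line
    return "SUSPICIOUS: owned by unexpected package " + line

def keyutils_path_from_ldd(ldd_output):
    """Path of the libkeyutils file sshd actually resolves, or None if absent."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*libkeyutils\S*\s*=>\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def rpm_qf(path):
    """Run 'rpm -qf' on one file; the not-owned message may land on stderr."""
    proc = subprocess.run(["rpm", "-qf", str(path)], capture_output=True, text=True)
    return proc.stdout or proc.stderr

def audit(lib_dirs=LIB_DIRS, query=rpm_qf):
    """Map every libkeyutils* file under lib_dirs to its ownership verdict."""
    return {str(p): classify_rpm_qf(query(p))
            for d in lib_dirs if Path(d).is_dir()
            for p in sorted(Path(d).glob("libkeyutils*"))}

if __name__ == "__main__":
    for path, verdict in audit().items():
        print(path, "->", verdict)
    ldd = subprocess.run(["ldd", "/usr/sbin/sshd"], capture_output=True, text=True).stdout
    resolved = keyutils_path_from_ldd(ldd)
    if resolved:   # check the exact file sshd loads, whatever it has been renamed to
        print("sshd resolves", resolved, "->", classify_rpm_qf(rpm_qf(resolved)))
```

A file that rpm reports as unowned, or that is owned by anything other than keyutils-libs, is the case the thread describes; a clean package verdict is only as trustworthy as the rpm database, so follow up with 'rpm -V keyutils-libs' to compare on-disk hashes as well.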

  13. #1163
    Join Date
    Sep 2012
    Posts
    52
    Steven can you make a list of all infected filenames?

  14. #1164
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    Facebook hacked Java exploit

    Just announced on CNN: Facebook hacked via Java exploit. Wonder if it's related to our issues.

    http://www.cnn.com/2013/02/15/tech/s...iref=allsearch

    Apparently old news; it just came in on my feeds. Need a new feed, I guess.
    Last edited by weredigital; 02-21-2013 at 04:29 PM.

  15. #1165
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    991
    Also (now that the infected files are circulating with various random new file names) if you are concerned if a libkeyutils* file is legitimate or if it is an infection, just install AVG for Linux and scan your entire /lib or /lib64 folder.

    AVG works fine on Centos/RHEL with or without cPanel. It is safe to have it installed along with ClamAV or other antivirus software, as AVG free for Linux does not run in real-time mode, it performs only scans on demand to find infections. So, no conflicts with the other antivirus tools you may have.

    Visit http://free.avg.com/us-en/download.prd-alf

    wget the rpm file to your server

    then run

    Code:
    rpm -Uvh avg-xxxxx.rpm
    avg-xxxxx.rpm = the downloaded file (its name changes with each new version released by AVG)

    Then run:
    Code:
    avgupdate
    avgscan /lib
    avgscan /lib64
    (the first command, avgupdate, needs to be run only once per day, to download the new virus definitions)

    No matter what the name of the malicious file is, it will be detected, so you will know which files are clean or not.
    Last edited by NetworkPanda; 02-21-2013 at 04:39 PM.

  16. #1166
    Join Date
    Oct 2005
    Posts
    397
    Quote Originally Posted by NetworkPanda View Post
    Also (now that the infected files are circulating with various random new file names) if you are concerned if a libkeyutils* file is legitimate or if it is an infection, just install AVG for Linux and scan your entire /lib or /lib64 folder.

    AVG works fine on Centos/RHEL with or without cPanel.

    Visit http://free.avg.com/us-en/download.prd-alf

    wget the rpm file to your server

    then run

    Code:
    rpm -Uvh avg-xxxxx.rpm
    avg-xxxxx.rpm = the downloaded file (its name changes with each new version released by AVG)

    Then run:
    Code:
    avgupdate
    avgscan /lib
    avgscan /lib64
    (the first command, avgupdate, needs to be run only once per day, to download the new virus definitions)

    No matter what the name of the malicious file is, it will be detected, so you will know which files are clean or not.
    Which is better AVG or ClamAV?

  17. #1167
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    991
    Quote Originally Posted by jalapeno55 View Post
    Which is better AVG or ClamAV?
    According to my experience, AVG is far better and detects new infections faster than Clam. For example, this new infection is not yet detected by ClamAV, and the same has also happened with several other pieces of malware in the past.

    But it is safe to have AVG installed along with ClamAV or other antivirus software, as AVG free for Linux does not run in real-time mode, it performs only scans on demand to find infections. So, no conflicts with the other antivirus tools you may have.

  18. #1168
    Quote Originally Posted by tecnobrat View Post
    I would put money on the fact that the java exploit (current theory) was actually placed inside a malicious ad that was displayed on a hosting forum or website that hosting admins frequent. Maybe even this site itself.

    The fact that it affects CentOS/Cpanel/etc machines more than others would also lead me to believe it may be a forum / site directly related to that.

    I have no proof of this, but ... logic would dictate?

    I think you may be right.

    Last Saturday (Feb 16) I used my little daughter's old laptop at home to google for mod_rewrite.
    This laptop is used by my daughter to play Flash games, so Flash and Java are allowed,
    and NoScript is missing (and of course no root passwords :-)

    I followed a link to a site with the word htaccess in the domain.

    I am 99% sure I can recall the domain, but since I am not 100% sure I won't post the domain name,
    and I don't want to visit this site again to confirm...

    When the site loaded, the screen froze and the disk started to spin very, very fast.

    I am 100% sure it was an infection.

    I have scanned the laptop with ComboFix, Avira and Malwarebytes, but found nothing.

    I reloaded the OS to be sure.

    Sounds familiar to anyone?

  19. #1169
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by nicknn View Post
    I think you may be right.

    Last Saturday (Feb 16) I used my little daughter's old laptop at home to google for mod_rewrite.
    This laptop is used by my daughter to play Flash games, so Flash and Java are allowed,
    and NoScript is missing (and of course no root passwords :-)

    I followed a link to a site with the word htaccess in the domain.

    I am 99% sure I can recall the domain, but since I am not 100% sure I won't post the domain name,
    and I don't want to visit this site again to confirm...

    When the site loaded, the screen froze and the disk started to spin very, very fast.

    I am 100% sure it was an infection.

    I have scanned the laptop with ComboFix, Avira and Malwarebytes, but found nothing.

    I reloaded the OS to be sure.

    Sounds familiar to anyone?

    Dr.Web live CD, but I guess you reloaded, so it won't matter.

    That is kind of common behavior for Flash malware.

  20. #1170
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    redhat update to ssh

    Possibly related? Just released:
    Moderate: openssh security, bug fix and enhancement update

    https://rhn.redhat.com/errata/RHSA-2013-0519.html

  21. #1171
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by ThreadHo View Post
    Possibly related? Just released:
    Moderate: openssh security, bug fix and enhancement update

    https://rhn.redhat.com/errata/RHSA-2013-0519.html
    CentOS 6 only.

  22. #1172
    Join Date
    Feb 2013
    Location
    /dev/null aka Ohio
    Posts
    61
    Thanks for the clarification on the CentOS 6 only ...
    Also - for the Dr.Web.

    Dr Web found a few things that the other scans did not...
    nothing big I hope...
    but those are offline @ least now.

  23. #1173
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    What did it find? Please send me what you find.

  24. #1174
    Join Date
    Aug 2004
    Posts
    142

  25. #1175
    Join Date
    Mar 2012
    Location
    Tampa, FL =)
    Posts
    1,954
    Finally some big guys are noticing this.
