Page 26 of 39
Results 1,001 to 1,040 of 1523
  1. #1001
    Join Date
    Nov 2012
    Posts
    77
    Quote Originally Posted by coldbeer View Post
    DirectAdmin servers are also infected.
    Yep, and my post said "for example" to reflect that. Nowhere in my post did I imply that ONLY cPanel servers were being infected. All I am saying is that it is very possible that if a workstation exploit is behind these attacks then it would be possible that companies such as cPanel (and there would be others) could have some of their techs compromised.

  2. #1002
    Join Date
    Feb 2013
    Posts
    32
    Quote Originally Posted by ramnet View Post
    That's correct.

    Any workstation used to login to any given server is an attack vector.

    That includes people with multiple computers at their home or office, people you hire for server management duties, and anyone else that had your login info on their computer and used it.
    ramnet, your posts have been most useful. Has there been any indication that the malware on Windows machines has the ability to spread over local networks, infecting other vulnerable machines on your network? Has there also been any indication that there may be some sort of packet sniffing occurring? I am wondering if there are other methods than just keylogging the machine it's on. If this is the case then you may need to check all machines in your local network or networks that have been used to access your Linux servers.

  3. #1003
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by Hellsheep View Post
    ramnet, your posts have been most useful. Has there been any indication that the malware on Windows machines has the ability to spread over local networks, infecting other vulnerable machines on your network? Has there also been any indication that there may be some sort of packet sniffing occurring? I am wondering if there are other methods than just keylogging the machine it's on. If this is the case then you may need to check all machines in your local network or networks that have been used to access your Linux servers.
    Based on what I've heard I don't believe the malware propagates over a local area network, as a single workstation in an office environment was compromised while other similar systems on the LAN weren't.

    That doesn't mean it isn't possible though. nenolod and Steven are still busy analyzing it.
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter

  4. #1004
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,409
    Quote Originally Posted by serve-you View Post
    This was my point. Of course we know Steven, huck, and a few others here run server management companies and are very well known. Random people who just appear in this thread out of nowhere should not be trusted.
    I would hope that goes without saying

    I have noticed a bunch of "noobs" though suddenly asking people.... Can't imagine anyone stupid enough to go along with it though.....

    ▲ ▲

    WoltLab Dev

  5. #1005
    Join Date
    Sep 2002
    Location
    Toronto, ON
    Posts
    3,439
    Ok nevermind, we have servers with CSF that haven't been infected.
    Jean-Pierre Abboud / I'm the TekGURU
    www.Gotekky.com / Managed and Self-Managed hosting solutions
    Toll free: 1.888.915.4400 / Local: 1.514.316.1885 / Live chat
    Cloud VPS Hosting

  6. #1006
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    anyone else had enough of csf warning coming up already LOL

    I appreciate the csf software very much, but when this is fixed I will be so glad to get rid of the warning every few minutes. I know I can turn them off, but I'll leave them there to annoy me and be more careful in future.

  7. #1007
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ThreadHo View Post
    I appreciate the csf software very much, but when this is fixed I will be so glad to get rid of the warning every few minutes. I know I can turn them off, but I'll leave them there to annoy me and be more careful in future.
    Does putting the file in csf.ignore make the warnings go away? If you personally already know it is there, and you don't want reminding...

  8. #1008
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    /lib64/libkeyutils-1.2.so.2 is popping up on centos 5 machines.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  9. #1009
    I'm running a VPS hosting Minecraft and OpenVPN managed through SSH on Ubuntu Server 12.04.2 LTS. I configured 2 factor authentication for login and use a password for access. No public/private keys or anything. I haven't been hit yet. Just reporting in.

  10. #1010
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    * I'm letting it come

    I'm leaving it as punishment and reminder to be more vigilant. It will make me a better admin...
    Quote Originally Posted by matbz View Post
    Does putting the file in csf.ignore make the warnings go away? If you personally already know it is there, and you don't want reminding...

  11. #1011
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by Steven View Post
    /lib64/libkeyutils-1.2.so.2 is popping up on centos 5 machines.
    It's the right file version for Centos 5, that's why that 'script' was screwing up some boxes, but you quote the filename with '.2' on the end?
    Last edited by matbz; 02-20-2013 at 08:44 PM.

  12. #1012
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,776
    Quote Originally Posted by Steven View Post
    /lib64/libkeyutils-1.2.so.2 is popping up on centos 5 machines.
    Have you looked at what is inside it? Same as the other or has the code changed?

  13. #1013
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ThreadHo View Post
    I'm leaving it as punishment and reminder to be more vigilant. It will make me a better admin...
    lol, don't be so hard on yourself.

    Maybe just create a filter in your mail program to put the lovely emails in a 'special' place?

  14. #1014
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by Techark View Post
    Have you looked at what is inside it? Same as the other or has the code changed?
    Code:
    Version 1.1.0
    78.47.139.110
    XXXYwZfC62L
    Xver
    Xcat
    Xbnd
    sshd:1  %s      %s      %s
    g:sshd:1        %s      %s      %s
    ssh:1   %s      %s      %s      %d
    key:1   %d      %s      %s      %s      %d      %s
    %s      %s
    g:%s    %s
    u:%s    %s
    ssh:1   %s      %s      %d
    LOGNAME
    PEM_write_RSAPrivateKey
    PEM_write_DSAPrivateKey
    MD5_Init
    MD5_Update
    MD5_Final
    options
    hostaddr
    idtable
    audit_log_user_message
    audit_log_acct_message
    hosts_access
    pam_authenticate
    pam_start
    __strdup
    root
    crypt
    abcdefghijklmnopqrstuvwxyz
    biz.
    info.
    net.
    %u.%s.%s
    %u.%u.%u.%u
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.
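The strings dump above is the kind of evidence admins in this thread were checking for by hand. As an added example (not Steven's, nenolod's or any vendor's tooling), the following scanner walks the library directories for any libkeyutils file, hashes it, and scores its contents against the strings quoted in that dump, weighted by how out of place each one is in a genuine libkeyutils (a small kernel-keyring client that has no reason to reference PAM, OpenSSL private-key writers, audit logging or tcp_wrappers). The weights, thresholds and directory list are assumptions for illustration; the indicator strings themselves are taken verbatim from the dump.

```python
import hashlib
import os
import re
import sys

# Indicator strings copied from the dump posted in this thread, with assumed
# weights: a single PAM or OpenSSL symbol could conceivably be a false
# positive, the hard-coded address and the Xver/Xcat/Xbnd tokens cannot.
INDICATORS = {
    b"78.47.139.110": 5,
    b"Xver": 3, b"Xcat": 3, b"Xbnd": 3,
    b"PEM_write_RSAPrivateKey": 4,
    b"PEM_write_DSAPrivateKey": 4,
    b"pam_authenticate": 4,
    b"pam_start": 2,
    b"hosts_access": 2,
    b"audit_log_user_message": 2,
    b"audit_log_acct_message": 2,
    b"%u.%u.%u.%u": 1,
    b"%u.%s.%s": 1,
}
SUSPICIOUS = 4    # assumed score threshold
TROJANED = 10     # assumed score threshold

# Matches libkeyutils.so.1, libkeyutils-1.2.so.2 and similar variants.
NAME_RE = re.compile(r"^libkeyutils.*\.so(\.\d+)*$")
DEFAULT_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def classify(data):
    """Score raw file bytes against INDICATORS and return a verdict dict."""
    hits = [s for s in INDICATORS if s in data]
    score = sum(INDICATORS[s] for s in hits)
    if score >= TROJANED:
        verdict = "likely trojaned"
    elif score >= SUSPICIOUS:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"score": score, "hits": [h.decode() for h in hits], "verdict": verdict}


def find_libkeyutils(dirs=DEFAULT_DIRS):
    """Return every path under dirs whose file name looks like a libkeyutils."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for fn in files:
                if NAME_RE.match(fn):
                    found.append(os.path.join(root, fn))
    return found


def scan(paths):
    """Hash and classify each path; unreadable files are reported, not skipped."""
    results = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                data = f.read()
        except OSError as e:
            results.append({"path": p, "error": str(e)})
            continue
        r = classify(data)
        r.update(path=p, sha256=hashlib.sha256(data).hexdigest(),
                 is_symlink=os.path.islink(p))
        results.append(r)
    return results


if __name__ == "__main__":
    dirs = sys.argv[1:] or DEFAULT_DIRS
    for r in scan(find_libkeyutils(dirs)):
        if "error" in r:
            print(f"{r['path']}: {r['error']}")
        else:
            print(f"{r['path']}  sha256={r['sha256'][:16]}...  "
                  f"score={r['score']}  {r['verdict']}  hits={r['hits']}")
```

Run it as root with no arguments to use the default directories, or pass the directories to check. A string hit is a reason to pull the file for analysis, not a clean bill of health in the other direction: a recompiled variant can drop any of these strings, so pair this with package-manager verification (on CentOS, `rpm -V keyutils-libs` reports files that no longer match the package) and with the process and network checks discussed elsewhere in this thread.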

  15. #1015
    Join Date
    Nov 2001
    Location
    Ashburn, VA
    Posts
    1,206
    Quote Originally Posted by TheVisitors View Post
    I would hope that goes without saying

    I have noticed a bunch of "noobs" though suddenly asking people.... Can't imagine anyone stupid enough to go along with it though.....
    You'd be surprised. Some people are just so frazzled by being hacked that they'll do just about anything without thinking about the ramifications. People will execute random code, and follow the advice of random strangers in an effort to resolve whatever issues they may have. Obviously some people have only the best intentions, but there are plenty of "bad guys" (or people with good intentions, but lacking knowledge) out there as well.

    With all the people coming into this thread out of nowhere crying for help, I think it sadly needs to be said that not everyone here can be trusted.
    Affordable web hosting, design, & domain registration services since 2001
    www.serve-you.net

  16. #1016
    Join Date
    Feb 2013
    Posts
    97
    Did someone here get really mad and cut OVH's fibre? http://status.ovh.co.uk/?do=details&id=4165

  17. #1017
    Join Date
    Feb 2013
    Posts
    32
    Quote Originally Posted by Steven View Post
    Code:
    78.47.139.110
    Funny,

    That host is listening on port 25 and 22, 22 is open to the world and you can ssh to it as root. Out of interest I tried what we believe to be the hard coded password but it didn't work.

  18. #1018
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by serve-you View Post
    You'd be surprised. Some people are just so frazzled by being hacked that they'll do just about anything without thinking about the ramifications. People will execute random code, and follow the advice of random strangers in an effort to resolve whatever issues they may have. Obviously some people have only the best intentions, but there are plenty of "bad guys" (or people with good intentions, but lacking knowledge) out there as well.

    With all the people coming into this thread out of nowhere crying for help, I think it sadly needs to be said that not everyone here can be trusted.
    +1

    Good common sense should prevail at all times.

    Some of us are not new here but have not been in for so long that we forgot our WHT login, linked email and pass so created new accounts.

  19. #1019
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,409
    So can anyone confirm that this is also happening to people using Debian or Ubuntu?

    We normally use Debian, but decided against our better judgement to give CentOS 6.3 a try so we could load up cPanel. Mostly because we've been short on time and simply wanted a more "point and click" setup.

    So has this indeed been hurting people on Debian .... Can this be confirmed?

    ▲ ▲

    WoltLab Dev

  20. #1020
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by TheVisitors View Post
    So can anyone confirm that this is also happening to people using Debian or Ubuntu?

    We normally use Debian, but decided against our better judgement to give CentOS 6.3 a try so we could load up cPanel. Mostly because we've been short on time and simply wanted a more "point and click" setup.

    So has this indeed been hurting people on Debian .... Can this be confirmed?
    There was someone who mentioned it.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  21. #1021
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,409
    Quote Originally Posted by Steven View Post
    There was someone who mentioned it.
    I noticed it by a few 1 post wonders....

    .... Was wondering if anyone else could confirm it though.

    I set up a Debian VPS yesterday with no security (none) and it's still ticking away.

    I would not be all too surprised if Debian was in fact not compromised... And maybe someone wants people to think no place is safe.

    ▲ ▲

    WoltLab Dev

  22. #1022
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by TheVisitors View Post
    I noticed it by a few 1 post wonders....

    .... Was wondering if anyone else could confirm it though.

    I set up a Debian VPS yesterday with no security (none) and it's still ticking away.

    I would not be all too surprised if Debian was in fact not compromised... And maybe someone wants people to think no place is safe.
    The same could be said for many centos servers, there are lots of people with zero infections.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  23. #1023
    Join Date
    Jul 2004
    Location
    London, UK
    Posts
    171
    Quote Originally Posted by egillette View Post
    Ironically, I've received multiple messages from various users who have thanked me for creating the script, incorporating some of the suggestions of others, and for maintaining the script up to this point, despite the negativity and unhelpful attitudes of some.
    Yeah because these people don't know that their boxes are still rooted.

    Quote Originally Posted by egillette View Post
    it's probably better to just keep them to yourself, rather than cluttering the thread with more of your opinions.
    Yup, much better. Well, more hilarious to have people running around wonder why they keep getting rooted when they're running a sooper-dooper cleanup script anyways.

  24. #1024
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,409
    Quote Originally Posted by Steven View Post
    The same could be said for many centos servers, there are lots of people with zero infections.
    True, but people who were infected got re-infected. I installed Debian on the same VPS, on the same IP address, port 22, with no security, and the password for root was password.

    I made it so easy that I'm surprised some random bot had not just taken hold... And yet no re-infection so far 24 hours later.

    So can anyone with maybe a little more credibility (not just 1 post wonders), come forward and tell us if Debian is also a problem or not?

    ▲ ▲

    WoltLab Dev

  25. #1025
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,565
    Based on the recent findings as well as evidence in this thread...

    If it's a linux server and connected to the internet, it's vulnerable.


    Stop asking if such and such distro is safe or not. Scan your PCs and monitor your network for malicious UDP payload, or hire someone qualified to do it for you.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  26. #1026
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,409
    Quote Originally Posted by FastServ View Post
    Based on the recent findings as well as evidence in this thread:

    If it's a linux server and connected to the internet, it's vulnerable.


    Stop asking if such and such distro is safe or not.
    ^ That argument can be applied to anything connected to the Internet. Because nothing is 100% guaranteed hack / crack proof. If there is a will there is always a way.

    My question is not toward "can" something be hacked / cracked.... That would be an illogical argument because the answer is yes. Everything can be.

    My question was: at this time, does this single issue currently affect Debian? My findings so far would suggest at least for the moment, no. But I would like to know if anyone else (one of WHT's more experienced and well-known users) could confirm or deny whether this single issue at this moment affects Debian.

    I believe it is a valid (even if you do not).

    ▲ ▲

    WoltLab Dev

  27. #1027
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by FastServ View Post
    ...

    If it's a linux server and connected to the internet, it's vulnerable.


    ...
    If I may... I don't IMHO think that's entirely true, you are drawing a distinction that is not yet qualified. There is evidence within this thread that a root-kit on an office PC is the root of the issue (a key-logger). The targeting of Linux boxes with the data captured from such a key-logger is not proof that Linux is vulnerable, but a choice of the hacker, surely?

  28. #1028
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,565
    Quote Originally Posted by matbz View Post
    If I may... I don't IMHO think that's entirely true, you are drawing a distinction that is not yet qualified. There is evidence within this thread that a root-kit on an office PC is the root of the issue (a key-logger). The targeting of Linux boxes with the data captured from such a key-logger is not proof that Linux is vulnerable, but a choice of the hacker, surely?
    I should have omitted the Linux part -- it was said in context of the post I was replying to -- e.g. this distro is immune, this is not (in fact, windows logins, ISP login details, or even bank details could also be at risk).
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  29. #1029
    Join Date
    Apr 2011
    Posts
    223
    Ramnet, thanks for posting this!

    Quote Originally Posted by ramnet View Post
    I am as well.
    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in dns packets out port 53.

    He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

    IP's all match the suspect IP's here.
    If you have a server affected by this, your workstation has been compromised.
    Steven & nenolod - thanks for all the hard work you've put into investigating this!

    May I ask whether either of you has tested which antivirus/malware scanner is able to detect this keylogger?

    That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.
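The quoted finding that the workstation keylogger sends keystrokes out in DNS packets on port 53 is exactly the traffic FastServ earlier told people to watch for. As an added example (not code from ramnet, nenolod or anyone else in this thread), here is a heuristic that runs over DNS query logs and flags source hosts whose queries look like a data channel rather than name resolution: many distinct names, each carrying a long high-entropy label. The log format, the thresholds and the sample lines are constructed for illustration; the "counter.payload.domain" shape of the sample names is an assumption suggested by the `%u.%s.%s` format string and the `biz.`/`info.`/`net.` strings in the dump posted earlier, not a confirmed description of the real malware's encoding. The heuristic is generic DNS-tunnelling detection and will catch other tunnels too.

```python
import math
from collections import defaultdict

# Constructed sample (NOT real traffic) of resolver/firewall log lines:
# "<time> <src_ip> <dst_ip> <dst_port> <query_name>"
# 192.0.2.10 browses normally; 192.0.2.20 mimics a keystroke exfil channel.
SAMPLE_LOG = """\
2013-02-20T20:44:01 192.0.2.10 198.51.100.1 53 www.example.com
2013-02-20T20:44:01 192.0.2.10 198.51.100.1 53 mail.example.com
2013-02-20T20:44:02 192.0.2.10 198.51.100.1 53 cdn.example.net
2013-02-20T20:44:02 192.0.2.10 198.51.100.1 53 www.example.com
2013-02-20T20:44:02 192.0.2.10 198.51.100.1 53 mail.example.com
2013-02-20T20:44:02 192.0.2.10 198.51.100.1 53 ntp.example.org
2013-02-20T20:44:03 192.0.2.20 198.51.100.1 53 3107.t9gzqx2mkl8v.example.biz
2013-02-20T20:44:03 192.0.2.20 198.51.100.1 53 3108.w4hnpq7ckd0z.example.biz
2013-02-20T20:44:04 192.0.2.20 198.51.100.1 53 3109.b2vjrm5xfs1y.example.info
2013-02-20T20:44:04 192.0.2.20 198.51.100.1 53 3110.q8ltzk6ndh3a.example.net
2013-02-20T20:44:05 192.0.2.20 198.51.100.1 53 3111.f5mcwy9rpb4e.example.biz
2013-02-20T20:44:06 192.0.2.20 198.51.100.1 53 3112.j7dsxv1gtn6u.example.info
2013-02-20T20:44:06 192.0.2.30 198.51.100.1 443 not-a-dns-line
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_label_entropy(name):
    """Entropy of the most random-looking label in a dotted DNS name."""
    return max(shannon_entropy(label) for label in name.split("."))


def parse_line(line):
    """Return (src_ip, query_name) for a port-53 log line, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "53":
        return None
    return parts[1], parts[4].lower().rstrip(".")


def analyze(log_text, min_queries=5, entropy_threshold=3.0, unique_ratio=0.8):
    """Per source host: query count, distinct names, mean label entropy, flag.

    A host is flagged only when all three assumed thresholds are met, which
    keeps a busy but ordinary client (many repeats, dictionary-word labels)
    out of the report.
    """
    names_by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            names_by_src[rec[0]].append(rec[1])
    report = {}
    for src, names in names_by_src.items():
        total, unique = len(names), len(set(names))
        mean_ent = sum(max_label_entropy(n) for n in names) / total
        flagged = (total >= min_queries
                   and unique / total >= unique_ratio
                   and mean_ent >= entropy_threshold)
        report[src] = {"total": total, "unique": unique,
                       "mean_entropy": round(mean_ent, 3), "flagged": flagged}
    return report


if __name__ == "__main__":
    for src, stats in sorted(analyze(SAMPLE_LOG).items()):
        mark = "SUSPECT" if stats["flagged"] else "ok     "
        print(f"{mark} {src:<12} queries={stats['total']:<3} "
              f"unique={stats['unique']:<3} entropy={stats['mean_entropy']}")
```

Feed it real resolver logs after adapting `parse_line` to your format, and treat a flagged workstation as a candidate for the offline scans discussed in this thread rather than as proof of infection: CDN and anti-spam lookups also produce hashed-looking labels, so the useful follow-up is to look at which domains the flagged host is querying and whether the queries continue while nobody is typing.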

  30. #1030
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by FastServ View Post
    I should have omitted the Linux part -- it was said in context of the post I was replying to -- e.g. this distro is immune, this is not (in fact, windows logins, ISP login details, or even bank details could also be at risk).
    Indeed, the only really safe place from anything is in your room with everything switched off, but even that is relative

  31. #1031
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by vpswing View Post
    Ramnet, thanks for posting this!



    Steven & nenolod - thanks for all the hard work you've put into investigating this!

    May I ask whether either of you has tested which antivirus/malware scanner is able to detect this keylogger?

    That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.

    I don't actually have access to it yet. However nenolod has shared that malwarebytes picked it up.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  32. #1032
    Join Date
    Dec 2009
    Posts
    140
    I have several antivirus products installed (on different machines), all up to date. If someone sends me the malware I can scan it for you.

  33. #1033
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    scanners ran

    I'm currently doing a third scan on the same box.
    This is the only box I could have been infected on, in my opinion.

    I found nothing with
    Spybot
    nothing with MS Malware scanner
    now running Malwarebytes

    Will advise as soon as it finishes.
    Only thing I have confirmed thus far is I do have over 3 million files on my box.




    Quote Originally Posted by vpswing View Post
    Ramnet, thanks for posting this!



    Steven & nenolod - thanks for all the hard work you've put into investigating this!

    May I ask whether either of you has tested which antivirus/malware scanner is able to detect this keylogger?

    That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.

  34. #1034
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by bdx33 View Post
    I have several antivirus installed (on different machines) all are up to date. If someone sends me the malware I can scan it for you.
    It's been previously stated that 'Malwarebytes Anti-Malware' picked it up. If you have an infected box that you have accessed from the scanned PC, could you please post the scan output from that PC here so the community can see it? If you have any malware found results of course.
    Last edited by matbz; 02-20-2013 at 11:02 PM. Reason: appended "If you have any malware found results of course."

  35. #1035
    Join Date
    Apr 2011
    Posts
    223
    Quote Originally Posted by Steven View Post
    I don't actually have access to it yet. However nenolod has shared that malwarebytes picked it up.
    Thanks Steven!

    Quote Originally Posted by ThreadHo View Post
    I'm currently doing a third scan on the same box.
    This is the only box I could have been infected on, in my opinion.

    I found nothing with
    Spybot
    nothing with MS Malware scanner
    now running Malwarebytes

    Will advise as soon as it finishes.
    Only thing I have confirmed thus far is I do have over 3 million files on my box.
    Thanks ThreadHo!

  36. #1036
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by ThreadHo View Post
    Im currently doing third scan on the same box .
    This is the only box I could have been infected on in my option.
    Well, you must remember that the earliest reports of this infection go all the way back to August 2012. That's a huge 7 month window of possibilities. The infection on your server may have been lying dormant for months.

    You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter

  37. #1037
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ramnet View Post
    You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.
    Or not even known about it.

  38. #1038
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    Third Scan complete

    Malwarebytes found nothing
    MS malware scan nothing
    Spybot scan nothing, on to the fourth

  39. #1039
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    You're right about forgetting

    I did have a Java update that installed a toolbar and more when I forgot to un-check that little box. I had to restore after that. Possible I wiped it out then.

    Quote Originally Posted by ramnet View Post
    Well, you must remember that the earliest reports of this infection go all the way back to August 2012. That's a huge 7 month window of possibilities. The infection on your server may have been lying dormant for months.

    You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.

  40. #1040
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ThreadHo View Post
    Malwarebytes found nothing
    MS malware scan nothing
    Spybot scan nothing, on to the fourth
    But you have an infected box?
    Was there anyone else who had root ssh access to the infected box?

