  1. #951
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,867
    Quote Originally Posted by dittoa View Post
    It does NOT EXIST - so how can you tell anything about it. NEXT NEXT NEXT, STUPID NEXT - you said that way too many times in this thread. I am ignoring all your posts in the future.
    The fact that you think libproxy has anything to do in the SLIGHTEST with the exploit sums up your knowledge about what you are trying to help with... Good intentions are great and all, but at least know what you are referencing.

  2. #952
    Join Date
    Aug 2004
    Posts
    136
    flopunctro, would you please mail your findings to kre80r [at] gmail

  3. #953
    Join Date
    Oct 2005
    Posts
    393
    Quote Originally Posted by flopunctro View Post
    > Please ignore users that joined earlier than a month.

    Sure, always a good idea! Newcomers are nothing but trouble. /s

    dicoemil: please don't offer to fix people's servers for free. There be dragons that way

    That being said, let's get constructive.

    I am a freelance sysadmin; I administer ~80 Linux boxes, mostly CentOS installed by me and up-to-date. I have checked a handful of them and found no infection so far. They are very diverse: cPanel, DirectAdmin, mail servers, internet routers, file servers. Some have ssh on 22, some on nonstandard ports. Some have password auth enabled, some don't. Most of them are CentOS, and some of them are Debian and Ubuntu.
    The common denominator is that only I have root access on them, and I log in as root with a key.

    I say this because a previous post rang a bell for me: there is a guy here that sent his root password to cPanel support, and a few days later his server was compromised. Maybe cPanel had some kind of data leak?

    Until 2 years ago, I worked at some online-solutions software shop, and during my last months of work there I fought a targeted attacker with a similar modus operandi.
    While I haven't found the entry vector, the compromise was always like this:
    - (somehow get root)
    - download a "trojaned" openssh kit, compile and install it
    - the compromised ssh and sshd would send a UDP packet on all incoming and outgoing password logins -- even on failed ones.

    The attacker was stubborn enough to repeat this over and over again, and also not skilled enough to evade our booby traps. So I managed to intercept his commands and the source code of his trojaned openssh. However, my C skills are not good enough to attempt any analysis.

    Now, me being an old rkhunter user and its mailing-list lurker, I hope that the UnSpawn that commented here a few pages ago is the same UnSpawn that's a maintainer for rkhunter.
    If yes, UnSpawn: you might remember I sent you this tarball and the command history, on 2011-03-01, with the hope that you might include some signature (strings in the binary files, or you-know-better-what) so that the next version of rkhunter will detect this type of compromise.

    Now, if somebody is still interested in that tarball, just ask; I'm gonna be around for ~1h and refreshing this thread. Also, I wouldn't mind a more real-time discussion, maybe IRC or Skype.

    Flo
    That is the same UnSpawn; please share evidence and findings with handlers @ isc.sans .edu. UnSpawn contacted SANS and they are investigating this.

  4. #954
    Join Date
    Aug 2008
    Posts
    534
    Quote Originally Posted by dittoa View Post
    CentOS just released an update that I first thought might be related, but something is wrong and I am confused. Look at this update from today:

    [CentOS-announce] CESA-2013:0271 Critical CentOS 6 libproxy Update http://www.mail-archive.com/centos-a.../msg07244.html

    But that page links to the Firefox security update from Red Hat https://rhn.redhat.com/errata/RHSA-2013-0271.html

    And when I look for the "libproxy" update at Red Hat, it is nowhere to be found: https://rhn.redhat.com/errata/rhel-server-6-errata.html
    You'll find the libproxy updates here:
    https://rhn.redhat.com/errata/RHSA-2013-0271.html

    The Advisory of that page is RHSA-2013:0271. Now search for that here:
    https://rhn.redhat.com/errata/rhel-server-6-errata.html

    Edit: in other words there is nothing to worry about. Just look better
    Regards,

  5. #955
    Join Date
    Dec 2001
    Posts
    55
    Quote Originally Posted by flopunctro View Post
    > Please ignore users that joined earlier than a month.

    Sure, always a good idea! Newcomers are nothing but trouble. /s

    dicoemil: please don't offer to fix people's servers for free. There be dragons that way

    That being said, let's get constructive.

    I am a freelance sysadmin; I administer ~80 Linux boxes, mostly CentOS installed by me and up-to-date. I have checked a handful of them and found no infection so far. They are very diverse: cPanel, DirectAdmin, mail servers, internet routers, file servers. Some have ssh on 22, some on nonstandard ports. Some have password auth enabled, some don't. Most of them are CentOS, and some of them are Debian and Ubuntu.
    The common denominator is that only I have root access on them, and I log in as root with a key.

    I say this because a previous post rang a bell for me: there is a guy here that sent his root password to cPanel support, and a few days later his server was compromised. Maybe cPanel had some kind of data leak?

    Until 2 years ago, I worked at some online-solutions software shop, and during my last months of work there I fought a targeted attacker with a similar modus operandi.
    While I haven't found the entry vector, the compromise was always like this:
    - (somehow get root)
    - download a "trojaned" openssh kit, compile and install it
    - the compromised ssh and sshd would send a UDP packet on all incoming and outgoing password logins -- even on failed ones.

    The attacker was stubborn enough to repeat this over and over again, and also not skilled enough to evade our booby traps. So I managed to intercept his commands and the source code of his trojaned openssh. However, my C skills are not good enough to attempt any analysis.

    Now, me being an old rkhunter user and its mailing-list lurker, I hope that the UnSpawn that commented here a few pages ago is the same UnSpawn that's a maintainer for rkhunter.
    If yes, UnSpawn: you might remember I sent you this tarball and the command history, on 2011-03-01, with the hope that you might include some signature (strings in the binary files, or you-know-better-what) so that the next version of rkhunter will detect this type of compromise.

    Now, if somebody is still interested in that tarball, just ask; I'm gonna be around for ~1h and refreshing this thread. Also, I wouldn't mind a more real-time discussion, maybe IRC or Skype.

    Flo
    A link to the tarball would be good :-)

  6. #956
    Quote Originally Posted by patchwork View Post
    A link to the tarball would be good :-)
    I'd rather not make suspicious code publicly available. I can email it to you.

  7. #957
    Join Date
    Apr 2008
    Location
    Romania
    Posts
    17
    Quote Originally Posted by coldbeer View Post
    Please stop trolling.

    You're another troll here.

    Please ignore users that joined earlier than a month.

    You can block these IPs in your firewall to make sure they can't connect to your server(s).
    Code:
    78.47.139.110
    94.23.23.153
    94.23.72.193
    188.165.129.30
    87.230.54.65
    46.105.108.166
    46.105.20.166
    178.162.248.74
    We should make a list together. Btw, I temporarily blocked France in CSF (set CC_DENY to FR) to make sure French OVH IPs can't connect anymore.
    Well, is this account better if it is older? Now my trust increased by +1?

    The IPs you posted above, I posted a few pages back; if I can't be trusted, then why are you using them? Filtering those IPs won't fix your server; sooner or later more IPs will pop up. Like today, IP 93.170.106.210 appeared, so you can add that too.

    And yes, it is "smart" if you block countries. If you have no clue what RNB is, then here is some news for you. I'm pretty sure they have abused machines from which they can connect to your server in each country on this planet, probably even the North Pole... That's why I want to find this bug, because they are skilled compared with most sysadmins.

  8. #958
    Quote Originally Posted by coldbeer View Post
    Please ignore users that joined earlier than a month.
    Don't tar us all with the same brush. Some of us have just forgotten our login details and our old rescue email accounts are connected to long-expired domain names.

    http://www.webhostingtalk.com/member.php?u=125335

  9. #959
    Join Date
    Apr 2008
    Location
    Romania
    Posts
    17
    And actually plexy had the best input/debug in the last 24 hours. So, any more news for tonight from that abused server?

    @flopunctro as you know, the problem right now is not the backdooring; it is how the attacker downloaded the backdoor onto the server and, more important, how he got root on such a big variety of configurations.

  10. #960
    Join Date
    Dec 2001
    Posts
    55
    Quote Originally Posted by flopunctro View Post
    I'd rather not make suspicious code publicly available. I can email it to you.
    Thanks flopunctro

    patchwork14 hotmail dot com

  11. #961
    flopunctro,

    Could you send me a copy?

    jake.alexander at runbox dot com

  12. #962
    So, any more news for tonight from that abused server?
    Not much from me. I had a bunch of invalid password logins in /var/log/secure from the usual suspect IPs after I removed the exploit.

    But I had not changed the root password (on purpose, as I was PCAPing). So if someone had compromised the root password for this machine, then why would they not try that, and instead just try the password embedded in libkeyutils.so.1.9? Putting on a white hat for a second, if I had 2 passwords, one from a rootkit and one from a compromised user, I would not try just one and then stop when I get nowhere. I'd try them both. That didn't happen.

    Compromised root passwords are a good possibility, but for some reason it's just not gelling with me right now. Call it a hunch.

  13. #963

    InfosecNewsBot info

    The InfosecNewsBot sent out this tweet which has links to this thread as well as some other good information. It looks like some malware scanners are starting to pick this up:

    Linux/CentOS SSHd Spam Exploit libkeyutils.so.1.9: Someone shared a sample of the Linux root... bit.ly/12O9kKL #infosec #malware

  14. #964
    Join Date
    Oct 2011
    Location
    England, UK
    Posts
    101
    I am 100% with Steve on his theory of local machine hacking. Reading this thread in Chrome, e-mail from CSF:

    "lfd on [server]: WHM/cPanel root access alert from [my home IP]"

    SSH inbound is firewalled on this server, this came in via WHM. No tab open to that server in Chrome, no passwords saved in Chrome. Lastpass never used. I have a local file with passwords in it (yeah, insecure!) and likely had the password to that server in my clipboard.

    Windows 8 x64, Panda Antivirus, MalwareBytes Pro (realtime shields active). TeamViewer, Last.fm, Spotify, FileZilla, PuTTY, Trillian, MS Word, Winamp, Dropbox running.

    Chrome Plugins: default + Java (latest). Chrome Extensions: Checker Plus for Gmail, Google Docs, Google Tasks (by Google), PageRank Status, Speed Dial, Thin Scroll Bar, TweetDeck, Yet another flags.

    Any other info you need to know, please ask.

  15. #965
    Join Date
    Sep 2012
    Posts
    52
    Use Adblocker

  16. #966
    Join Date
    Nov 2010
    Location
    Orlando, Florida
    Posts
    88
    Hey all, I'm posting this based on the suggestion of someone who suggested I modify the script a bit to use auditctl, which I've done.

    Anyone interested can get it here:

    https://www.ericgillette.com/clients/exploit-cleanup

    Code:
    wget https://www.ericgillette.com/clients/exploit-cleanup
    Then:

    Code:
    md5sum ./exploit-cleanup
    Should match: 35d43e7a7294c7d28255d0d4ca3f135e

    Then:

    Code:
    sh ./exploit-cleanup
    For users who would like to know and read through what this script does:

    This will attempt to move the file into a directory where if requested, you can supply the file to requestors here.

    In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate since system configurations, and versions vary somewhat -- that said you can execute the commands in the script individually if you prefer, otherwise you use it at your own risk.

    Ironically, I've received multiple messages from various users who have thanked me for creating the script, incorporating some of the suggestions of others, and for maintaining the script up to this point, despite the negativity and unhelpful attitudes of some.

    That said, to those that have expressed their opinions concerning the script prior, your opinions will have no effect on what I decide to do, so it's probably better to just keep them to yourself, rather than cluttering the thread with more of your opinions.

    As I said prior, agree to disagree, and move on -- find something new to have an opinion about, you'll be better off.

    To the users who privately thanked me, and asked me to continue maintaining the script -- thank you very much, and I'll continue to do the best I can, while the others investigate, because I do not have the time to investigate on an ongoing basis like some of the other guys do.

    I do have some quarantined files both 32-bit and 64-bit if anyone needs them, though I have posted them previously -- just PM me and I'll be happy to provide the files in both 32-bit and 64-bit models.

  17. #967
    Join Date
    Apr 2008
    Location
    Romania
    Posts
    17
    As far as I can see right now, in the logs I monitor the bot does not care about logging; clearly he does not verify whether the password still works.

    So, the hacker probably had no root password, but he logged in just once to install, and after that he does not care anymore about coming back unless the libkey pings him with a new user/pass or something. Or he has priority on newly hacked and not-blacklisted servers.

    So please, whoever has abused servers, make a cron monitoring script to check for /home/tmpp and, if it exists, stop the networking on that server so you can preserve whatever the botnet drops there (and hopefully the servers will be hacked again).
    Last edited by demil; 02-20-2013 at 06:10 PM.
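Demil's cron-check suggestion, worked out as an added example (not demil's script or anything posted in this thread): it snapshots the drop directory before any isolation step, so the evidence survives even if the attacker removes the files a moment later. /home/tmpp is the path named in the thread; DROPDIR, EVIDENCE and the optional ON_HIT hook are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not demil's or anyone's script from this thread: a check meant
# to run from cron that preserves whatever turns up in the drop directory the
# thread reports (/home/tmpp). Assumptions: DROPDIR, EVIDENCE and ON_HIT are
# this example's own knobs; /home/tmpp itself is the path from the thread.
DROPDIR=${DROPDIR:-/home/tmpp}
EVIDENCE=${EVIDENCE:-/var/quarantine}
# Optional isolation command, e.g. ON_HIT="ifdown eth0" (demil's suggestion);
# empty by default so the check only collects evidence.
ON_HIT=${ON_HIT:-}

# snapshot_dropdir DROPDIR EVIDENCE
#   returns 0 when DROPDIR is absent, 1 when it exists and a snapshot was taken;
#   prints the snapshot directory in the latter case.
snapshot_dropdir() {
    drop=$1; evid=$2
    [ -e "$drop" ] || return 0
    out="$evid/$(basename "$drop")-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$out"
    # Metadata first: names, sizes, owners and mtimes survive even if the
    # files themselves are gone by the time anyone looks.
    find "$drop" -ls > "$out/listing.txt" 2>/dev/null
    find "$drop" -type f -exec sha256sum {} + > "$out/sha256.txt" 2>/dev/null
    # Then a copy that keeps permissions and timestamps. Nothing is executed.
    tar -C "$(dirname "$drop")" -cpf "$out/$(basename "$drop").tar" \
        "$(basename "$drop")" 2>/dev/null
    # Collected evidence is read-only for the owner, invisible to everyone else.
    find "$out" -type f -exec chmod 0400 {} +
    echo "$out"
    return 1
}

# run_check: one cron iteration, e.g. "* * * * * root /usr/local/sbin/tmpp-watch.sh"
run_check() {
    rc=0; snapshot_dropdir "$DROPDIR" "$EVIDENCE" || rc=$?
    if [ "$rc" -eq 1 ] && [ -n "$ON_HIT" ]; then
        logger -t tmpp-watch "$DROPDIR appeared, running: $ON_HIT"
        sh -c "$ON_HIT"
    fi
    return "$rc"
}
```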

  18. #968
    Join Date
    Aug 2004
    Posts
    136
    The old sample I got from flopunctro is similar to what we are facing now; a sample of the history shows stuff like:

    perl -e 'print "abcdefghijklmnopqrstuvwxyz\nbiz\ninfo\nnet\n";' >> 1.tmp


    which matches parts of the de-obfuscated code we have

  19. #969
    Join Date
    Jan 2013
    Posts
    361
    Anyone noticed this?

    Code:
    [~]# for i in `du -a /lib64/ | grep -v '@' | awk '{print $2}'`; do rpm -qf "$i" | grep 'not owned by any package'; done

    file /lib64/libkeyutils.so.1.3.2 is not owned by any package
    file /lib64/security/pam_hulk.so is not owned by any package

  20. #970
    Join Date
    Oct 2005
    Posts
    393
    Quote Originally Posted by egillette View Post
    Hey all, I'm posting this based on the suggestion of someone who suggested I modify the script a bit to use auditctl, which I've done.

    Anyone interested can get it here:

    https://www.ericgillette.com/clients/exploit-cleanup

    Code:
    wget https://www.ericgillette.com/clients/exploit-cleanup
    Then:

    Code:
    md5sum ./exploit-cleanup
    Should match: 35d43e7a7294c7d28255d0d4ca3f135e

    Then:

    Code:
    sh ./exploit-cleanup
    For users who would like to know and read through what this script does:

    This will attempt to move the file into a directory where if requested, you can supply the file to requestors here.

    In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate since system configurations, and versions vary somewhat -- that said you can execute the commands in the script individually if you prefer, otherwise you use it at your own risk.

    Ironically, I've received multiple messages from various users who have thanked me for creating the script, incorporating some of the suggestions of others, and for maintaining the script up to this point, despite the negativity and unhelpful attitudes of some.

    That said, to those that have expressed their opinions concerning the script prior, your opinions will have no effect on what I decide to do, so it's probably better to just keep them to yourself, rather than cluttering the thread with more of your opinions.

    As I said prior, agree to disagree, and move on -- find something new to have an opinion about, you'll be better off.

    To the users who privately thanked me, and asked me to continue maintaining the script -- thank you very much, and I'll continue to do the best I can, while the others investigate, because I do not have the time to investigate on an ongoing basis like some of the other guys do.

    I do have some quarantined files both 32-bit and 64-bit if anyone needs them, though I have posted them previously -- just PM me and I'll be happy to provide the files in both 32-bit and 64-bit models.
    Thanks for making the script. I've had to use scripts like this before in a pinch and they come in handy. It's useful not just for the people infected today but for anyone who gets infected by this a year or two down the road.

  21. #971
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by egillette View Post
    In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate since system configurations, and versions vary somewhat
    Seriously, you need to stop distributing that script before you break anyone else's system.

    If you had any sense your script would do basic sanity checks (checking that /lib64/libkeyutils.so.1.3 or /lib/libkeyutils.so.1.3 exists) before moving a critical (if infected) system library and symlinking to another library that may or may not exist.

    You have already broken several people's systems due to your lack of sanity checks.

    Something like this:

    Code:
    if [ -f $exploit64 ] ; then
        echo "$exploit64 was found on this system. . ."
        if [ ! -f /lib64/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        <<rest of your script here>>
    fi

    if [ -f $exploit32 ] ; then
        echo "$exploit32 was found on this system. . ."
        if [ ! -f /lib/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        <<rest of your script here>>
    fi
    You need to fix that before you break anyone else's system. These simple changes at the very least would make your script safe to run on non-RHEL/CentOS 6 based systems.
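Ramnet's sanity checks, combined with the "not owned by any package" test from post #969, as an added example that is not egillette's exploit-cleanup script nor any code posted in this thread. It assumes the file names reported here (rogue libkeyutils.so.1.9 or libkeyutils.so.1.3.2, legitimate libkeyutils.so.1.3 on RHEL/CentOS 6); LIBDIR and QDIR are arguments you supply, and the rpm check is skipped silently on non-RPM systems.

```shell
#!/bin/sh
# Added example; not egillette's exploit-cleanup script nor ramnet's snippet.
# Pre-flight checks before anyone touches libkeyutils, plus a quarantine step
# that only runs when the checks pass. Assumptions taken from this thread:
# the rogue file is libkeyutils.so.1.9 (or libkeyutils.so.1.3.2, post #969) and
# the distribution's real library is libkeyutils.so.1.3; adjust per release.
ROGUE_NAMES="libkeyutils.so.1.9 libkeyutils.so.1.3.2"
LEGIT_NAME="libkeyutils.so.1.3"

# libkeyutils_preflight LIBDIR
#   0 = no rogue file; 1 = rogue file present and $LEGIT_NAME present (safe to
#   quarantine); 2 = rogue file present but no $LEGIT_NAME to fall back on.
libkeyutils_preflight() {
    libdir=$1; rogue=""
    for n in $ROGUE_NAMES; do
        if [ -f "$libdir/$n" ]; then rogue="$libdir/$n"; fi
    done
    # The loader symlink must resolve to the real library, never to the rogue.
    if [ -L "$libdir/libkeyutils.so.1" ]; then
        target=$(readlink "$libdir/libkeyutils.so.1")
        case "$target" in
            "$LEGIT_NAME"|*/"$LEGIT_NAME") ;;
            *) echo "WARN: libkeyutils.so.1 -> $target (unexpected target)" ;;
        esac
    fi
    if [ -z "$rogue" ]; then
        echo "OK: no rogue libkeyutils in $libdir"
        return 0
    fi
    echo "ALERT: $rogue present"
    # On RPM systems the rogue file should belong to no package (post #969);
    # skipped where rpm is absent (Debian/Ubuntu, test hosts).
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$rogue" >/dev/null 2>&1; then
        echo "NOTE: $rogue is claimed by $(rpm -qf "$rogue"); check it with rpm -V"
    fi
    if [ ! -f "$libdir/$LEGIT_NAME" ]; then
        echo "STOP: $libdir/$LEGIT_NAME is missing; removing $rogue would break"
        echo "      everything linked against libkeyutils.so.1. Review manually."
        return 2
    fi
    return 1
}

# libkeyutils_quarantine LIBDIR QDIR
#   Refuses unless preflight returns 1. Hashes and moves the rogue file into
#   QDIR (kept for analysis, not deleted) and re-points the loader symlink.
libkeyutils_quarantine() {
    libdir=$1; qdir=$2
    rc=0; libkeyutils_preflight "$libdir" >/dev/null || rc=$?
    if [ "$rc" -ne 1 ]; then
        echo "refusing to quarantine in $libdir (preflight rc=$rc)"
        return 1
    fi
    mkdir -p "$qdir"
    for n in $ROGUE_NAMES; do
        if [ -f "$libdir/$n" ]; then
            sha256sum "$libdir/$n" >> "$qdir/hashes.txt"
            mv "$libdir/$n" "$qdir/$n.quarantined"
        fi
    done
    ln -sf "$LEGIT_NAME" "$libdir/libkeyutils.so.1"
    # On a real host: run ldconfig afterwards and confirm sshd still starts.
    return 0
}
```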

  22. #972
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by Olly-ellogroup View Post
    I am 100% with Steve on his theory of local machine hacking.
    I am as well.

    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in DNS packets out port 53.

    He used this infected workstation system to log in to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.

    If you have a server affected by this, your workstation has been compromised.

  23. #973
    Join Date
    Oct 2005
    Posts
    393
    Quote Originally Posted by ramnet View Post
    Seriously, you need to stop distributing that script before you break anyone else's system.

    If you had any sense your script would do basic sanity checks (checking that /lib64/libkeyutils.so.1.3 or /lib/libkeyutils.so.1.3 exists) before moving a critical (if infected) system library and symlinking to another library that may or may not exist.

    You have already broken several people's systems due to your lack of sanity checks.

    Something like this:

    Code:
    if [ -f $exploit64 ] ; then
        echo "$exploit64 was found on this system. . ."
        if [ ! -f /lib64/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        <<rest of your script here>>
    fi

    if [ -f $exploit32 ] ; then
        echo "$exploit32 was found on this system. . ."
        if [ ! -f /lib/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        <<rest of your script here>>
    fi
    You need to fix that before you break anyone else's system. These simple changes at the very least would make your script safe to run on non-RHEL/CentOS 6 based systems.
    Lay off the script already; we're all fellow members of the open-source community, a community built on people writing scripts and code and freely distributing it for other people to use and add to. If you want to modify that script, or create your own script, you're more than welcome to do so.

  24. #974
    Join Date
    Feb 2013
    Posts
    32
    Quote Originally Posted by ramnet View Post
    I am as well.

    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in DNS packets out port 53.

    He used this infected workstation system to log in to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.

    If you have a server affected by this, your workstation has been compromised.
    Thanks for this, I concur as well, as malware was detected on my local PC after running scans. (It appears the malware entered through some sort of Java exploit, at least on my machine.) Unsure if this is what actually caused the compromise in my case; however, it makes sense.

    Do you have any more info on this rootkit keylogger so I can have a look over it?

  25. #975
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by jalapeno55 View Post
    Layoff the script already
    His script will take down any system that is not a CentOS 6.x or RHEL 6.x system.

    His script as it stands right now is more dangerous to the stability of your server than the exploit he is trying to fix.

    All because he can't be bothered to do a basic one line sanity check.
