Page 42 of 61
Results 1,026 to 1,050 of 1523
  1. #1026
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,303
    Quote Originally Posted by FastServ View Post
    Based on the recent findings as well as evidence in this thread:

    If it's a linux server and connected to the internet, it's vulnerable.


    Stop asking if such and such distro is safe or not.
    ^ That argument can be applied to anything connected to the Internet, because nothing is 100% guaranteed hack / crack proof. If there is a will there is always a way.

    My question is not toward "can" something be hacked / cracked.... That would be an illogical argument because the answer is yes. Everything can be.

    My question was: at this time, does this single issue currently affect Debian? My findings so far would suggest at least for the moment, no. But I would like to know if anyone else (one of WHT's more experienced and well-known users) could confirm or deny if this single issue at this moment affects Debian.

    I believe it is a valid (even if you do not).


  2. #1027
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by FastServ View Post
    ...

    If it's a linux server and connected to the internet, it's vulnerable.


    ...
    If I may... I don't IMHO think that's entirely true, you are drawing a distinction that is not yet qualified. There is evidence within this thread that a root-kit on an office PC is the root of the issue (a key-logger). The targeting of Linux boxes with the data captured from such a key-logger is not proof that Linux is vulnerable, but a choice of the hacker, surely?

  3. #1028
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,479
    Quote Originally Posted by matbz View Post
    If I may... I don't IMHO think that's entirely true, you are drawing a distinction that is not yet qualified. There is evidence within this thread that a root-kit on an office PC is the root of the issue (a key-logger). The targeting of Linux boxes with the data captured from such a key-logger is not proof that Linux is vulnerable, but a choice of the hacker, surely?
    I should have omitted the Linux part -- it was said in context of the post I was replying to -- e.g. this distro is immune, this is not (in fact, windows logins, ISP login details, or even bank details could also be at risk).
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Ashburn VA + San Diego CA Datacenters

  4. #1029
    Join Date
    Apr 2011
    Posts
    223
    Ramnet, thanks for posting this!

    Quote Originally Posted by ramnet View Post
    I am as well.
    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in dns packets out port 53.

    He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.
    If you have a server affected by this, your workstation has been compromised.
    Steven & Nenelod - thanks for all the hard work you've put into investigating this!

    May I ask whether either of you have tested which antivirus/malware scanner is able to detect this keylogger?

    That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.

  5. #1030
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by FastServ View Post
    I should have omitted the Linux part -- it was said in context of the post I was replying to -- e.g. this distro is immune, this is not (in fact, windows logins, ISP login details, or even bank details could also be at risk).
    Indeed, the only really safe place from anything is in your room with everything switched off, but even that is relative

  6. #1031
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,259
    Quote Originally Posted by vpswing View Post
    Ramnet, thanks for posting this!



    Steven & Nenelod - thanks for all the hard work you've put into investigating this!

    May I ask whether either of you have tested which antivirus/malware scanner is able to detect this keylogger?

    That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.

    I don't actually have access to it yet. However nenolod has shared that malwarebytes picked it up.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  7. #1032
    Join Date
    Dec 2009
    Posts
    138
    I have several antivirus installed (on different machines) all are up to date. If someone sends me the malware I can scan it for you.

  8. #1033
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    35

    Scanners ran

    I'm currently doing a third scan on the same box.
    This is the only box I could have been infected on, in my opinion.

    I found nothing with
    Spybot
    nothing with MS Malware scanner
    now running Malwarebytes

    Will advise as soon as it finishes.
    Only thing I have confirmed thus far is I do have over 3 million files on my box




    Quote Originally Posted by vpswing View Post
    Ramnet, thanks for posting this!



    Steven & Nenelod - thanks for all the hard work you've put into investigating this!

    May I ask whether either of you have tested which antivirus/malware scanner is able to detect this keylogger?

    That will be very helpful for all those managing servers to advise their clients to do a thorough scan of their PCs/laptops with scanners that can actually detect this rogue keylogger.

  9. #1034
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by bdx33 View Post
    I have several antivirus installed (on different machines) all are up to date. If someone sends me the malware I can scan it for you.
    It's been previously stated that 'Malwarebytes Anti-Malware' picked it up. If you have an infected box that you have accessed from the scanned PC, could you please post the scan output from that PC here so the community can see it? If you have any malware found results of course.
    Last edited by matbz; 02-20-2013 at 11:02 PM. Reason: appended "If you have any malware found results of course."

  10. #1035
    Join Date
    Apr 2011
    Posts
    223
    Quote Originally Posted by Steven View Post
    I don't actually have access to it yet. However nenolod has shared that malwarebytes picked it up.
    Thanks Steven!

    Quote Originally Posted by ThreadHo View Post
    I'm currently doing a third scan on the same box.
    This is the only box I could have been infected on, in my opinion.

    I found nothing with
    Spybot
    nothing with MS Malware scanner
    now running Malwarebytes

    Will advise as soon as it finishes.
    Only thing I have confirmed thus far is I do have over 3 million files on my box
    Thanks ThreadHo!

  11. #1036
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by ThreadHo View Post
    I'm currently doing a third scan on the same box.
    This is the only box I could have been infected on, in my opinion.
    Well, you must remember that the earliest reports of this infection go all the way back to August 2012. That's a huge 7 month window of possibilities. The infection on your server may have been lying dormant for months.

    You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter

  12. #1037
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ramnet View Post
    You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.
    Or not even known about it.

  13. #1038
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    35

    Third scan complete

    Malwarebytes found nothing
    MS malware scan nothing
    Spybot scan nothing; on to the fourth

  14. #1039
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    35

    You're right on forgetting

    I did have a Java update that installed a toolbar and more when I forgot to un-check that little box. I had to restore after that. Possibly I wiped it out then.

    Quote Originally Posted by ramnet View Post
    Well, you must remember that the earliest reports of this infection go all the way back to August 2012. That's a huge 7 month window of possibilities. The infection on your server may have been lying dormant for months.

    You also have to keep in mind that it is possible one of your workstation computers was infected and cleaned up ages ago, and you have since forgotten about it.

  15. #1040
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ThreadHo View Post
    Malwarebytes found nothing
    MS malware scan nothing
    Spybot scan nothing; on to the fourth
    But you have an infected box?
    Was there anyone else who had root ssh access to the infected box?

  16. #1041
    Join Date
    Feb 2013
    Posts
    15
    Steven, Scott, mattbz, and everyone else involved in this. Thank you for your selfless efforts and dedication towards this cause. Mattbz, thankfully, I was able to restore my missing libraries and get my server back online thanks to a very good friend of mine. Just giving you an update on that as well.

    Thank you all

  17. #1042
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    35

    I thought I was alone

    Besides me on this desktop, only cPanel and the data center, which is "supposed" to be terminal. With a lot of the cPanel staff working remotely using IP proxies and all, I wonder


    Quote Originally Posted by matbz View Post
    But you have an infected box?
    Was there anyone else who had root ssh access to the infected box?

  18. #1043
    Join Date
    Feb 2013
    Location
    /dev/null aka Ohio
    Posts
    61

    me 2

    Quote Originally Posted by plexy View Post
    Don't tar us all with the same brush. Some of us have just forgotten our login details and our old rescue email accounts are connected to long expired domain names
    That's me - rather than fight trying to figure out the old login - since I have not been in the community for, heck, at least a year if not more - I just created a new account.

  19. #1044
    Join Date
    Feb 2013
    Location
    /dev/null aka Ohio
    Posts
    61

    Steve? Are we sure this is from malware?

    Quote Originally Posted by Steven View Post
    I don't actually have access to it yet. However nenolod has shared that malwarebytes picked it up.

    Steve, are we 100% sure this is from malware?
    Reason I ask (trying to catch up on literally 70 pages now of this):

    We use Macs.
    Not a PC in our office.

    So I'm trying to figure out, if it is malware, how we got hit.
    One pain on a Mac is that it does not have the best way to do maldetect, but it is not as easy to infect (yet) {hoping I don't start a war on PC vs. Mac - not my intention}

    Anyhow - Steve, I sent you an email to follow up as well.

  20. #1045
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ThreadHo View Post
    Besides me on this desktop, only cPanel and the data center, which is "supposed" to be terminal. With a lot of the cPanel staff working remotely using IP proxies and all, I wonder
    Sorry I should have been more particular in my question... has anyone else accessed the box using user 'root'? Just asking to make it clear the possibility of a rootkit infected local machine (PC) or not.

  21. #1046
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    35

    That's it

    Those are the only possibilities: me, cPanel and the data center.
    All three use root at some point.


    Quote Originally Posted by matbz View Post
    Sorry I should have been more particular in my question... has anyone else accessed the box using user 'root'? Just asking to make it clear the possibility of a rootkit infected local machine (PC) or not.

  22. #1047
    Join Date
    Feb 2013
    Location
    /dev/null aka Ohio
    Posts
    61

    root users?

    Quote Originally Posted by matbz View Post
    Sorry I should have been more particular in my question... has anyone else accessed the box using user 'root'? Just asking to make it clear the possibility of a rootkit infected local machine (PC) or not.
    That is an interesting thought.

    The only users who have root access for us are:

    1. Me (on a Mac)
    2. Two staffers (also on Macs)
    3. cPanel
    4. IPMI and KVM, but we connect to those on a Mac.

    I am concerned that if this was a malware issue, HOW DO WE FIND IT ON A MAC.

    Thus far ESET has not picked it up. Neither has MacScan from SecureMac.


    Our Macs do not have Java and they do not have Flash.
    (makes browsing some sites a bit more fun that way)

    We have one workstation that does have Java, which we use to connect to a KVM on Proxmox - but that is all it does.
    It does not browse the web, just to be safe otherwise.

  23. #1048
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,259
    Quote Originally Posted by cloudhopping View Post
    Steve, are we 100% sure this is from malware?
    Reason I ask (trying to catch up on literally 70 pages now of this):

    We use Macs.
    Not a PC in our office.

    So I'm trying to figure out, if it is malware, how we got hit.
    One pain on a Mac is that it does not have the best way to do maldetect, but it is not as easy to infect (yet) {hoping I don't start a war on PC vs. Mac - not my intention}

    Anyhow - Steve, I sent you an email to follow up as well.
    Quote Originally Posted by cloudhopping View Post
    That is an interesting thought.

    The only users who have root access for us are:

    1. Me (on a Mac)
    2. Two staffers (also on Macs)
    3. cPanel
    4. IPMI and KVM, but we connect to those on a Mac.

    I am concerned that if this was a malware issue, HOW DO WE FIND IT ON A MAC.

    Thus far ESET has not picked it up. Neither has MacScan from SecureMac.


    Our Macs do not have Java and they do not have Flash.
    (makes browsing some sites a bit more fun that way)

    We have one workstation that does have Java, which we use to connect to a KVM on Proxmox - but that is all it does.
    It does not browse the web, just to be safe otherwise.

    I want to put emphasis on this.
    We do not know if it's 100% malware, but it is one of the likely suspects based on what we know and the wide variety of servers it affects.

    Also, for Mac lovers: you are not infallible to malware.

    And this is exactly what I was talking about when I mentioned back connect a few days ago.

    New Mac malware opens secure reverse shell
    http://reviews.cnet.com/8301-13727_7...reverse-shell/

    With something like this, it does not matter if you firewall off your server; they can log in through your own Mac and it looks like YOU logged in.
    Last edited by Steven; 02-21-2013 at 12:16 AM.

  24. #1049
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,479
    Quote Originally Posted by cloudhopping View Post
    that is an interesting thought.
    ...
    4. IPMI and KVM, but we connect to those on a Mac.
    ...
    Our Macs do not have Java and they do not have Flash.
    ...

    You've got Java on your Mac if you use an IPMI console from it.

    There's another post somewhere in this thread mentioning ssh locked down to an office full of macs and server compromised (Debian in fact!).

  25. #1050
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,479
    FYI, if anyone is running DD-WRT at your home or office you can block the malware's payload by enabling dnsmasq for local DNS, then redirecting remote DNS traffic to the local gateway.

    http://www.dd-wrt.com/wiki/index.php/OpenDNS

    You can take it a step further and redirect + log redirects with these extra firewall rules in Administration -> Commands -> Firewall.

    Code:
    # Log LAN DNS traffic (UDP and TCP port 53) that is not already addressed to the router itself.
    # Current iptables wants the "!" before -d; older builds also accepted "-d !".
    iptables -t nat -A PREROUTING -i br0 ! -d "$(nvram get lan_ipaddr)" -p udp --dport 53 -j LOG --log-prefix "REDIRECT: "
    iptables -t nat -A PREROUTING -i br0 ! -d "$(nvram get lan_ipaddr)" -p tcp --dport 53 -j LOG --log-prefix "REDIRECT: "
    # Then rewrite every LAN DNS packet so it lands on the local dnsmasq, whatever its original destination.
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
    Use remote syslog for extra credit.
    Last edited by FastServ; 02-21-2013 at 12:58 AM.
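An added example, not FastServ's post or any DD-WRT code, that reads the syslog output of the LOG rules above and reports which LAN hosts keep trying to reach DNS servers other than the router. The log lines are constructed samples in the standard netfilter LOG format, and the flagging threshold is an assumption to tune per network.

```shell
#!/bin/sh
# Summarise the "REDIRECT: " lines the DD-WRT LOG rules write to syslog.
# Each line is a LAN host trying to talk to a DNS server other than the
# router. With dnsmasq as the only legitimate resolver, a host that keeps
# doing this in a steady stream of small port-53 packets matches the
# keystrokes-over-DNS behaviour described in this thread and deserves a look.

# Constructed sample lines (not from any real router). The last line has a
# different prefix and is ignored by the summary.
SAMPLE_LOG='Feb 21 00:58:01 gw kernel: REDIRECT: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51234 DPT=53 LEN=52
Feb 21 00:58:02 gw kernel: REDIRECT: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51235 DPT=53 LEN=54
Feb 21 00:58:03 gw kernel: REDIRECT: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=1.1.1.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51236 DPT=53 LEN=50
Feb 21 00:58:04 gw kernel: REDIRECT: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51237 DPT=53 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 21 00:58:05 gw kernel: REDIRECT: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.20 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=40000 DPT=53 LEN=52
Feb 21 00:58:06 gw kernel: DROP: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0'

# summarise_redirects < syslog
# One line per LAN host: "<src> <packets> <distinct outside resolvers>",
# busiest host first. Only REDIRECT lines with DPT=53 are counted.
summarise_redirects() {
  grep 'REDIRECT: ' |
  sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\) .*DPT=53.*/\1 \2/p' |
  sort | uniq -c |
  awk '{ pkts[$2] += $1; dsts[$2]++ }
       END { for (s in pkts) print s, pkts[s], dsts[s] }' |
  sort -k2,2nr
}

# flag_hosts THRESHOLD < summary
# Prints hosts whose packet count reached THRESHOLD (assumed value; a few
# attempts is usually a misconfigured client, a steady stream is not).
flag_hosts() {
  awk -v t="$1" '$2 >= t { print $1 }'
}

# On a real box: summarise_redirects < /var/log/messages | flag_hosts 50
printf '%s\n' "$SAMPLE_LOG" | summarise_redirects
printf '%s\n' "$SAMPLE_LOG" | summarise_redirects | flag_hosts 3
```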
