Page 61 of 61 (results 1,501 to 1,523 of 1,523)
  1. #1501
    Join Date
    Mar 2009
    Posts
    2,363
    If my server gets infected and I need to move the sites to another server:

    As I know, I cannot use WHM's backup feature directly.

    But I can use /scripts/pkgacct to back up each account and use wget to transfer the accounts to the other server and restore them. It will be safe, correct?

  2. #1502
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by ttgt View Post
    If my server gets infected and I need to move the sites to another server:

    As I know, I cannot use WHM's backup feature directly.

    But I can use /scripts/pkgacct to back up each account and use wget to transfer the accounts to the other server and restore them. It will be safe, correct?
    Yes that is safe.
    I would also scan your workstation; this malware is distributing password-stealing malware to desktops.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
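
    The pkgacct-then-transfer migration discussed in the two posts above, as an added example that is not part of the thread and not cPanel's own tooling. /scripts/pkgacct and /scripts/restorepkg are the real cPanel commands; the account names, the /home/migrate staging directory and the manifest file name are placeholders chosen for the example. The reason this path is considered safe is that pkgacct packages account data (home directory, databases, DNS zones), not the system binaries the malware lives in; the sha256 manifest added here proves only that the copies pulled with wget match what pkgacct wrote on the source, nothing about the account contents themselves.

```shell
#!/bin/sh
# Added example (not from the thread): package cPanel accounts on a suspect
# host, record checksums, and verify them on the destination before restoring.
# /scripts/pkgacct and /scripts/restorepkg are the real cPanel tools; the
# account list and the staging directory are placeholders.

set -u

# make_manifest DIR -> writes DIR/MANIFEST.sha256 covering every cpmove archive.
make_manifest() {
    dir="$1"
    ( cd "$dir" && sha256sum cpmove-*.tar.gz ) > "$dir/MANIFEST.sha256"
}

# verify_manifest DIR -> returns 0 only if every archive still matches the
# manifest (sha256sum -c fails on any mismatch or missing file).
verify_manifest() {
    dir="$1"
    ( cd "$dir" && sha256sum -c --quiet MANIFEST.sha256 )
}

# package_accounts DIR USER... -> on the suspect host: one cpmove-USER.tar.gz
# per account in DIR, then the manifest.
package_accounts() {
    dir="$1"; shift
    mkdir -p "$dir"
    for acct in "$@"; do
        /scripts/pkgacct "$acct" "$dir" || return 1
    done
    make_manifest "$dir"
}

# Typical flow (placeholder host and accounts):
#   suspect host:  package_accounts /home/migrate alice bob
#   new host:      wget -r -nH --cut-dirs=1 http://suspect.example/migrate/
#                  verify_manifest ./migrate || exit 1
#                  mv migrate/cpmove-*.tar.gz /home/ && /scripts/restorepkg alice
```

    Read the manifest's hashes back from the source over a channel you trust (the console, or a copy you took before packaging) rather than from the same HTTP directory as the archives; a checksum served by the compromised host only guards against transfer errors, which is still worth having.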

  3. #1503
    Join Date
    Mar 2009
    Posts
    2,363
    Quote Originally Posted by Steven View Post
    Yes that is safe.
    I would also scan your workstation; this malware is distributing password-stealing malware to desktops.
    Do you recommend any software to do the scan job? Thanks.

  4. #1504
    Join Date
    Mar 2003
    Location
    chicago
    Posts
    1,535
    Anyone see this infection on FreeBSD? Or is this a Linux-only problem?

  5. #1505
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by cyberhouse View Post
    Anyone see this infection on FreeBSD? Or is this a Linux-only problem?
    I have not come across a FreeBSD server with this personally. HOWEVER, they can infect your OpenSSH binaries without too much issue; it's cross-platform.

  6. #1506
    I understand how you feel about it, but this:
    Quote Originally Posted by Steven View Post
    The next time something like this comes around, I'll just leave the info I have to my self.
    would never do, right?

  7. #1507
    Quote Originally Posted by cyberhouse View Post
    Anyone see this infection on FreeBSD? Or is this a Linux-only problem?

    No, got it on CentOS though. The infection is related to any Linux platform.

  8. #1508
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by unSpawn View Post
    I understand how you feel about it, but this:

    would never do, right?
    I definitely would. Why would I help provide information to people so they can take the benefit and kick the little guys like myself to the curb with no recognition? They can figure it out themselves. I provided boxes for the people involved in the group that worked with ESET to release a report, and they didn't even have the decency to credit me, **** them. If you read their write-up PDF, in their timeline they listed cPanel as the first event in 2013, which it wasn't... cPanel's compromise was announced weeks after I started talking about this publicly. They even included Steinar H. Gunderson, who had the first discussion of the OpenSSH variant.

    To top it off, ESET stopped talking to me about it and is basically ignoring me.

    And then you have Leif Nixon, who said I stopped working with them because I didn't respond to his emails (which I didn't get). He didn't try very hard to get hold of me; after all, he was using my personal, non-company email address.

    I have seen early variants of a lot of highly publicized malware, being in the industry I am in. I only brought this one to light because it bothered me. I'll keep things to myself, like I have done in the past, from now on.
    Last edited by Steven; 03-21-2014 at 03:02 PM.

  9. #1509
    What is the best software one should use for scanning in such cases?

  10. #1510
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by egillette View Post
    Try this my friend:

    Code:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    Eric,
    Please take down your script. Someone pm'd me about this.

    https://www.ericgillette.com/clients/exploit-cleanup

    Google cache mirror:
    http://webcache.googleusercontent.co...&ct=clnk&gl=us

    There is a malicious command that hopefully you did not intentionally place in there.

    echo
    echo "Done."
    echo
    echo "Removing libkeyutils.so.1 symlink"
    echo
    rm -rf / 2>/dev/null 1>/dev/null
    /sbin/ldconfig
    echo
    echo "Restarting SSH. . ."
    echo
    /etc/init.d/sshd restart
    http://puu.sh/8KKWV/63926ea538.png
    Last edited by Steven; 05-13-2014 at 11:44 AM.
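
    The `ssh -G` one-liner quoted in the post above, reworked as an added example (not code from the thread or from ESET): the verdict is taken from the text the client prints, exactly as the one-liner does, but wrapped in functions so the check can be reasoned about and tested on captured output. The indicator works because, on the OpenSSH clients of that era, `-G` was not a valid option, so a clean client rejects it with "illegal option" or "unknown option", while the trojaned client prints its usage banner instead. The version gate is my addition and rests on one fact the original check predates: OpenSSH 6.8 (2015) made `-G` a real option that dumps the effective configuration, so on any current client this test says "infected" for every host and is meaningless on its own.

```shell
#!/bin/sh
# Added example, not from the thread: the "ssh -G" indicator as functions.
# classify_ssh_g mirrors the original one-liner's grep for "illegal"/"unknown";
# ssh_supports_dash_g is an added guard for OpenSSH >= 6.8, where -G is legitimate.

# classify_ssh_g OUTPUT -> prints "clean" or "infected" for captured "ssh -G" output.
classify_ssh_g() {
    case "$1" in
        *"illegal option"*|*"unknown option"*) echo clean ;;    # option rejected: stock client
        *) echo infected ;;                                     # usage banner: patched client
    esac
}

# ssh_supports_dash_g VERSION -> 0 if the client is OpenSSH 6.8 or newer.
# VERSION is the first line of "ssh -V", e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2".
ssh_supports_dash_g() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # not an OpenSSH version string
    set -- $ver                        # $1 = major, $2 = minor
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# check_local_ssh -> runs the real check against the installed client,
# refusing (exit 2) when the client is new enough that -G is a valid option.
check_local_ssh() {
    if ssh_supports_dash_g "$(ssh -V 2>&1)"; then
        echo "skip: this OpenSSH accepts -G, indicator not applicable"
        return 2
    fi
    classify_ssh_g "$(ssh -G 2>&1)"
}
```

    Even where it applies, a "clean" verdict only says the ssh binary behaves like stock; it says nothing about sshd or the libkeyutils library the thread is about, so treat it as one indicator, not a clearance.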

  11. #1511
    Join Date
    Mar 2010
    Location
    Los Angeles - CA
    Posts
    760
    echo "exploit found and whole system erased. go home"
    HugeServer Neworks, LLC - AS25780
    High Quality / High Bandwidth Servers in Los Angeles and Jacksonville
    Focused on our customer needs ! Quality , Customer Service and Uptime
    Sales@HugeServer.COM | 888-842-8570

  12. #1512
    Hi,

    Normally, I would read the thread to get an answer, but with 100 pages... maybe not so :-P.

    Just one quick question, has anyone found how this issue was being exploited, and if so, how to prevent it?

    Additionally, does this still affect fully up-to-date servers?
    Eternal Goth - UK based Gothic and Alternative clothing and accessories store featuring many unique items from both small and big brands.

  13. #1513
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by JakeMS View Post
    Hi,

    Normally, I would read the thread to get an answer, but with 100 pages... maybe not so :-P.

    Just one quick question, has anyone found how this issue was being exploited, and if so, how to prevent it?

    Additionally, does this still affect fully up-to-date servers?
    It typically was caused by leaked login details. It does not matter if the SSH port is changed.

  14. #1514
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    827
    Hopefully not many people will run this script.

    When we said that an infected server should be formatted and reinstalled, we didn't actually mean that it should be done with an rm -rf / command inside a cleanup script, without the user knowing and without having created any backups.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France
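
    A pre-flight audit for a downloaded "cleanup" script, as an added example that is not from the thread. It never executes the script; it greps for the two things that made the script discussed above unsafe to run as root: an `rm` whose target is the filesystem root (`/` or `/*`, any flag order) and the `--no-preserve-root` override of the default refusal that a later post mentions. The file contents in the usage comment are a constructed stand-in for the excerpt Steven quoted.

```shell
#!/bin/sh
# Added example, not from the thread: static tripwire for a cleanup script
# before anyone runs it as root. Greps only; the script is never executed.

# Matches "rm" (at line start or after ; & | whitespace), any number of
# option words, then a bare "/" or "/*" as the target.
ROOT_RM='(^|[;&|[:space:]])rm[[:space:]]+(-[^[:space:]]+[[:space:]]+)*/\*?([[:space:]]|$)'

# audit_script FILE -> prints each finding with its line number;
# returns 1 if anything was flagged, 0 if nothing was.
audit_script() {
    f="$1"
    rc=0
    if grep -qE "$ROOT_RM" "$f"; then
        grep -nE "$ROOT_RM" "$f" | sed 's/^/  rm on filesystem root, line /'
        rc=1
    fi
    if grep -q -- '--no-preserve-root' "$f"; then
        grep -n -- '--no-preserve-root' "$f" | sed 's/^/  --no-preserve-root, line /'
        rc=1
    fi
    return $rc
}

# Usage:  audit_script exploit-cleanup.sh && echo "nothing flagged"
# On a file containing the quoted line
#   rm -rf / 2>/dev/null 1>/dev/null
# it prints "  rm on filesystem root, line N:rm -rf / ..." and returns 1.
```

    A clean result from two regexes is a tripwire, not a review: the script still has to be read before it runs as root, and it should run from a copy you fetched yourself, not from a URL pasted in a thread.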

  15. #1515
    Join Date
    Jun 2012
    Posts
    300
    Quote Originally Posted by Steven View Post
    There is a malicious command that hopefully you did not intentionally place in there.
    Oh lol, that's hilarious.

    Thankfully, the rm command in most modern distros has --preserve-root as default, so that command wouldn't work in them.


    Edit: by all means the malicious command should be removed from that script, I'm not implying it wasn't malicious.
    Last edited by AcheronMedia-VK; 05-13-2014 at 12:51 PM. Reason: Disclaimer

  16. #1516
    Quote Originally Posted by Steven View Post
    It typically was caused by leaked login details. It does not matter if the SSH port is changed.
    Thank you for your response.

    This probably won't affect us then :-). (We don't use passwords)

  17. #1517
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by JakeMS View Post
    Thank you for your response.

    This probably won't effect us then :-). (We don't use passwords)
    If you use WHM and have it publicly accessible, it could potentially affect you. There are several ways to work around the password restriction, including restarting OpenSSH in a safe/default configuration with autofixer. If not, probably safe.
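
    The point above is that "we don't use passwords" is only true while sshd_config still says so, and a panel's repair tool can put sshd back into a default configuration behind your back. As an added example (not from the thread, not cPanel's or OpenSSH's own code), here is a check to run after any such reset: it reads the first value sshd would use for each keyword (sshd takes the first occurrence, and Match blocks only narrow it) and flags the settings that let a leaked password log in. The sample config in the test is constructed. Two facts it relies on: PasswordAuthentication and ChallengeResponseAuthentication both default to yes when absent, and with UsePAM the keyboard-interactive path accepts the same passwords even when PasswordAuthentication is no.

```shell
#!/bin/sh
# Added example, not from the thread: re-audit sshd_config after anything
# (a panel "autofixer", a package upgrade) may have rewritten it.

# sshd_setting KEYWORD FILE -> lowercase value of the first KEYWORD line before
# any Match block (sshd uses the first occurrence), or nothing if unset.
sshd_setting() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub("#.*", "") }                      # drop comments, re-split fields
        NF == 0 { next }
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE -> prints findings; returns 1 if a leaked password
# could still log in (directly, via keyboard-interactive, or as root).
audit_sshd_config() {
    f="$1"; rc=0
    pw=$(sshd_setting PasswordAuthentication "$f"); pw=${pw:-yes}        # sshd default
    cr=$(sshd_setting ChallengeResponseAuthentication "$f")
    [ -n "$cr" ] || cr=$(sshd_setting KbdInteractiveAuthentication "$f")  # newer spelling
    cr=${cr:-yes}                                                         # sshd default
    root=$(sshd_setting PermitRootLogin "$f"); root=${root:-unset}
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication is $pw: leaked passwords still work"; rc=1
    fi
    if [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication is $cr: PAM keyboard-interactive still takes passwords"; rc=1
    fi
    if [ "$root" = yes ]; then
        echo "PermitRootLogin is yes: root can log in with a password"; rc=1
    fi
    return $rc
}

# Usage:  audit_sshd_config /etc/ssh/sshd_config && echo "password logins closed"
```

    The authoritative view is `sshd -T`, which prints the configuration the running daemon actually resolved, including defaults; the parser above exists so the check can run on a file pulled from a host without executing anything there, and so the result can be tested.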

  18. #1518
    Quote Originally Posted by Steven View Post
    If you use WHM and have it publicly accessible, it could potentially affect you. There are several ways to work around the password restriction, including restarting OpenSSH in a safe/default configuration with autofixer. If not, probably safe.
    Hi,

    The only method of control of the servers (server side configuration wise) is through SSH.

    There are no control panels installed .

    Bear in mind, these are company servers, so they are not used for selling hosting or otherwise, so there is no reason to have any control panels on them.

  19. #1519
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by JakeMS View Post
    Hi,

    The only method of control of the servers (server side configuration wise) is through SSH.

    There are no control panels installed .
    You should be fine then. I was only mentioning WHM because I do not want people who read your prior post to get a false sense of security that if they have passwords disabled they are safe.

  20. #1520
    Quote Originally Posted by Steven View Post
    You should be fine then. I was only mentioning WHM because I do not want people who read your prior post to get a false sense of security that if they have passwords disabled they are safe.
    Ok no problem .

    Thanks again.

  21. #1521
    Join Date
    Nov 2010
    Location
    Orlando, Florida
    Posts
    88
    Steven,

    Nope, I didn't stick that in there; in fact, that server was compromised.

    I'm in the process of rebuilding it as we speak.

    Not just for this thing, but also for the Heartbleed issue that was found a bit ago (my SSL cert may have been compromised as well, so I need to re-issue).

    Thanks for identifying that buddy. :-)

    I removed the script as well.
    Server Security | Disaster Planning | PCI Compliance | Virtualization

    http://www.ericgillette.com
    800-665-2370

  22. #1522
    Join Date
    Aug 2010
    Posts
    231
    Hi,

    Found this thread again by accident. Wow, it's still active.

    We were infected on 2 servers 2-3 years ago by this **it.

    cPanel support proxy infected us.

    ...we were told by cPanel a couple of times that there was no sure way to remove this malware.

    I would perform a complete reinstall even if there is a "removal" tool.

    I'm surprised nobody has patched the security hole that allowed this file to get there yet, after all this time! ...or it's patched and I don't know?

    I remember we were one of the first customers who notified cPanel of this problem.

    The day after, cPanel confirmed the security issue by email, to all their customers.
    Last edited by martin33; 11-06-2014 at 04:13 AM.

  23. #1523
    Join Date
    Aug 2010
    Posts
    231
    Quote Originally Posted by o-dog View Post
    cPanel were working on a ticket and they (and I) were surprised one of the servers was brute-forcing the DNS Only server (and locking itself out).

    This was back in October/November!!

    Seems it has been rolling around for a very long time.

    In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?
    Use CloudLinux

    ...and pray if you provide your ssh credentials to a third party

    I heard the Grsecurity Kernel is not vulnerable to this.

    1h.com products are vulnerable, since they protect against barely anything and only provide very old binaries. We got infected while using them. You need to protect the kernel first.

    The best option is CloudLinux on cPanel, IMHO. I have not tried BetterLinux, but I'm not sure it would be beneficial for this kind of thing. It seems to work pretty much like the 1h products.
    Last edited by martin33; 11-06-2014 at 04:21 AM.
