  1. #961
    flopunctro,

    Could you send me a copy?

    jake.alexander at runbox dot com

  2. #962
    So, any more news for tonight from that abused server?
    Not much from me. I had a bunch of invalid password logins in /var/log/secure from the usual suspect IPs after I removed the exploit.

    But I had not changed the root password (on purpose, as I was PCAP'ing). So if someone had compromised the root password for this machine, then why would they not try that, and instead just try the password embedded in libkeyutils.so.1.9? Putting on a white hat for a second, if I had 2 passwords, one from a rootkit and one from a compromised user, I would not try just one and then stop when I get nowhere. I'd try them both. That didn't happen.

    Compromised root passwords are a good possibility, but for some reason it's just not gelling with me right now. Call it a hunch.

  3. #963

    InfosecNewsBot info

    The InfosecNewsBot sent out this tweet which has links to this thread as well as some other good information. It looks like some malware scanners are starting to pick this up:

    Linux/CentOS SSHd Spam Exploit libkeyutils.so.1.9: Someone shared a sample of the Linux root... bit.ly/12O9kKL #infosec #malware

  4. #964
    Join Date
    Oct 2011
    Location
    England, UK
    Posts
    101
    I am 100% with Steve on his theory of local machine hacking. Reading this thread in Chrome, e-mail from CSF:

    "lfd on [server]: WHM/cPanel root access alert from [my home IP]"

    SSH inbound is firewalled on this server, this came in via WHM. No tab open to that server in Chrome, no passwords saved in Chrome. Lastpass never used. I have a local file with passwords in it (yeah, insecure!) and likely had the password to that server in my clipboard.

    Windows 8 x64, Panda Antivirus, MalwareBytes Pro (realtime shields active). TeamViewer, Last.fm, Spotify, FileZilla, Putty, Trillian, MS Word, Winamp, Dropbox running.

    Chrome Plugins: default + Java (latest). Chrome Extensions: Checker Plus for Gmail, Google Docs, Google Tasks (by Google), PageRank Status, Speed Dial, Thin Scroll Bar, TweetDeck, Yet another flags.

    Any other info you need to know, please ask.
    Xagga Hosting - extra-value UK-based web host
    VPSnodes.net - the UK's ultimate VPS provider

    t: 020 33 973 775 | e: contact[at]ellogroup.com

  5. #965
    Join Date
    Sep 2012
    Posts
    52
    Use Adblocker

  6. #966
    Join Date
    Nov 2010
    Location
    Orlando, Florida
    Posts
    88
    Hey all, I'm posting this based on the suggestion of someone who suggested I modify the script a bit to use auditctl, which I've done.

    Anyone interested can get it here:

    https://www.ericgillette.com/clients/exploit-cleanup

    Code:
    wget https://www.ericgillette.com/clients/exploit-cleanup
    Then:

    Code:
    md5sum ./exploit-cleanup
    Should match: 35d43e7a7294c7d28255d0d4ca3f135e

    Then:

    Code:
    sh ./exploit-cleanup
    For users who would like to know and read through what this script does:

    This will attempt to move the file into a directory where if requested, you can supply the file to requestors here.

    In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate since system configurations, and versions vary somewhat -- that said you can execute the commands in the script individually if you prefer, otherwise you use it at your own risk.

    Ironically, I've received multiple messages from various users who have thanked me for creating the script, incorporating some of the suggestions of others, and for maintaining the script up to this point, despite the negativity and unhelpful attitudes of some.

    That said, to those that have expressed their opinions concerning the script prior, your opinions will have no effect on what I decide to do, so it's probably better to just keep them to yourself, rather than cluttering the thread with more of your opinions.

    As I said prior, agree to disagree, and move on -- find something new to have an opinion about, you'll be better off.

    To the users who privately thanked me, and asked me to continue maintaining the script -- thank you very much, and I'll continue to do the best I can, while the others investigate, because I do not have the time to investigate on an ongoing basis like some of the other guys do.

    I do have some quarantined files both 32-bit and 64-bit if anyone needs them, though I have posted them previously -- just PM me and I'll be happy to provide the files in both 32-bit and 64-bit models.
    Server Security | Disaster Planning | PCI Compliance | Virtualization

    http://www.ericgillette.com
    800-665-2370

  7. #967
    Join Date
    Apr 2008
    Location
    Romania
    Posts
    17
    As far as I can see right now, on the logs I monitor the bot does not care about logging; clearly he does not verify that the password still works.

    So, the hacker probably had no root password, but he logged in just once to install, and after that he does not care anymore about coming back unless the libkey will ping him with a new user/pass or something. Or he has priority on newly hacked and not blacklisted servers.

    So please, those who have abused servers, make a cron monitoring script to check for /home/tmpp and, if it exists, to stop the networking on that server so you can preserve whatever the botnet drops there. (And hopefully the servers will be hacked again.)
    Last edited by demil; 02-20-2013 at 06:10 PM.

  8. #968
    Join Date
    Aug 2004
    Posts
    136
    Old sample I got from flopunctro, similar to what we are facing now; a sample of history shows stuff like:

    perl -e 'print "abcdefghijklmnopqrstuvwxyz\nbiz\ninfo\nnet\n";' >> 1.tmp


    which matches parts of the de-obfuscated code we have

  9. #969
    Join Date
    Jan 2013
    Posts
    357
    Anyone noticed this?

    Code:
    [~]# for i in `du -a /lib64/ | grep -v '@' | awk {'print $2'}`; do rpm -qf $i | grep 'not owned by any package'; done
    
    file /lib64/libkeyutils.so.1.3.2 is not owned by any package
    file /lib64/security/pam_hulk.so is not owned by any package

  10. #970
    Join Date
    Oct 2005
    Posts
    393
    Quote Originally Posted by egillette
    Hey all, I'm posting this based on the suggestion of someone who suggested I modify the script a bit to use auditctl, which I've done.

    Anyone interested can get it here:

    https://www.ericgillette.com/clients/exploit-cleanup

    Code:
    wget https://www.ericgillette.com/clients/exploit-cleanup
    Then:

    Code:
    md5sum ./exploit-cleanup
    Should match: 35d43e7a7294c7d28255d0d4ca3f135e

    Then:

    Code:
    sh ./exploit-cleanup
    For users who would like to know and read through what this script does:

    This will attempt to move the file into a directory where if requested, you can supply the file to requestors here.

    In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate since system configurations, and versions vary somewhat -- that said you can execute the commands in the script individually if you prefer, otherwise you use it at your own risk.

    Ironically, I've received multiple messages from various users who have thanked me for creating the script, incorporating some of the suggestions of others, and for maintaining the script up to this point, despite the negativity and unhelpful attitudes of some.

    That said, to those that have expressed their opinions concerning the script prior, your opinions will have no effect on what I decide to do, so it's probably better to just keep them to yourself, rather than cluttering the thread with more of your opinions.

    As I said prior, agree to disagree, and move on -- find something new to have an opinion about, you'll be better off.

    To the users who privately thanked me, and asked me to continue maintaining the script -- thank you very much, and I'll continue to do the best I can, while the others investigate, because I do not have the time to investigate on an ongoing basis like some of the other guys do.

    I do have some quarantined files both 32-bit and 64-bit if anyone needs them, though I have posted them previously -- just PM me and I'll be happy to provide the files in both 32-bit and 64-bit models.
    Thanks for making the script. I've had to use scripts like this before in a pinch and they come in handy. It's useful not just for the people infected today but anyone who gets infected by this a year or two down the road.

  11. #971
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by egillette
    In addition, it will attempt to symlink to an existing library on your system that *may* or *may not* be accurate since system configurations, and versions vary somewhat
    Seriously, you need to stop distributing that script before you break anyone else's system.

    If you had any sense your script would do basic sanity checks (checking that /lib64/libkeyutils.so.1.3 or /lib/libkeyutils.so.1.3 exists) before moving a critical (if infected) system library and symlinking to another library that may or may not exist.

    You have already broken several people's systems due to your lack of sanity checks.

    Something like this:

    Code:
    if [ -f "$exploit64" ] ; then
        echo "$exploit64 was found on this system. . ."
        # Refuse to continue unless the genuine library is present to symlink to.
        if [ ! -f /lib64/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        # <<rest of your script here>>
    fi

    if [ -f "$exploit32" ] ; then
        echo "$exploit32 was found on this system. . ."
        if [ ! -f /lib/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        # <<rest of your script here>>
    fi
    You need to fix that before you break anyone else's system. These simple changes at the very least would make your script safe to run on non-RHEL/CentOS 6 based systems.
    RAM Host -- Premium & Budget Linux Hosting From The USA & EU
    █ Featuring Powerful cPanel CloudLinux Shared Hosting
    █ & Cheap Premium Virtual Dedicated Servers
    Follow us on Twitter
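    The two checks argued for in this thread, written up as one added example (this is not the cleanup script from the thread, nor any poster's code): the rpm -qf loop from #969 that lists library files no package owns, fed by find so that directories and symlinks are never queried, and the sanity check from #971 that refuses to move a suspect library unless the replacement exists, starts with the ELF magic bytes, is owned by a package, and does not resolve to the suspect file itself. PKG_QUERY defaulting to rpm -qf, the quarantine directory argument, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's cleanup script. Two checks the thread
# argues for: list library files no package owns (#969), and refuse to swap
# a suspect library for a replacement that has not been verified (#971).

# Ownership query command. "rpm -qf" is the check used in the thread; making
# it overridable is an assumption of this example (e.g. PKG_QUERY="dpkg -S").
PKG_QUERY=${PKG_QUERY:-"rpm -qf"}

# Print each regular *.so* file directly under $1 that the package manager
# does not claim. find -type f keeps directories and symlinks out of the
# query, which the du -a loop in the thread does not.
unowned_files() {
    find "$1" -maxdepth 1 -type f -name '*.so*' 2>/dev/null |
    while IFS= read -r f; do
        if ! $PKG_QUERY "$f" >/dev/null 2>&1; then
            printf '%s\n' "$f"
        fi
    done
}

# Succeed only if $1 is a regular file, starts with the ELF magic bytes
# (7f 45 4c 46), and is owned by a package. A replacement that fails any of
# these is not something a cleanup script should symlink to.
good_lib_ok() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    $PKG_QUERY "$1" >/dev/null 2>&1 || return 1
}

# Move suspect $1 into quarantine dir $3 and leave a symlink at its old path
# pointing at replacement $2. Refuses (exit 1) unless $2 passes good_lib_ok
# and does not resolve to $1 itself, so the loader is never left pointing
# at a missing or still-infected file.
quarantine_lib() {
    bad=$1; good=$2; qdir=$3
    if [ ! -f "$bad" ]; then
        echo "nothing to do: $bad is not present" >&2
        return 2
    fi
    if ! good_lib_ok "$good"; then
        echo "refusing: $good missing, not ELF, or unpackaged; review manually" >&2
        return 1
    fi
    if [ "$(readlink -f "$good")" = "$(readlink -f "$bad")" ]; then
        echo "refusing: $good resolves to the suspect file $bad" >&2
        return 1
    fi
    mkdir -p "$qdir" && mv "$bad" "$qdir/" && ln -s "$good" "$bad"
}

# Reporting only when run directly, e.g.: sh cleanup-check.sh /lib64
# quarantine_lib is invoked explicitly by the operator after review.
if [ -n "$1" ]; then
    unowned_files "$1"
fi
```

    Running the report against /lib64 on a clean system should print nothing; a printed path is a file to examine, not something to move automatically. The quarantine step keeps the suspect file for the people in this thread who are collecting samples, and the readlink comparison covers the case where the "good" name is itself a symlink that the infection has repointed at the trojaned library.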

  12. #972
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by Olly-ellogroup
    I am 100% with Steve on his theory of local machine hacking.
    I am as well.

    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in DNS packets out port 53.

    He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.

    If you have a server affected by this, your workstation has been compromised.

  13. #973
    Join Date
    Oct 2005
    Posts
    393
    Quote Originally Posted by ramnet
    Seriously, you need to stop distributing that script before you break anyone else's system.

    If you had any sense your script would do basic sanity checks (checking that /lib64/libkeyutils.so.1.3 or /lib/libkeyutils.so.1.3 exists) before moving a critical (if infected) system library and symlinking to another library that may or may not exist.

    You have already broken several people's systems due to your lack of sanity checks.

    Something like this:

    Code:
    if [ -f "$exploit64" ] ; then
        echo "$exploit64 was found on this system. . ."
        # Refuse to continue unless the genuine library is present to symlink to.
        if [ ! -f /lib64/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        # <<rest of your script here>>
    fi

    if [ -f "$exploit32" ] ; then
        echo "$exploit32 was found on this system. . ."
        if [ ! -f /lib/libkeyutils.so.1.3 ]; then
            echo "You are infected, but this script can not help you further. Review your system manually."
            exit 0
        fi
        # <<rest of your script here>>
    fi
    You need to fix that before you break anyone else's system. These simple changes at the very least would make your script safe to run on non-RHEL/CentOS 6 based systems.
    Lay off the script already; we're all fellow members of the open-source community, a community built on people writing scripts and code and freely distributing it for other people to use and add to. If you want to modify that script, or create your own script, you're more than welcome to do so.

  14. #974
    Join Date
    Feb 2013
    Posts
    32
    Quote Originally Posted by ramnet
    I am as well.

    nenolod and Steven actually have a copy of the rootkit keylogger that has caused this. It affects workstations and sends out keystrokes in DNS packets out port 53.

    He used this infected workstation system to login to a honeypot and a few hours later that honeypot was hit.

    IPs all match the suspect IPs here.

    If you have a server affected by this, your workstation has been compromised.
    Thanks for this. I concur as well, as malware was detected on my local PC after running scans. (Appears the malware entered through some sort of Java exploit, at least on my machine.) Unsure if this is what actually caused the compromise in my case; however, it makes sense.

    Do you have any more info on this rootkit keylogger so I can have a look over it?

  15. #975
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by jalapeno55
    Lay off the script already
    His script will take down any system that is not a CentOS 6.x or RHEL 6.x system.

    His script as it stands right now is more dangerous to the stability of your server than the exploit he is trying to fix.

    All because he can't be bothered to do a basic one line sanity check.
