Page 67 of 102
Results 991 to 1,005 of 1523
  1. #991
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,763
    Quote Originally Posted by ThreadHo View Post
    What malware is infesting the desktop? I have scanned many times and found none. Can someone elaborate on what it is and how to remove it, or suggest another tool to look for it?
    What scanner are you using?

    First, if it is something like Norton or, God forbid, McAfee, then forget it. The first thing a good Java infection does is plant itself in and hide from whatever virus scanner you have installed on the system, so it becomes useless at finding it. Download a new scanner; I like Avast myself, since it was the only one to reliably detect the Gumblar virus when it was first out. Disable your current scanner and let the new one scan the system. Don't trust what you already have installed.

  2. #992
    Join Date
    Feb 2013
    Posts
    97


    Quote Originally Posted by ramnet View Post
    This is from about 8 hours ago:

    Code:
    <nenolod> interesting
    <nenolod> we found a rootkit on tortoiselabs office equipment
    <nenolod> running windows 7
    <nenolod> and our OVH creds were changed from that machine
    <steven> oh noes the h4x
    <nenolod> i wonder if it is related to SSHD thing
    <steven> good question
    <steven> get to work
    <steven> :P
    <nenolod> i have the binaries, i intend to look at them in a bit with idapro
    <nenolod> btw
    <nenolod> the rootkit
    <nenolod> was sending keystrokes as DNS requests
    <nenolod> to the same russian IP
    <steven> which ip
    <steven> what did you use to pickup the rootkit
    <nenolod> the 78.x nameserver ip
    <steven> gotcha
    <nenolod> i used tcpdump while typing into the keyboard on the errant machine
    <nenolod> i then disconnected it from the network :P
    <nenolod> rabbit:/home/nenolod# apk audit --system
    <nenolod> M  /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
    <nenolod> ?  /lib/libkeyutils.so.1.9            
    <nenolod> well, that's concerning
    <nenolod> and, /tmp contains a copy of openssh source
    <steven> even the great neno has been h4x
    <nenolod> this is new
    <nenolod> and it is a honeypot
    <nenolod> it's supposed to be h4x
    <nenolod> the concerning part is that they seem to build the rootkit on the machine
    <nenolod> observation: why would sshd link against libkeyutils.so?
    <nenolod> ran apk fix
    <steven> kernel key management
    <ramnet> nenolod, did you access your honeypot from the workstation that had the keylogger on it?
    <nenolod> as a matter of fact, yes!
    <ramnet> so, you've pretty much confirmed that's what the cause of the hack is then
    <steven> nenolod would you be willing to pass me the windows rootkit?
    <nenolod> steven, yeah as soon as i have a chance to get the machine network-accessible again
    May we ask how, or with what software, the rootkit was discovered? Time for everyone to scan for it, perhaps?
    Last edited by matbz; 02-20-2013 at 07:28 PM. Reason: typo
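The log above gives two concrete host-side indicators: a package audit showing /lib/libkeyutils.so.1 re-pointed at an unpackaged libkeyutils.so.1.9, and sshd depending on libkeyutils at all. The script below is an added example (not nenolod's or anyone else's code from the thread) that checks both; the sample audit and readelf outputs are constructed, and the rpm/dpkg package names in check_host() are assumptions.

```shell
#!/bin/sh
# Added example: checks for the two indicators in the IRC log above: a package
# audit flagging /lib/libkeyutils.so.1 as modified or an unpackaged
# libkeyutils.so.1.9 present, and sshd carrying a direct NEEDED entry for
# libkeyutils. Package names in check_host() are assumptions.

# Constructed sample of `apk audit --system` output, shaped like the log.
SAMPLE_AUDIT='M  /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
?  /lib/libkeyutils.so.1.9
M  /etc/ssh/sshd_config'

# Constructed sample of `readelf -d /usr/sbin/sshd` on a relinked sshd.
SAMPLE_DYN=' 0x0000000000000001 (NEEDED)  Shared library: [libpam.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libkeyutils.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Count audit lines (M = modified and ? = not owned by any package, as in the
# log; A = added) that name a libkeyutils file under /lib, /lib64 or /usr/lib*.
# Reads the audit report on stdin and prints the count, so saved reports work.
count_keyutils_findings() {
    grep -cE '^[MA?] +/(usr/)?lib(64)?/libkeyutils\.so' || true
}

# Does sshd list libkeyutils as a direct dependency? readelf only parses the
# ELF headers, unlike ldd, which runs the dynamic loader on a binary you
# distrust. A transitive pull-in (e.g. via Kerberos libraries) does not show.
needs_keyutils_directly() {
    grep -qE '\(NEEDED\).*\[libkeyutils\.so'
}

# Live check of this host. apk is Alpine's package manager, as in the log; on
# rpm or dpkg systems verify the package instead (assumed package names:
# `rpm -V keyutils-libs`, `dpkg -V libkeyutils1`).
check_host() {
    sshd=${1:-/usr/sbin/sshd}
    if [ -r "$sshd" ] && command -v readelf >/dev/null 2>&1; then
        if readelf -d "$sshd" 2>/dev/null | needs_keyutils_directly; then
            echo "WARN: $sshd has a direct NEEDED entry for libkeyutils"
        fi
    fi
    if command -v apk >/dev/null 2>&1; then
        n=$(apk audit --system 2>/dev/null | count_keyutils_findings)
        if [ "${n:-0}" -gt 0 ]; then
            echo "WARN: apk audit flagged $n libkeyutils entries"
        fi
    fi
    return 0
}
```

A hit from either check is a reason to compare the library against the distribution's package (checksums, ownership) rather than proof on its own, since some distributions' sshd builds legitimately reach libkeyutils through other libraries.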

  3. #993
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    35

    Thanks.

    Will try your suggestion.
    I suspect it may be a login from home.


    Quote Originally Posted by Techark View Post
    What scanner are you using?

    First, if it is something like Norton or, God forbid, McAfee, then forget it. The first thing a good Java infection does is plant itself in and hide from whatever virus scanner you have installed on the system, so it becomes useless at finding it. Download a new scanner; I like Avast myself, since it was the only one to reliably detect the Gumblar virus when it was first out. Disable your current scanner and let the new one scan the system. Don't trust what you already have installed.

  4. #994
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by matbz View Post
    May we ask how, or with what software, the rootkit was discovered? Time for everyone to scan for it, perhaps?
    <ramnet> nenolod, how did you find that windows rootkit earlier? where was its payload located?
    <nenolod> ramnet, i just ran Malwarebytes Anti-Malware, and it was a file in C:\Windows\System32 running as LOCAL_SERVICE permissions

  5. #995
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by ramnet View Post
    <ramnet> nenolod, how did you find that windows rootkit earlier? where was its payload located?
    <nenolod> ramnet, i just ran Malwarebytes Anti-Malware, and it was a file in C:\Windows\System32 running as LOCAL_SERVICE permissions
    Thanks very much ramnet!! Potentially the most useful post in this entire thread.

    Anyone affected by this should do the same asap, and please post back to the community with their results.

  6. #996
    Join Date
    Sep 2002
    Location
    Toronto, ON
    Posts
    3,439
    Can anyone confirm whether servers without CSF have been infected?

  7. #997
    Join Date
    Nov 2012
    Posts
    74
    It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:

    I say this because a previous post rang a bell for me: there is a guy here who sent his root password to cPanel support, and a few days later his server was compromised. Maybe cPanel had some kind of data leak?
    The ONLY server that got hit on my network was the one server that I gave cPanel my root password to investigate an issue I was having. All my other servers have been fine and my computer at my office is the only computer I use to access them. So as I said, it is very possible that computers at places like cPanel can also be compromised.

  8. #998
    Join Date
    Sep 2012
    Posts
    52
    Quote Originally Posted by brianemwd View Post
    It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:

    The ONLY server that got hit on my network was the one server that I gave cPanel my root password to investigate an issue I was having. All my other servers have been fine and my computer at my office is the only computer I use to access them. So as I said, it is very possible that computers at places like cPanel can also be compromised.
    DirectAdmin servers are also infected.

  9. #999
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by brianemwd View Post
    It doesn't have to be a local computer that could be infected. Somebody earlier mentioned that it was possible that techs at cPanel (for example) could be compromised:
    That's correct.

    Any workstation used to login to any given server is an attack vector.

    That includes people with multiple computers at their home or office, people you hire for server management duties, datacenter techs logging in, and anyone else that had your server's login info on their computer and used it.
    Last edited by ramnet; 02-20-2013 at 08:11 PM.

  10. #1000
    Join Date
    Sep 2002
    Location
    Toronto, ON
    Posts
    3,439
    <<snipped>>

    So far we have had a few infections; the only constant (most likely a coincidence) is that they're running CSF.

    Just throwing it out there because CSF does have an auto update feature.
    Last edited by bear; 02-21-2013 at 09:14 AM.

  11. #1001
    Join Date
    Nov 2012
    Posts
    74
    Quote Originally Posted by coldbeer View Post
    DirectAdmin servers are also infected.
    Yep, and my post said "for example" to reflect that. Nowhere in my post did I imply that ONLY cPanel servers were being infected. All I am saying is that it is very possible, if a workstation exploit is behind these attacks, that companies such as cPanel (and there would be others) could have some of their techs compromised.

  12. #1002
    Join Date
    Feb 2013
    Posts
    32
    Quote Originally Posted by ramnet View Post
    That's correct.

    Any workstation used to login to any given server is an attack vector.

    That includes people with multiple computers at their home or office, people you hire for server management duties, and anyone else that had your login info on their computer and used it.
    ramnet, your posts have been most useful. Has there been any indication that the malware on Windows machines has the ability to spread over local networks, infecting other vulnerable machines on your network? Has there also been any indication that there may be some sort of packet sniffing occurring? I am wondering if there are other methods than just keylogging the machine it's on. If this is the case, then you may need to check all machines in your local network, or networks that have been used to access your Linux servers.

  13. #1003
    Join Date
    Apr 2009
    Location
    USA / UK
    Posts
    4,553
    Quote Originally Posted by Hellsheep View Post
    ramnet, your posts have been most useful. Has there been any indication that the malware on Windows machines has the ability to spread over local networks, infecting other vulnerable machines on your network? Has there also been any indication that there may be some sort of packet sniffing occurring? I am wondering if there are other methods than just keylogging the machine it's on. If this is the case, then you may need to check all machines in your local network, or networks that have been used to access your Linux servers.
    Based on what I've heard I don't believe the malware propagates over a local area network, as a single workstation in an office environment was compromised while other similar systems on the LAN weren't.

    That doesn't mean it isn't possible though. nenolod and Steven are still busy analyzing it.

  14. #1004
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,256
    Quote Originally Posted by serve-you View Post
    This was my point. Of course we know Steven, huck, and a few others here run server management companies and are very well known. Random people who just appear in this thread out of nowhere should not be trusted.
    I would hope that goes without saying.

    I have noticed a bunch of "noobs" though, suddenly asking people.... Can't imagine anyone stupid enough to go along with it though.....

  15. #1005
    Join Date
    Sep 2002
    Location
    Toronto, ON
    Posts
    3,439
    Ok, never mind, we have servers with CSF that haven't been infected.
