SSHD Rootkit Rolling around

#1441
WHT Addict
Join Date: Apr 2011
Location: Minneapolis
Posts: 118
Quote: Originally Posted by luigidelgado
I see no other choices than to point them... Or why did they change their support system so drastically? It's not a matter of proof, it's a matter of probability.

I think the true story will never go out.
Servers not running cpanel were reportedly hacked as well.

Half of the story is out already, I think the rest will get out eventually.

#1442
New Member
Join Date: Mar 2013
Posts: 2
cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.

Is the only way to sort the issue to reinstall the server still?

Or has anyone been working on something to circumvent the need to do this?

#1443
Web Hosting Master
Join Date: Oct 2010
Location: My world U just live here
Posts: 1,255
Quote: Originally Posted by Cryostasis
cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.

Is the only way to sort the issue to reinstall the server still?

Or has anyone been working on something to circumvent the need to do this?
Let me try to answer this in a philosophical way....

The problem with this hack is that the hacker becomes the root user. As root, you're GOD. And just like GOD, you can remake the world (server) in your image.

Despite how advanced science is, even as far as we are today we do not know everything in the universe. And it is ever so likely that no matter how long we live, no matter how far we grow, and how much we learn over time... We'll never know everything.

In other words.... There is no way for you to know everything "God" has done, is doing, or will do to your "world" (server).

LMAO .... This from an atheist.


Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3 ...etc... was also added.

#1444
New Member
Join Date: Mar 2013
Posts: 2

Quote: Originally Posted by TheVisitors
Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3 ...etc... was also added.
Brilliant answer! Made me laugh! Yeah I suspected as much -- just wanted to double check nothing had changed in the last couple of weeks before going into this.

Thanks :-)

#1445
Aspiring Evangelist
Join Date: Oct 2005
Posts: 393
Quote: Originally Posted by spendergrsec
Hi guys,

I was busy for a bit (dinner, etc). Looking further into the backdoor, it's doing GOT modifications of the sshd it gets loaded into in order to hijack certain functions. For instance, it hooks:
syslog
__syslog_chk
write
audit_log_user_message
audit_log_acct_message

Presumably in response to receiving a specific password/username, for the one backdoor this is "XXXdYZulavB", it will temporarily disable logging via syslog, __syslog_chk, audit_log_user_message, and audit_log_acct_message. The write() hook will also prevent logging via stderr.

The two I looked at were sending login credentials to UDP port 53 on 78.47.139.110. I need to investigate further to see what exactly that includes, but it's clearly at least sending the login name/UID, and hostname connected to.

The attacker has three commands available: Xver, Xcat, and Xbnd. Xver displays the backdoor version, Xbnd causes the connect() hook in the backdoor to bind to a specific address before performing the connect. The Xcat command involves the shared memory in some way.

Of interesting note is that the backdoor would crash as-is with the PAX_MPROTECT feature in grsecurity enabled. If the system wasn't enforcing PaX flags with RBAC, they could just disable the feature on sshd, however. For code hooking in several locations, the region involved has its protections changed to read/write/execute -- something disallowed on a grsecurity kernel and optionally logged. The write following the RWX mprotect would fail, causing a crash of sshd.

If anyone has a 32bit version of the backdoor they could mail me, it would speed up analysis a bit as I'm doing it all statically.

-Brad
Brad, how did you find they were using XOR 81h encoding?
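A defender-side check for the hooking behaviour Brad describes above (GOT/code pages flipped to read/write/execute, and a shared-memory segment attached to sshd), written as an added example that is not code from the thread: it parses /proc/<pid>/maps and flags those two signs. The sample map, its addresses and inodes are constructed; both checks are heuristics that justify a closer look, not proof of compromise.

```python
import re
from collections import namedtuple

# Fields of one /proc/<pid>/maps line: range, perms, offset, dev, inode, path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$")
Mapping = namedtuple("Mapping", "start end perms path")  # perms like "r-xp"

def parse_maps(text):
    """Parse /proc/<pid>/maps text into Mapping records; skips unparsable lines."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], m["path"].strip()))
    return out

def find_suspicious(mappings):
    """Return (reason, mapping) pairs for the two signs described in the post."""
    hits = []
    for mp in mappings:
        if mp.perms[:3] == "rwx":
            # A hooked GOT/code page mprotect'd to RWX (what PaX MPROTECT blocks)
            hits.append(("rwx mapping, typical of in-process hooking", mp))
        if mp.path.startswith("/SYSV"):
            # A stock sshd attaches no SysV shared memory; the backdoor uses it
            hits.append(("SysV shared-memory segment attached", mp))
    return hits

def scan_pid(pid):
    """Scan a live process (e.g. each sshd PID) on a Linux host."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_suspicious(parse_maps(fh.read()))

# Constructed sample (assumption, not a real capture): a 64-bit sshd whose
# data segment holding the GOT is now rwx, with a SysV shm segment attached.
SAMPLE_MAPS = """\
00400000-00480000 r-xp 00000000 08:01 262145   /usr/sbin/sshd
00680000-00684000 rwxp 00080000 08:01 262145   /usr/sbin/sshd
7f3a4c000000-7f3a4c1b5000 r-xp 00000000 08:01 131337   /lib64/libc-2.12.so
7f3a4c600000-7f3a4c620000 rw-s 00000000 00:04 98305    /SYSV00000000 (deleted)
7fff1a2b0000-7fff1a2d1000 rw-p 00000000 00:00 0        [stack]
"""

if __name__ == "__main__":
    for reason, mp in find_suspicious(parse_maps(SAMPLE_MAPS)):
        print(f"{reason}: {mp.start:x}-{mp.end:x} {mp.perms} {mp.path}")
```

On a live host, run scan_pid() over every sshd PID; a clean sshd yields an empty list, and any hit is a reason to take a memory image before touching the box.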

#1446
Junior Guru
Join Date: Aug 2010
Posts: 220
Hi,

cPanel, at first, was saying this was not related to their software... ...this was correct.

...this was related to the fact that one of their support techs had a trojan on his computer.

We got 2 servers infected by this trojan, right after we opened a ticket.

We submitted another ticket to cPanel, wondering what this new libkey file was, and 2 days later they sent an email to all their customers saying that for the last 4 months, everyone who requested support and was helped by certain specific agents had been infected by this trojan.

See this for more info: http://cpanel.net/cpanel-inc-announc...-enhancements/

...all you need (and can) do in regards to this is transfer all your files to a new server, and change all your passwords.

We did this and no longer have any problem.

#1447
Junior Guru
Join Date: Aug 2010
Posts: 220
Just think twice before you provide SSH access to someone else on your server, and you will avoid such problems.

...we no longer outsource support since that time, and request email only support.

#1448
WHT Addict
Join Date: Aug 2004
Posts: 155
cPanel were working on a ticket and they (and I) were surprised one of the servers was brute forcing the DNS Only server (and locking itself out).

This was back in October/November!!

Seems it has been rolling around for a very long time.

In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?

#1449
Web Hosting Master
Join Date: May 2002
Location: Raleigh, NC
Posts: 664
Quote: Originally Posted by o-dog
In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?
Review your firewall rules closely. Only allow incoming traffic on your firewall to ports that you need to have open to the public. Restrict connections to your SSH port to only authorized source IPs.

__________________
Tranquil Hosting
Managed Hosting | Dallas, TX | Raleigh, NC Co-location

#1450
Junior Guru Wannabe
Join Date: Mar 2005
Location: Morocco
Posts: 52
So long story short! There is no real solution whatsoever for this problem? We don't know how it got there, we don't know how to get rid of it *efficiently*, and worst of all! Even if we opt for an OS reload, we may get reinfected! That's like the killed with a spoon video.

The funny part is when you contacted cPanel, they say they can't do anything on your server as it's compromised, but when you follow their checkyourserver thing, the server doesn't appear to be compromised whatsoever. Although, cPanel may be the ultimate cause for this injection in the first place. It's like you got food poisoning in a restaurant, and when you go back to the same restaurant, they won't serve food to you because you are already *infected*.

CloudLinux was kind enough to have a closer look themselves at this, and they figured out that the server is not compromised.

Today the hackers are sending out spam from the servers, what if they decide to do something else with it!

Hamza

__________________
http://www.Genious.net/ - Beyond Perpections
1st ICANN Accredited Registrar in North Africa - Shared, Cloud and Dedicated Hosting.
Email : Sales@Genious.net

#1451
Security Ninja
Join Date: Mar 2003
Location: Canada
Posts: 8,744
Hamza, the general consensus among the experts of this forum is that it was most likely a localized PC infection that resulted in the compromises. That's how cPanel was infected. There is no reason to suspect a zero day exploit in any of the services right now.

If someone has a server that was 100% for sure compromised, the best advice would be to reinstall all workstations that access the server, reinstall the server and make sure Java is disabled as that is the most likely culprit that was exploited. Some people in this thread initially said that was a stupid theory about localized PC infections and when they finally did a virus scan of their PC they found some stuff related to backdoors known for stealing credentials and setting up VNC-like backdoors.

A few other suggestions would be to disable password authentication and restrict SSH to certain IP ranges, if possible.

__________________
Patrick William | RACK911 Labs | Software Security Auditing
300+ Vulnerabilities Found - Get a Quote @ http://www.RACK911Labs.com

www.HostingSecList.com - Security notices for the hosting community.
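The two sshd-side mitigations recommended in this thread (password authentication off, SSH reachable only from approved source addresses) as an added audit script that is not code from any poster: it reads an sshd_config the way sshd does (first occurrence of a directive wins, lines after Match are conditional) and also emits the equivalent iptables allowlist. Assumptions: OpenSSH's default of PasswordAuthentication yes, and a version recent enough to accept CIDR patterns in AllowUsers; the configs and addresses are constructed.

```python
def parse_sshd_config(text):
    """Global directives (lowercased keys); first value wins, as in sshd.
    Anything after a Match line is conditional and ignored here."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return directives

def audit_sshd_config(text):
    """Return findings for the two mitigations; an empty list means both hold."""
    d = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults PasswordAuthentication to yes, so absence counts as on
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': stolen or "
                        "brute-forced passwords still grant logins")
    # AllowUsers USER@HOST patterns are sshd's own source-address restriction
    if not any("@" in pat for pat in d.get("allowusers", "").split()):
        findings.append("no AllowUsers user@host entries: sshd accepts "
                        "logins from any source address")
    return findings

def iptables_rules(port, allowed_cidrs):
    """Firewall form of the same restriction: allowlist, then drop the rest."""
    rules = [f"-A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules

# Constructed configs (assumptions): a typical default and the hardened version.
WEAK_CONFIG = """\
Port 22
#PasswordAuthentication no
"""
HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@203.0.113.0/24 admin@198.51.100.7
# a later duplicate is ignored: sshd keeps the first value above
PasswordAuthentication yes
"""
```

audit_sshd_config(WEAK_CONFIG) reports both findings while the hardened config reports none; iptables_rules(2222, [...]) gives the firewall rules to pair with it.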

#1452
Junior Guru Wannabe
Join Date: Jan 2010
Posts: 34
Right now CentOS 5 and CentOS 6, both 32 and 64 bit, are affected.. I'm under attack from this fujing rootkit..

Debian 6 is secure from this rootkit..

Once I install CentOS my password gets hacked within 3 minutes approx..

#1453
Problem Solver
Join Date: Mar 2003
Location: California USA
Posts: 13,149
Quote: Originally Posted by simmer14
Right now CentOS 5 and CentOS 6, both 32 and 64 bit, are affected.. I'm under attack from this fujing rootkit..

Debian 6 is secure from this rootkit..

Once I install CentOS my password gets hacked within 3 minutes approx..
Are you using the same password for every install?
What os is your workstation?

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

#1454
Junior Guru Wannabe
Join Date: Jan 2010
Posts: 34
Quote: Originally Posted by Steven
Are you using the same password for every install?
What os is your workstation?
I use very complex alphanumeric passwords.. different on every install..

CentOS 6 and 5 64bit

Debian 6 is absolutely fine.. not even a single failed login attempt.. as I mentioned in my other thread, these attacks are automated and are working on a server.. and the attack comes from different machines and hosts... I even saw failed attempts from a Kimsufi.. I guess once your box or slice is rooted then it is used to attack others to root them.. right now the way to survive is Debian 6 for me..

#1455
Problem Solver
Join Date: Mar 2003
Location: California USA
Posts: 13,149
Quote: Originally Posted by simmer14
I use very complex alphanumeric passwords.. different on every install..

CentOS 6 and 5 64bit

Debian 6 is absolutely fine.. not even a single failed login attempt.. as I mentioned in my other thread, these attacks are automated and are working on a server.. and the attack comes from different machines and hosts... I even saw failed attempts from a Kimsufi.. I guess once your box or slice is rooted then it is used to attack others to root them.. right now the way to survive is Debian 6 for me..
In theory it's possible for remnants to remain resident in memory.
Have you tried pulling the power completely from the machine prior to reload?

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.
