[ALUG] Ebury rootkit on cPanel
Andreas Tauscher
ta at geuka.net
Sat Feb 15 15:04:30 EAT 2014
Somehow this rootkit is back after a year. [1]
If your Linux server is affected, you can easily check:
If ipcs -m gives output like this:
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch
0x000006e0 65538      root       666        3283128    0
A 3 megabyte shared memory segment with full access rights: it is quite
certain you are affected.
The owner might vary.
DNS queries going out from your server with host names like
5742e5e76c1ab8c01b1defa5.1.2.3.4 are also an indicator.
At [1] you will also find a Snort rule for detecting Ebury-specific traffic.
Up to now most affected systems have been using cPanel.
Here is some additional information on how to verify whether your server is
infected: [2] [3]
If you are affected: Save your data and wipe the entire system.
Andreas
[1] https://www.cert-bund.de/ebury-faq
[2] http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem
[3] https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
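The two host-side indicators from the post above (a ~3 MB shared memory segment with perms 666 in `ipcs -m`, and outbound DNS names shaped like 24 hex characters followed by an IPv4 address), written up as a small POSIX shell checker. This is an added example, not code from the post or from CERT-Bund; the size window of 2 to 5 MB is an assumption, since the post only cites one sample value of 3283128 bytes, and the sample `ipcs` and DNS input is constructed so the script runs offline. Pass `--live` to run it against the real `ipcs -m` output of the host.

```shell
#!/bin/sh
# Added example (not from the original post): flag shared-memory segments
# that match the Ebury indicator described above (perms 666, roughly 3 MB).
# The 2-5 MB window is an assumption; the post gives one sample of 3283128 bytes.

# Reads `ipcs -m` output on stdin, prints matching segments,
# returns 0 if at least one suspicious segment was found, 1 otherwise.
check_shm() {
    awk '
        # Data rows start with a 0x key; the header and banner lines do not.
        /^0x/ {
            shmid=$2; owner=$3; perms=$4; bytes=$5
            if (perms == "666" && bytes >= 2000000 && bytes <= 5000000) {
                printf "SUSPICIOUS shmid=%s owner=%s perms=%s bytes=%s\n", shmid, owner, perms, bytes
                found=1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Reads host names (one per line) on stdin and prints those shaped like the
# DNS beacon quoted in the post: 24 hex characters, then a dotted IPv4 address.
# Exit status follows grep: 0 if any name matched, 1 if none did.
check_dns_names() {
    grep -E '^[0-9a-f]{24}\.([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Constructed sample input (not a real capture) so the script runs offline.
SAMPLE_IPCS='
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      www-data   600        1048576    2
0x000006e0 65538      root       666        3283128    0
0x0052e2c1 98307      postgres   600        33554432   6
'

SAMPLE_DNS='5742e5e76c1ab8c01b1defa5.1.2.3.4
www.example.com
mail.example.net'

# With --live, inspect the real shared memory segments of this host.
if [ "${1:-}" = "--live" ]; then
    ipcs -m | check_shm
    exit $?
fi

# Otherwise demonstrate both checks on the constructed samples.
printf '%s\n' "$SAMPLE_IPCS" | check_shm
printf '%s\n' "$SAMPLE_DNS" | check_dns_names
```

The shared-memory check is deliberately narrow (perms 666 plus a size window) because a legitimate application can also create world-accessible segments; a hit is a reason to look closer with the steps in [2] and [3], not proof on its own. The DNS check is meant to be fed host names extracted from a resolver log or packet capture, one per line.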