Author Topic: Ebury Root Kit going around  (Read 853 times)


Offline Enterprisevpssolutions

Ebury Root Kit going around
« on: March 14, 2014, 04:36:29 AM »
Just wanted to make a post as I didn't see anything yet for this in the forum.

Any and all hosts are recommended to check their shared servers as well as warn all clients about the root kit.

Ebury uses shared memory segments (SHMs) for interprocess communication.
A list of currently existing SHMs can be obtained by running 'ipcs -m'
as root. If the output shows one or more large segments (at least 3 MB)
with full permissions (666), the system is most likely infected with
Ebury.

------ Shared Memory Segments --------
key         shmid   owner   perms   bytes     nattch
0x000006e0  32763   user    666     3018428   0
0x00000469  65538   root    666     4313584   0
0x0000047a  131072  smmsp   666     3966496   0

Clean systems would give a better response:

------ Shared Memory Segments --------
key         shmid   owner     perms   bytes      nattch   status
0x6c6c6536  0       root      600     4096       0
0x0052e2c1  425985  postgres  600     37879808   4

Again, please warn all clients that have VPS or dedicated servers, and check your shared Linux servers for the root kit.

Forgot to add that the only fix at this time is to create backups of the client data and reload the system.

More information can be found here: https://www.cert-bund.de/ebury-faq

If someone has another fix please post it so we can test it.

However, they are now doing it with 'signed' RPMs these days.

Be very careful about logging into other servers from a compromised box; that's one way it spreads.
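The check above (large segments with mode 666 in `ipcs -m`) is easy to automate so it can run from cron on every shared box. The script below is an added example written for this thread, not something from the original post or from CERT-Bund; it assumes the Linux `ipcs -m` column order shown in the post (key, shmid, owner, perms, bytes, nattch, optional status) and treats the post's "3 MB" as 3,000,000 bytes so that the post's own 3018428-byte segment is caught. The two sample outputs embedded in it are constructed copies of the listings above.

```shell
#!/bin/sh
# Flag shared memory segments matching the Ebury indicator from the post:
# world read/write (perms 666) and at least ~3 MB in size.
#
# Usage on a live host (run as root so all segments are listed):
#     ipcs -m | flag_ebury_shm
# Output: one line per suspicious segment: "shmid owner perms bytes".
# Assumption: util-linux style column order "key shmid owner perms bytes nattch [status]".
flag_ebury_shm() {
    # Optional first argument overrides the size threshold (bytes).
    # Default 3000000 = "3 MB" read decimally, so 3018428 is included as in the post.
    awk -v min_bytes="${1:-3000000}" '
        # Data rows start with a hex key such as 0x000006e0; header lines are skipped.
        $1 ~ /^0x[0-9a-fA-F]+$/ {
            if ($4 == "666" && ($5 + 0) >= min_bytes)
                print $2, $3, $4, $5
        }'
}

# Number of suspicious segments in the input; handy for a cron job that
# mails an alert when the count is non-zero.
count_suspicious_shm() {
    flag_ebury_shm "$@" | wc -l | tr -d ' '
}

# Constructed sample: the "infected" listing from the post.
SAMPLE_INFECTED='------ Shared Memory Segments --------
key shmid owner perms bytes nattch
0x000006e0 32763 user 666 3018428 0
0x00000469 65538 root 666 4313584 0
0x0000047a 131072 smmsp 666 3966496 0'

# Constructed sample: the "clean" listing from the post. The postgres segment is
# large but mode 600, so it must not be flagged.
SAMPLE_CLEAN='------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x0052e2c1 425985 postgres 600 37879808 4'

# Demonstration on the constructed samples when the script is run directly.
echo "infected sample:"
printf '%s\n' "$SAMPLE_INFECTED" | flag_ebury_shm
echo "clean sample (expect no lines):"
printf '%s\n' "$SAMPLE_CLEAN" | flag_ebury_shm
```

A hit from this script is an indicator, not proof: a legitimate application could create a world-writable segment of that size, so a flagged host should be inspected further (the CERT-Bund FAQ linked above lists additional checks) before it is taken offline for a rebuild.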