Malware
I received the following email from my hosts - I have a dedicated CentOS server with cPanel. I have been informed that there was a fault with cPanel and that I now have malware and the only fix is to reinstall the OS. This is a massive process, and I cannot believe there isn't a fix for this that does not entail an OS reinstall. Any advice would be greatly appreciated.
Here's the email:
[QUOTE]The malware we are talking about is a system-based infection (sshd) that provides backdoor root access to a hacker, spies, and steals passwords.
This is why we invite you to re-install the server.
Please provide us with the result of the following commands:
# procnumber=$(ps aux | grep "/usr/sbin/sshd" | grep -v grep | awk '{print $2}') && gcore $procnumber && strings -a core.$procnumber | egrep "Version 1.3|g:sshd:1|key:1|g:%s:%s|u:%s:%s|ssh:1|getspnam|ekfwbqltizpdvurjnacshxogym|Sniffing packet"
# rpm -V keyutils-libs
# lsof -Pni | grep
[/QUOTE]
More discussion on the cPanel forum: Determine Your System's Status (http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem)
The SSHD backdoor has nothing to do with cPanel. It can be installed on any machine running SSHD if the machine was compromised on a root level. Sorry to say it, but if a server is compromised on a root level you really should let them reinstall the OS. Yes, you could replace the compromised SSHD library (libkeyutils) and restart the service to remove that backdoor, but there is no telling what other areas of your system may be compromised beyond repair. I'd start here: Determine Your System's Status (http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem#How%20to%20Check%20Your%20System%20for%20the). If the rpm verification for libkeyutils fails or the symlink goes to a file that does not belong to an RPM, your system is indeed owned (rooted) and you should reinstall your OS.
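The symlink check the reply above describes, as an added shell script that is not from this thread or from cPanel: it lists every libkeyutils file in the given library directories, resolves symlinks, and asks rpm -qf whether any installed package owns the target. The library paths it scans by default and the package names in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit every libkeyutils file in the
# given library directories. A file or symlink target that no RPM owns is
# flagged, and the function returns 1 if anything was flagged so it can be
# run from cron or a monitoring script. Assumes an RPM-based system.
check_libkeyutils() {
    findings=0
    for dir in "$@"; do
        for f in "$dir"/libkeyutils*; do
            # An unmatched glob leaves the literal pattern behind; skip it.
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ]; then
                target=$(readlink -f "$f")
                if [ ! -e "$target" ]; then
                    echo "WARN $f is a dangling symlink -> $target"
                    findings=1
                    continue
                fi
            else
                target="$f"
            fi
            # rpm -qf exits non-zero when no installed package owns the path.
            if owner=$(rpm -qf "$target" 2>/dev/null); then
                echo "OK   $f -> $target ($owner)"
            else
                echo "WARN $f -> $target is not owned by any RPM"
                findings=1
            fi
        done
    done
    return "$findings"
}

# Scan the usual library paths (assumed) when rpm is available, then verify
# the keyutils-libs package itself as the host's email asks. Any output from
# rpm -V means a packaged file no longer matches what the RPM installed.
if command -v rpm >/dev/null 2>&1; then
    check_libkeyutils /lib /lib64 /usr/lib /usr/lib64
    echo "--- rpm -V keyutils-libs (no output means all files verify) ---"
    rpm -V keyutils-libs
fi
```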
Thanks for the insights and advice guys - I'm probably going to do a reinstall shortly; how do I protect myself so that this doesn't happen again?
Hello :) A good place to start for general security recommendations is the cPanel Security Advisor. It's documented at: cPanel - Security Advisor. Thank you.
Security Advisor is a good place to start. Root compromises usually result from either out-dated kernel versions allowing a web app hack to escalate privileges, or a compromise of the root password. The first is easy to defend against; when a new kernel comes out, install it and reboot to make it active. The second you can help with by doing things like disallowing direct root SSH login, and firewalling your WHM port off to only trusted IP addresses.