  1. #16
    Member
    Join Date
    Aug 2002
    Posts
    1,118

    Is there any way to know if the rootkit has been installed without rebooting a server? The way I understand the numerical mkdir test will only work if the rootkit is up and running (i.e. after you have rebooted a system that has the rootkit installed) or is my thinking wrong?

    In other words, if your server has been compromised, but you have not rebooted your server in several weeks, is there a way to detect the rootkit?

    Apologies if this has been stated somewhere, I've read through a lot of posts and articles and did not see where there were any answers to this question, but I may have overlooked it.

  2. #17
    Member
    Join Date
    Feb 2006
    Posts
    9

    Quote Originally Posted by sparek-3
    Is there any way to know if the rootkit has been installed without rebooting a server? The way I understand the numerical mkdir test will only work if the rootkit is up and running (i.e. after you have rebooted a system that has the rootkit installed) or is my thinking wrong?

    In other words, if your server has been compromised, but you have not rebooted your server in several weeks, is there a way to detect the rootkit?

    Apologies if this has been stated somewhere, I've read through a lot of posts and articles and did not see where there were any answers to this question, but I may have overlooked it.
    Yes, see my last post. For the first method you would need a qualified system administrator, and I would strongly advise that you check that the administrators are actually capable of such tasks.

    The second option is to sniff the packets also highlighted in my second post.
    Remote System Administration - Linux System Administration
    Server Tutorials - Web Hosting Tutorials
    Scottmcintyre.net - My Blog

  3. #18
    Member
    Join Date
    Jan 2008
    Posts
    16

    Thanks for the update Todd. I can confirm CentOS 5 is also affected by this exploit.

  4. #19
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    Quote Originally Posted by MurdochNZ
    Thanks for the update Todd. I can confirm CentOS 5 is also affected by this exploit.
    Would it be possible to submit a ticket with information on a CentOS 5 box that has been exploited in this way? I'd like to log in if possible and look around the system if it's still online in the infected state.
    -Todd Shipway

  5. #20
    Member
    Join Date
    Jan 2008
    Posts
    16

    Todd, I am afraid the server has been pulled by our data centre and will be reinstalled sometime today.

  6. #21
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    No problem. Keep in mind that this issue has been known to re-compromise freshly reinstalled servers, so be sure to set up a good secure system after the fresh reinstall.
    -Todd Shipway

  7. #22
    Member
    Join Date
    Jan 2008
    Posts
    16

    Todd,

    Yes, I am aware of that, but really at this point, until someone comes up with an answer on how to block these little bastards, it's all we can do. Better than having all our sites offline.

    The boss has just told me he is going to try and get FreeBSD installed instead of a Linux derivative. Fingers crossed...

  8. #23
    Member
    Join Date
    May 2005
    Posts
    235

    Quote Originally Posted by MurdochNZ
    Thanks for the update Todd. I can confirm CentOS 5 is also affected by this exploit.
    Are you certain it was CentOS 5? I have seen many CentOS 4 servers with this exploit but no CentOS 5 servers.

  9. #24
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    It has been confirmed that this issue does exist on CentOS 5, and I would assume the issue also exists on RHEL5.
    -Todd Shipway

  10. #25
    Member
    Join Date
    Aug 2002
    Posts
    1,118

    Does sniffing packets as outlined at:

    http://www.cpanel.net/security/notes...s_toolkit.html

    detect the rootkit if it is installed in its inactive state?

    As I understand, any server could be affected by this rootkit, but it sits in an idle state until the server is rebooted, is that correct? What if you don't reboot the server, is there a way to identify the rootkit and know that it is installed but idle on the server?

    The above discussion seems to indicate that running the packet sniff will tell you if the rootkit is installed, but I was under the impression that this would only work if the rootkit is installed and the server has since been rebooted.

  11. #26
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    Sniffing the packets will only confirm the compromise once it's active. In its inactive state, the JavaScript isn't being served and will not be picked up during the tcpdump.

    The easiest way to confirm the rootkit in an inactive state is to boot into a clean environment and verify the binary files on the system haven't been modified.
    -Todd Shipway
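    An added example of the offline check Todd describes above (boot clean, then verify the system binaries), not code from this thread or from cPanel. It assumes the suspect filesystem is mounted read-only under a directory, that a manifest of "sha256  /path" lines exists from a trusted install of the same package versions, and that GNU coreutils sha256sum is available; the demo tree it builds is constructed, not a real system.

```shell
#!/bin/sh
# Added example, not from this thread: offline integrity check of a suspect
# filesystem mounted read-only from a clean boot environment. Hashes of system
# binaries are compared against a "sha256  /path" manifest taken from a trusted
# install of the same package versions (on RPM systems, "rpm -Va --root
# /mnt/suspect" is the packaged equivalent). Assumes GNU coreutils sha256sum.

# check_binaries <suspect_root> <manifest>: prints "MODIFIED <path>" or
# "MISSING <path>" per problem; returns 0 only if every listed file matches.
check_binaries() {
    root="$1"; manifest="$2"; status=0
    while read -r expected path; do
        case "$expected" in ''|'#'*) continue ;; esac   # skip blanks/comments
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# make_demo: builds a constructed demo tree (not a real system) and prints its
# directory. "clean" is the trusted copy the manifest is built from; "suspect"
# has a tampered /sbin/init, a missing /bin/ls and an intact /bin/ps.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/sbin" "$d/clean/bin" "$d/suspect/sbin" "$d/suspect/bin"
    printf 'genuine init\n' > "$d/clean/sbin/init"
    printf 'genuine ls\n'   > "$d/clean/bin/ls"
    printf 'genuine ps\n'   > "$d/clean/bin/ps"
    (cd "$d/clean" && find . -type f | while read -r p; do
        printf '%s  %s\n' "$(sha256sum "$p" | cut -d' ' -f1)" "${p#.}"
    done) > "$d/manifest"
    cp "$d/clean/bin/ps" "$d/suspect/bin/ps"            # untouched binary
    printf 'trojaned init\n' > "$d/suspect/sbin/init"   # replaced binary
    echo "$d"
}

demo=$(make_demo)
check_binaries "$demo/suspect" "$demo/manifest" || echo "integrity check FAILED"
rm -rf "$demo"
```

Run it from the rescue environment against the mounted suspect root rather than from the suspect system itself, since an active rootkit can hide modified files from tools running on the compromised kernel.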

  12. #27
    Member
    Join Date
    Dec 2007
    Posts
    6

    We have a private box with 15 sites if anyone wants to look around on it. Only been running a couple of weeks and it's our first so it may not be as hardened as some.


    Done nothing to it as we just found out we have this gem.

    CENTOS Enterprise 5 i686 on standard - WHM X v3.1.0

    # tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
    <script language='JavaScript' type='text/javascript' src='tmboe.js'></script>
    <script language='JavaScript' type='text/javascript' src='polko.js'></script>
    359 packets captured
    718 packets received by filter
    0 packets dropped by kernel


    I got a log notice Sunday that around 15000 login attempts had occurred from a China IP, a few of which we banned on Monday a.m.

  13. #28
    Member (rs-freddo)
    Join Date
    May 2003
    Location
    Australia
    Posts
    819
    cPanel/Enkompass Access Level

    Root Administrator

    So basically you're OK if you don't reboot. Once you reboot you should immediately check to make sure you do not have the rootkit. If you do, then you need to re-install the 3 RPMs that Todd mentions (which 3 exactly?). Then you should be right till the next reboot.
    Michael

  14. #29
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300

    If you still have this server available, please submit a ticket at https://tickets.cpanel.net/submit/in...eqtype=tickets and put "Attn: Todd" in the subject so I can login and take a look.

    Thanks!

    Quote Originally Posted by 405hp
    We have a private box with 15 sites if anyone wants to look around on it. Only been running a couple of weeks and it's our first so it may not be as hardened as some.


    Done nothing to it as we just found out we have this gem.

    CENTOS Enterprise 5 i686 on standard - WHM X v3.1.0

    # tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
    <script language='JavaScript' type='text/javascript' src='tmboe.js'></script>
    <script language='JavaScript' type='text/javascript' src='polko.js'></script>
    359 packets captured
    718 packets received by filter
    0 packets dropped by kernel


    I got a log notice Sunday that around 15000 login attempts had occurred from a China IP, a few of which we banned on Monday a.m.
    -Todd Shipway

  15. #30
    Member
    Join Date
    Mar 2003
    Location
    New York
    Posts
    101

    Put a little light on it...

    Is it just me?

    Or does everyone have their fingers crossed (no reboots until somebody finds something)?
