Done
Your Request id is: 233094.
Thanks for the ticket!
-Todd Shipway
A patched kernel (patched to stop /dev/mem or /dev/kmem being written), e.g. the Grsecurity patch, is rumored to stop the rootkit becoming active and serving up the exploit code.
It may not stop it getting into the system, but at least it should mean that you're not giving your visitors any nasty surprises when they visit one of your clients' sites.
Although I wish someone would make a scanner to find traces of infection even if it is inactive.
At least with the patched kernel you're not infecting a lot of people's machines with who knows what, which ultimately has to be a good thing. (Far too many people on the internet don't realise they should install security software and any OS security patches.)
I'll certainly feel better once the experts find out just how this thing actually gets there in the first place and can come up with a better defense against it. We got hit once and, as far as I know, have managed to keep it from hitting us a second time so far.
Last edited by dragon2611; 01-17-2008 at 07:59 PM.
Just FYI
http://news.bbc.co.uk/1/hi/technology/7193993.stm
I assume that's the same problem being discussed here.
That article says "they are trying to exploit known vulnerabilities in open source content management software that the sites are using." So, I'm guessing they found a link between the boxes that are infected. CMS software on sites?
Most of those 'news' reports are just re-blathering content meant to increase sales of the virus blockers.
As a reference point I can eliminate a lot of things because we are so small. Fresh installs of php 5 and mysql 5. Our server has 2 accounts using xoops on it - just using admin users. One using wordpress. 1 smf forum 3 phpbb forums (only one active. The other 2 are locked down.). 3 coppermine installs. 2 using front page extensions. The rest are pretty much static php and html.
Last edited by dragon2611; 01-18-2008 at 02:27 PM.
dragon2611, please tell what mod_security rules you are using.
best regards,
Piotr
It's also a good idea to throw Nobody Check on there, limit access to system binaries like wget, get a virus scanner like f-prot and also use Upload Guardian for real-time upload protection and scheduled directory scanning for shell kits, and more nasties.
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
http://forums.cpanel.net/showthread.php?t=71069
The ones linked to by bazzi!
http://www.pcworld.com/article/id,14...1/article.html
"Web site administrators, on the other hand, should disable dynamic loading in their Apache module configurations."
Todd anything to add to this?
Anyone that was hit, did you ever host with Fasthosts?
This isn't going to be linked to the fasthosts issue.
That article sums things up pretty well. It is believed that passwords are being compromised. This isn't proven but an educated guess based on information that has been gathered so far. Apache modules aren't believed to be used in this rootkit as many folks have speculated. But once again, there isn't much solid information on the specific exploits used yet.
Unfortunately, the recent press and publicity this rootkit has received has caused it to slow down and become harder to investigate as infected servers aren't popping up as often.
-Todd Shipway