Ebury infection on Server

Discussion in 'Security' started by isp, Mar 3, 2014.

  1. isp

    isp Member

    Joined:
    Mar 3, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    So here I am .... completely gutted. My server has an Ebury infection.

    This frustrates me, because I literally took every single precaution I could:

    I made sure that my root password was at least 64 characters long. It was completely random and consisted of numbers, letters and special characters. Only two people have the root password. Both of us use Linux desktops to avoid exploitation.

    I kept the system updated. I installed the CSF firewall. I run daily malware scans. Since we have had to reinstall systems in the past, we took just about every single precaution humanly possible to prevent our system being exploited. The only thing I didn't do was limit which machines you can SSH from (for practical reasons).

    I am now sitting with an Ebury infection. Apparently it came in an SSH package that cPanel gave me :/

    https://www.cert-bund.de/ebury-faq

    I can confirm my machine is infected:

    So I am 100% definitely infected.

    So now what do I do? The only solution that is offered is to reinstall the WHOLE server. I have almost 600 accounts on the one server. How on earth do I do this so there is no down time?

    How do I even do this?

    I feel that I did take every possible precaution and that it was not due to negligence on my side but rather my software vendor.

    Are cPanel offering assistance to clean clients' servers? Is the responsibility solely ours? Is there any assistance or advice someone can give to avoid down time?

    This could literally hurt our business in a massive way. I feel I have been let down by cPanel :/
     
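The check the poster did not paste, as an added example that is not part of the thread: a parser for Linux `ipcs -m` output that flags the world-writable, multi-megabyte shared memory segment which the CERT-Bund FAQ linked above lists as an Ebury indicator. The sample table is constructed, and the 666 / 3 MB thresholds are my recollection of that FAQ, not values taken from this thread.

```python
"""Added example: scan `ipcs -m` output for an Ebury-style shared memory segment."""
import re
import subprocess
from typing import Dict, List

# Heuristic (assumed, from the CERT-Bund Ebury FAQ): Ebury keeps a world-writable
# (perms 666) shared memory segment of roughly 3 MB or more on an infected host.
SUSPICIOUS_PERMS = "666"
MIN_BYTES = 3 * 1024 * 1024

def parse_ipcs_m(text: str) -> List[Dict[str, object]]:
    """Parse the table printed by Linux `ipcs -m` into a list of segment dicts."""
    segments = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a hex key such as 0x00000000; banner/header lines do not.
        if len(fields) < 6 or not re.fullmatch(r"0x[0-9a-fA-F]{8}", fields[0]):
            continue
        segments.append({
            "key": fields[0],
            "shmid": int(fields[1]),
            "owner": fields[2],
            "perms": fields[3],
            "bytes": int(fields[4]),
            "nattch": int(fields[5]),
        })
    return segments

def suspicious_segments(segments: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the segments matching the world-writable, >= 3 MB heuristic."""
    return [s for s in segments
            if s["perms"] == SUSPICIOUS_PERMS and s["bytes"] >= MIN_BYTES]

# Constructed sample output, not real output from the poster's server.
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      root       666        3284992    0
0x0052e2c1 98305      postgres   600        56         6
0x00000000 131074     www-data   666        65536      2
"""

if __name__ == "__main__":
    # Run against the live system; only the first sample row would be reported above.
    raw = subprocess.run(["ipcs", "-m"], capture_output=True, text=True).stdout
    for seg in suspicious_segments(parse_ipcs_m(raw)):
        print(f"suspicious shm: shmid={seg['shmid']} owner={seg['owner']} bytes={seg['bytes']}")
```

The FAQ's companion `ssh -G` test reports "infected" on every OpenSSH 6.8 or later build, where `-G` became a valid option, so it is not usable on current systems. Ebury has changed since 2014, and an empty result from this scan does not prove the host is clean.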
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Have you checked the machine that you SSH to this machine from? That one may be infected.

    Unless you had a cPanel ticket in a very small window of time where they had an infected workstation, this was more likely (sadly) from something on your end and not cPanel.

    The only cases I've seen aside from stolen root passwords are due to SSHing to the newly infected box from an already infected box, or a vulnerable, exploited web application existing on a system with an outdated kernel that allowed privilege escalation. If your kernel is more than a year old this easily could have happened, especially with hundreds of accounts.

    You do need to move your clients to a machine with a new OS. The last person that tried to have me just replace the compromised RPMs ended up with a non-functioning system 1-2 days later; it would not even boot. This is a very very nasty rootkit.

    Now might be a good time to consider investing in 6 smaller servers with 100 accounts each rather than having 600 accounts on one server. Just make sure you PULL data from the infected server, do NOT log in to your new server(s) from the infected one. Typically logging into the infected one via a clean machine won't risk the clean machine, but it's best to boot to a guest operating system to get your data (i.e. live boot CD / Jump drive).
     