Ebury Rootkit/Backdoor trojan

captainron19

Active Member
Nov 10, 2011
cPanel Access Level
Root Administrator
Recently was advised by someone with a website on my IP Address that email to MSN was being blocked.

He sent me the returned emails and upon doing a CBL Lookup it informed me of the following...

The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.

Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries or a shared library used by SSH.
Ebury infected hosts are used for criminal activities, such as sending out spam emails or hosting exploit kits.

Does anyone know of any methods for removal? I saw one page that was linked from the CBL site, but it was way above any language or steps that I am capable of.

Any help would be appreciated
 

JaredR.

Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
The only way to definitely remove a rootkit is to format all partitions on the server, then reinstall the operating system. Once a system has been root compromised, there is no way to confidently clean it up, because with root access, backdoors can be placed that you cannot detect. Essentially, once a server has been root compromised, it can never be trusted again, no matter what steps are taken to try to clean it.

Though reformatting and reinstalling is a time-consuming and sometimes frustrating process, it is ultimately less time-consuming and presents far less worry than trying to clean a server and always having the lingering uncertainty that there is a backdoor left behind. Reformatting and reinstalling makes sure that a rootkit and any associated backdoors are gone, while any other attempts at cleaning up do not.
 

JaredR.

Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
I should have also mentioned that, once a compromised server has had its hard drive formatted and the operating system reinstalled, it is best to restore data from backups that were made before the compromise was discovered.

Also, since Ebury is known as a password sniffer, any server to which the known-compromised server has connected using a password - such as to transfer cPanel accounts - should be viewed with suspicion. Ebury steals log-in credentials from incoming and outgoing SSH connections, so any server to which the compromised server has connected using SSH should, at a minimum, have its root password changed, and also be checked for compromise, and a reformat and reinstall is needed if a compromise is found.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
You will probably need help from your data center.

Our teams have successfully cleaned servers of ebury by:

1. Add an extra hard disk to the server.

2. Take FULL cPanel backups (cpmove files) and put them on the extra hard disk.

3. Re-format the main hard disk, re-install the OS and cPanel (with a new root PW), restore all cpmove files, change all cPanel passwords.

Any machine that you sshed to from the compromised machine should be investigated thoroughly and is probably compromised. If you SSH to a compromised box, the password you used to connect to that box is compromised. This isn't as big of a deal as SSHing to something FROM the compromised server. However, again, any machine you ssh to from an infected machine will also have those credentials compromised. The infection mainly spreads by chaining SSH logins from an infected machine to a clean one, thus compromising the password of the clean server.

https://www.cert-bund.de/ebury-faq
 

captainron19

Active Member
Nov 10, 2011
cPanel Access Level
Root Administrator
Thanks for those tips.... and another follow up.....

I did a virus scan and it found infected emails and it cleaned them, but I was re-listed in the CBL and emails are blocked again.

I notified my server company and they did confirm the presence of the Ebury Virus.

They replied to me with this....
"We'll setup a new vps for you with a new IP Address. Then, you will have to move all your accounts to this new vps using WHM Migration Manager.
Then you should reset the password of all the cPanel accounts to a secure password."

So my question is ....Will this work or will the IP Mitigation Manager move the virus over to the new IP address?
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Oh man :(

There's a very good chance WHM migration manager can spread the infection since it uses SSH. Make absolutely sure to never enter the password for your new server into your old server. If you have to use a password, make sure to only use the password for the server that's already hacked, i.e. have the clean one connect to the hacked one, not the hacked one connect to the clean one.

If possible set up a temporary password protected SSH key that you can delete the instant the transfers are done.
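The temporary, passphrase-protected key described above, as an added example that is not part of the original post. It follows the pull direction the thread settles on: the key pair is generated on the clean server, only the public half goes into the infected host's authorized_keys (pinned to the clean server's address and stripped of forwarding with OpenSSH's `restrict` option), and that line is deleted the moment the transfers are done. The addresses, key strings and file paths are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. A throwaway key pair for pulling accounts
# from the infected host: the private key and its passphrase live only on the
# clean server; only the public half is placed on the infected host, and it is
# removed as soon as the transfers finish. Addresses and paths are constructed.

# Generate the temporary key on the CLEAN server (ssh-keygen prompts for the
# passphrase; it is never typed into the infected host).
generate_temp_key() {
    keypath="${1:-$HOME/.ssh/migration_temp}"
    ssh-keygen -t ed25519 -a 100 -C "migration-temp" -f "$keypath"
}

# Build the authorized_keys line for the INFECTED host. "restrict" (OpenSSH
# 7.2+) disables port/agent/X11 forwarding and pty allocation; from= limits
# the key to connections coming from the clean server's address.
restricted_authorized_key() {
    clean_ip="$1"
    pubkey="$2"          # contents of migration_temp.pub
    printf 'restrict,from="%s" %s\n' "$clean_ip" "$pubkey"
}

# Remove every line carrying the temporary key's comment once the migration is
# done (run on the infected host before it is wiped, so the key cannot linger
# in any copy of its home directory).
revoke_temp_key() {
    authfile="$1"
    marker="${2:-migration-temp}"
    grep -v -- "$marker" "$authfile" > "$authfile.tmp" || true
    mv "$authfile.tmp" "$authfile"
}
```

Usage from the clean server: `generate_temp_key`, append the output of `restricted_authorized_key <clean-ip> "$(cat ~/.ssh/migration_temp.pub)"` to root's authorized_keys on the infected host, point the Migration Manager at the infected host with that key, then run `revoke_temp_key /root/.ssh/authorized_keys` on the infected host. Nothing typed into the infected host during this process is a secret that the clean server also relies on.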
 

egillette

Well-Known Member
Jan 5, 2010
Orlando, FL
cPanel Access Level
DataCenter Provider
He should be okay if he simply connects using the WHM migration manager from the new machine to the old machine.

*Pulling* the accounts off the infected machine (which is what he'd be doing if he's using the WHM migration manager on the new machine) should be completely fine.

I had to do this on 3 of my servers recently -- what a pain in the @$$. :P
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
That's what I was saying, make sure to pull, so that the only PW being used is the PW for the already infected machine. Your wording is a bit more clear than mine was :)

Definitely a pain, but better than running compromised hosts.
 

JaredR.

Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
I did a virus scan and it found infected emails and it cleaned them, but I was re-listed in the CBL and emails are blocked again.

I notified my server company and they did confirm the presence of the Ebury Virus.
I just wanted to point out that Ebury/libkeyutils is not a virus; it is a rootkit. There is a difference between a virus on Windows, and a rootkit on Linux. The end effects can be similar, but they do not use the same mechanisms. A "virus" in the Windows sense would not work on Linux, but Linux servers can be root compromised, letting an unauthorized user take control.

The virus scanner ClamAV that we provide is meant to scan users' data and mail primarily for Windows viruses that would affect other Windows users, not a Linux server. Essentially, ClamAV is intended to try to prevent Windows users from infecting each other. It will not necessarily detect or quarantine malware that would infect a Linux server, and you should not depend on it for assurance that your server is not infected with malware.

Ebury is a known password/key sniffer, and its means of infecting servers appears to be by using stolen credentials. Because of that, any server that has ever logged into your server using a password or SSH key, and any server that your server has logged into using a password or SSH key, should be considered at risk. This includes any server that you have ever transferred accounts from, using the cPanel account copy tools, because they use SSH to transfer accounts.
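One way to turn the "both directions" rule above into a checklist, as an added example that is not part of the original post: list the peers that logged into the server (sshd "Accepted" lines in the auth log) and the hosts the server logged out to (known_hosts entries), and merge them into the set of machines whose credentials must be rotated and whose integrity must be checked. The log lines, host names and keys below are constructed samples, and the helper names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the list of hosts that must be
# treated as at risk: peers that logged INTO this server (sshd "Accepted" lines
# in the auth log) and hosts this server logged OUT to (known_hosts entries).
# Both inputs below are constructed samples, not real logs.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2101]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:05:40 web1 sshd[2150]: Accepted publickey for root from 198.51.100.7 port 40100 ssh2: ED25519 SHA256:examplefingerprint
Mar  3 10:06:01 web1 sshd[2160]: Failed password for root from 192.0.2.99 port 22222 ssh2
Mar  3 10:07:22 web1 sshd[2170]: Accepted password for cpuser from 203.0.113.5 port 51300 ssh2'

SAMPLE_KNOWN_HOSTS='backup.example.net,198.51.100.20 ssh-ed25519 AAAAC3examplekey
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3examplekey
[old-server.example.net]:2222 ssh-rsa AAAAB3examplekey'

# Inbound: every source address behind a successful login (password or key).
# Failed attempts are ignored; they did not expose a working credential.
inbound_peers() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }' | sort -u
}

# Outbound: host names/addresses from known_hosts, comma lists split and
# [host]:port bracketing stripped. Hashed entries (HashKnownHosts) are skipped
# here and counted separately, because the peer name cannot be read back.
outbound_peers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        substr($1, 1, 3) == "|1|" { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h)
                sub(/\]:[0-9]+$/, "", h)
                print h
            }
        }' | sort -u
}

hashed_known_hosts_count() {
    printf '%s\n' "$1" | awk 'substr($1, 1, 3) == "|1|" { n++ } END { print n + 0 }'
}

# Union of both directions: every host here needs its credentials rotated and
# its own integrity checked.
at_risk_hosts() {
    { inbound_peers "$1"; outbound_peers "$2"; } | sort -u
}

# Stand-alone run on the constructed samples (on a real host: the auth log and
# every user's ~/.ssh/known_hosts, root's included).
at_risk_hosts "$SAMPLE_AUTH_LOG" "$SAMPLE_KNOWN_HOSTS"
echo "known_hosts entries hidden by hashing: $(hashed_known_hosts_count "$SAMPLE_KNOWN_HOSTS")"
```

Two caveats a practitioner will want: the list is a lower bound, because logs and known_hosts on a root-compromised machine may have been altered or rotated away, and hashed known_hosts entries hide the peer name entirely (the count tells you how many unknowns remain). The auth-log pattern assumes classic syslog lines; hosts using the systemd journal need `journalctl -u sshd` output fed in instead.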
 

partsace

Active Member
Jan 11, 2007
I'm having problems understanding how this got on both my machines at about the same time. My root passwords are 24 characters (numbers/symbols/upper/lower case letters) long, and one of my servers has almost every service turned off except for a few things. How is this getting on so many servers at the same time? Was this code added when someone hacked either RedHat or cPanel's servers and put the Ebury Rootkit/Backdoor Trojan code into the stock source code?

Scott
 

JaredR.

Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
Ebury/libkeyutils is a password sniffer that appears to try to steal the credentials of essentially every connection in or out of a server. If one of the two servers has ever logged into the other using a password or key, or if they have ever had the same password or key, then both are at risk of infection. Note that this infection is not limited to cPanel servers.

We recommend using keys instead of password authentication when possible. You can check your server for infection using the information on http://go.cpanel.net/checkyourserver .
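The "keys instead of passwords" recommendation above, shown as an sshd_config fragment with the weak settings beside the hardened ones. This is an added example, not configuration from the thread or from cPanel; the option names are standard OpenSSH ones.

```text
# Weak: what a password-sniffing rootkit feeds on. Root logs in by password,
# so a single captured login hands over the whole box.
PermitRootLogin yes
PasswordAuthentication yes

# Hardened: public keys only. Root may still log in, but only with a key;
# password and keyboard-interactive fallbacks are off so a stolen password
# alone is useless against this host.
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# (Newer OpenSSH spells the last option KbdInteractiveAuthentication no.)
```

Before reloading sshd, run `sshd -t` to validate the file and keep an existing session open until a fresh key-based login has been confirmed, so a typo cannot lock you out. Note that this only removes the password as a target; a compromised host still leaks the keys used from it, which is why the thread's rebuild-and-rotate advice stands regardless of authentication method.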