I started getting some emails from our cpanel server, indicating syslogd and exim were failing.
When I logged into the server, I noticed strong indications of a misapplied rootkit. When I ran ps, top, ls, netstat, md5sum, etc... I get "ELF binary type 0 not known". But not for everything, just certain typically rootkitted binaries.
See, we run cpanel on FreeBSD 8. That message is typical of trying to run a linux binary in that environment. Somebody applied a Linux rootkit to our FreeBSD cpanel box. This makes me suspect that the actual vulnerability is not OS-specific, or they wouldn't have been using the wrong rootkit.
Investigating further confirmed my suspicions; the files were the wrong size and owned by the wrong UID.
Unfortunately, I did not have time to do much in the way of forensics; I restored from backup to get our users back online.
Looking through the system, post "restore over top" (and not to a clean drive), I'm seeing this:
cpanel# find / -uid 102
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/lib/libsh.so/shrs
/sbin/ttyload
/sbin/ttymon
/usr/lib/libsh/.bashrc
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.sniff/shp
/usr/lib/libsh/shsb
/usr/lib/libsh/hide
We have cpanel update nightly. It was running 11.28.42 at the time of the attack; I ran a manual update afterward and it's now on 11.28.45 (but nothing in the changelog indicates anything noteworthy).
I'm going to look into it further, but I wanted to get this out there ASAP, because my gut feeling is there is a new 0-day being exploited.
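Added example, not part of the original post: a small Python check for the symptom described above. FreeBSD's loader reads the OS/ABI brand byte (e_ident[EI_OSABI]) of an ELF file; a Linux-built binary usually carries ELFOSABI_SYSV (0), which is the "type 0" in the error the poster saw, while FreeBSD base-system binaries are branded ELFOSABI_FREEBSD (9). The script walks the usual binary directories and lists ELF files whose brand is not FreeBSD's; it assumes all legitimate base binaries are branded 9 (older toolchains could leave 0 plus a FreeBSD note section, so treat hits as leads to review against a known-good install, not proof), and the sample headers at the bottom are constructed for the test, not real files from the box.

```python
"""Flag ELF binaries whose OS/ABI brand is not FreeBSD's (added example)."""
import os
import sys

ELF_MAGIC = b"\x7fELF"
EI_OSABI = 7            # offset of the OS/ABI brand byte in e_ident
ELFOSABI_SYSV = 0       # what a typical Linux-built binary carries
ELFOSABI_FREEBSD = 9    # what FreeBSD brands its own binaries with


def elf_osabi(header: bytes):
    """Return the EI_OSABI byte of an ELF header, or None if not an ELF file."""
    if len(header) < 16 or header[:4] != ELF_MAGIC:
        return None
    return header[EI_OSABI]


def classify(header: bytes, expected: int = ELFOSABI_FREEBSD) -> str:
    """'ok' (expected brand), 'foreign' (ELF with another brand), or 'not-elf'."""
    abi = elf_osabi(header)
    if abi is None:
        return "not-elf"
    return "ok" if abi == expected else "foreign"


def scan_dirs(dirs, expected: int = ELFOSABI_FREEBSD):
    """Walk dirs and return [(path, osabi)] for ELF files not branded `expected`."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(16)   # e_ident is the first 16 bytes
                except OSError:
                    continue             # unreadable or vanished file; skip
                if classify(head, expected) == "foreign":
                    hits.append((path, head[EI_OSABI]))
    return hits


# Constructed sample headers for testing (class=64-bit, little-endian, version 1).
FREEBSD_HEADER = ELF_MAGIC + bytes([2, 1, 1, ELFOSABI_FREEBSD]) + bytes(8)
LINUX_HEADER = ELF_MAGIC + bytes([2, 1, 1, ELFOSABI_SYSV]) + bytes(8)

if __name__ == "__main__":
    targets = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
    for path, abi in scan_dirs(targets):
        print(f"{path}: EI_OSABI={abi} (expected {ELFOSABI_FREEBSD})")
```

Run it from a clean boot medium or at least a known-good copy of python, since the compromised box's own binaries cannot be trusted; the `find / -uid 102` check from the post complements it by catching non-ELF droppings such as the .bashrc and key files listed above.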