SSHD Rootkit

Discussion in 'Security' started by prajithp13, Feb 16, 2013.

Thread Status:
Not open for further replies.
  1. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Jesse / Jeff - You are recommending a reformat/rebuild - however, with such a large volume of servers breached and the specific vulnerability unknown, how are you protecting yourself with a rebuild? We'd first have to know how to avoid the breach in order for a rebuild to not suffer from the very same vulnerability.
     
  2. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Is there currently any benefit to reinstalling ssh or to turning off ssh in WHM's service manager until the source of the vulnerability and resolution is found?
     
  3. BianchiDude

    BianchiDude Well-Known Member PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    166
    May be a good idea, however there is no evidence at this point that it's an SSH vulnerability.
     
  4. BianchiDude

    BianchiDude Well-Known Member PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    166
  5. biodocs

    biodocs Member

    Joined:
    Jun 27, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Regina
  6. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I've been following the thread. I did not want to post there because I don't want to disrupt the investigation efforts. However, my question here was whether or not turning off ssh entirely (on an already-infected box) would seem to serve any useful purpose? From the WHT point, I'm not perfectly clear on the point re: whether or not ssh must actually be active in order for the attacker behavior to be occurring. A few of the details are beyond my level of expertise.

    Thanks.
     
  7. biodocs

    biodocs Member

    Joined:
    Jun 27, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Regina
    There are conflicting opinions on that subject; some say it's only part of the issue. It's getting way above my head, I must say.
     
  8. TheVisitors

    TheVisitors Active Member

    Joined:
    Mar 19, 2012
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    56
    cPanel Access Level:
    Root Administrator
    I had a fresh copy of CentOS 6.3 updated with a fresh copy of cPanel current (updated), just installed yesterday.

    Surprise!

    Guess I'll need to wait for a fix on this.
     
  9. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Saw your post there. Wondering if any boxes with SSH entirely disabled were vulnerable. Though it wouldn't prove anything, because they simply may not have been targeted. Though it's noteworthy that non-standard port SSH boxes were hit, which somewhat argues against the password authentication theory (which I believe was disproven either way.)
     
  10. biodocs

    biodocs Member

    Joined:
    Jun 27, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Regina
    It seems this is not fixed with a new install either; glad I didn't take that option earlier.

    See the WHM thread I quote:

    Originally Posted by TheVisitors
    Well doesn't it figure....

    I install a fresh copy of CentOS 6.3 with cPanel current and in less than 2 hours.... BAM

    I had changed SSH ports and made a passcode over 400 letters, numbers, and symbols long.... Still got it despite all this.

    Little "tool" keeps changing my ssh log-in now. Can't turn it off, we need ssh.
     
  11. BianchiDude

    BianchiDude Well-Known Member PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    166
    It seems no, as they seem to be getting in, at least initially without SSH, but it hasn't been conclusively disproven that this is not an SSH exploit.
     
  12. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168
    We haven't had any of our boxes compromised as detailed, but we lock down SSH...

    disable password authorisation
    use SSH keys
    close port 22 allowing certain IP addresses only
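    Tam's three-point lock-down, turned into a check you can run against an sshd_config. This is an added example, not code from cPanel or from any poster in the thread; it assumes OpenSSH's sshd_config syntax (keywords are case-insensitive and the first active occurrence wins) and an iptables firewall for the port 22 allow-list. The two sample configs and the addresses it feeds itself are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not cPanel's or any poster's code): audit an sshd_config
# for the lock-down Tam describes and emit an allow-list for port 22.
# Assumes OpenSSH sshd_config syntax and an iptables firewall.

# effective_value FILE KEYWORD
# Print the value sshd would apply for KEYWORD: keywords are
# case-insensitive, the FIRST active occurrence wins, and anything after a
# "Match" line is conditional, so we stop there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"   { exit }         # conditional section: stop
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one WEAK line per finding; returns 0 when hardened, 1 otherwise.
# Unset keywords fall back to the OpenSSH defaults (password auth on,
# public-key auth on, challenge-response on).
audit_sshd_config() {
    cfg=$1
    weak=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    cr=$(effective_value "$cfg" ChallengeResponseAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)

    if [ "${pw:-yes}" != no ]; then
        echo "WEAK: PasswordAuthentication is '${pw:-yes (default)}', should be 'no'"
        weak=1
    fi
    # Passwords can still be sent through keyboard-interactive (PAM) unless
    # ChallengeResponseAuthentication is also off.
    if [ "${cr:-yes}" != no ]; then
        echo "WEAK: ChallengeResponseAuthentication is '${cr:-yes (default)}', should be 'no'"
        weak=1
    fi
    if [ "${pk:-yes}" != yes ]; then
        echo "WEAK: PubkeyAuthentication is '$pk', keys must stay enabled"
        weak=1
    fi
    return "$weak"
}

# ssh_allowlist_rules PORT IP...
# Print iptables rules that accept SSH only from the listed addresses
# and drop everything else on that port (Tam's "certain IP addresses only").
ssh_allowlist_rules() {
    port=$1
    shift
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# --- constructed sample configs for a stand-alone run ---------------------
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: stock-looking config, passwords allowed
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed: locked down as described in the thread
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "result: NOT hardened"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "result: hardened"
echo "== allow-list for 203.0.113.10 and 198.51.100.7 =="
ssh_allowlist_rules 22 203.0.113.10 198.51.100.7
```

    Two points the script makes that the bare list does not: turning off PasswordAuthentication alone is not enough, because keyboard-interactive (PAM) prompts still accept a password until ChallengeResponseAuthentication is also "no"; and the checker deliberately stops at the first "Match" line, so a Match block that re-enables passwords for one user (as the hardened sample does) is something you still have to read by hand. The iptables lines assume the usual INPUT chain; a box that already has a firewall script should have these folded into it rather than appended blindly.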
     
  13. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Although I realize this has been seen on non-cpanel boxes, I'm wondering if cPanel is using internal resources to investigate this as well, given the suggestion that it would seem cpanel has access to a lot of data points and resources which could prove extremely productive for this investigation.

    Given the current line of thinking on the WHT thread, looking for correlation to a possible tainted RPM, I can't help but think about the fact that cPanel had recently converted to an RPM-based install.

    My system had complained about Munin's RPM on Jan 31, I did a YUM Update late Feb 1, and my changed file date on the hacked file is Feb 2 just about four hours thereafter.

    I've posted more extensive details on the WHT thread.

    SSHD Rootkit Rolling around - Page 28 - Web Hosting Talk
     
  14. nibb

    nibb Well-Known Member

    Joined:
    Mar 22, 2008
    Messages:
    316
    Likes Received:
    5
    Trophy Points:
    68
  15. BianchiDude

    BianchiDude Well-Known Member PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    166
  16. alex[nl]

    alex[nl] Registered

    Joined:
    Apr 2, 2007
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    151
  17. BianchiDude

    BianchiDude Well-Known Member PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    166
    No I have a few different versions.
     
  18. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    My version shows as follows -

    [email protected] [~]# curl --version
    curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

    Looks like I need to upgrade via EasyApache? Does anybody know what the current EasyApache version being installed is? This is odd, because I just did an EasyApache rebuild a couple days ago ...
     
  19. BianchiDude

    BianchiDude Well-Known Member PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    166
    That exploit seems to be for the curl binary and not the curl module for PHP installed via EasyApache.

    There's no PoC for it that I've found, so it's not likely that is the MoE.
     
  20. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168
    Doubtful, on a compromised machine curl-7.19.7 was installed.
     