
SSHD Rootkit

Discussion in 'Security' started by prajithp13, Feb 16, 2013.

Thread Status:
Not open for further replies.
  1. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    306
    Likes Received:
    1
    Trophy Points:
    316
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    Frank - Are you not running CSF on these servers? The current CSF version detects the issue and emails you an alert.
     
  2. Tam

    Tam Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    108
    Likes Received:
    1
    Trophy Points:
    168
    I have been following that thread, I don't see your point though?

    - - - Updated - - -

    Since the rootkit hooks the PEM_write_RSAPrivateKey and PEM_write_DSAPrivateKey functions (and potentially the ssh-keygen utility), could you please update your advice to everyone to advise that they generate key pairs locally (using something like PuttyGen for instance) and upload the public key only? I believe that this is VERY important.
     
    #82 Tam, Feb 23, 2013
    Last edited: Feb 23, 2013
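One way to follow the advice in the post above from a POSIX shell on the administrator's own workstation. This is an added example, not something posted in the thread: the key pair is generated locally with ssh-keygen, the file about to be sent is checked so that only public-key lines (and never a private-key block) leave the workstation, and only the .pub half is appended to the server's authorized_keys. KEYFILE, SERVER and the function names are assumptions made for the example; SERVER is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the LOCAL workstation so the
# private key is never created by, or written through, libraries on a host
# whose sshd/ssh-keygen may be hooked. Only the public half goes to the server.
KEYFILE="${KEYFILE:-$HOME/.ssh/id_ed25519_cpanel}"     # assumed path
SERVER="${SERVER:-root@server.example.com}"            # placeholder host

# An OpenSSH public-key line: key type, base64 blob, optional comment.
PUBKEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'

# Return 0 only if the file holds at least one public-key line and nothing
# else (blank lines aside). A private-key block of any kind is rejected.
pubkey_only() {
    file=$1
    # anything that looks like a private key block is an immediate reject
    grep -q 'PRIVATE KEY' "$file" && return 1
    # at least one public key line must be present ...
    grep -Eq "$PUBKEY_RE" "$file" || return 1
    # ... and no non-blank line may be anything else
    if grep -v '^[[:space:]]*$' "$file" | grep -Ev "$PUBKEY_RE" | grep -q .; then
        return 1
    fi
    return 0
}

# Generate locally (ssh-keygen prompts for a passphrase), verify the .pub
# file, then append it to the remote authorized_keys over the existing login.
generate_and_install() {
    ssh-keygen -t ed25519 -f "$KEYFILE" -C "cpanel-admin-$(date +%Y%m%d)" || return 1
    pubkey_only "$KEYFILE.pub" || { echo "refusing to upload $KEYFILE.pub" >&2; return 1; }
    ssh "$SERVER" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$KEYFILE.pub"
}

# Only perform the live steps when explicitly asked; the functions above can
# be sourced and used on their own.
if [ "${1:-}" = "--install" ]; then
    generate_and_install
fi
```

After the public key is in place, log in with the new key and only then disable password authentication for root in the server's sshd configuration; the private key file stays on the workstation.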
  3. kitchin

    kitchin Member

    Joined:
    Sep 18, 2011
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    The defining feature seems to be SSH using shared memory. NetworkPanda at WHT suggests running this shell command to look for processes doing that: www.webhostingtalk.com/showpost.php?p=8571571&postcount=1316

    (In case the link is lost, it filters "ps aux" through the entries in "ipcs -mp", hence:
    Code:
    for i in $(ipcs -mp | awk '$3 ~ /^[0-9]+$/ {print $3}' | uniq); do ps aux | grep -w "$i" | grep -v grep; done
    but go over to WHT to read NetworkPanda's full explanation first.)
     
    #83 kitchin, Feb 23, 2013
    Last edited: Feb 23, 2013
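A more robust form of the check described in the post above, added here as an example and not taken from the thread or from NetworkPanda's post. It reads both the creator and last-op pids from "ipcs -mp", accepts only all-digit fields so the title and header lines cannot leak into the pid list, and matches on the whole pid field of "ps -eo pid,user,comm" so that pid 12 does not also pull in 120 or 1234 the way a bare "grep $i" does. The function names are assumptions made for the example; a live run needs root to see every segment.

```shell
#!/bin/sh
# Added example (not part of the thread): pid extraction and process matching
# are pure text filters, so they can be exercised against constructed sample
# output without root and without touching the running system.

# Read `ipcs -mp` output on stdin; print each creator (cpid) and last-op
# (lpid) pid once. Only all-digit fields are accepted, so the title line
# ("------ Shared Memory Creator/Last-op PIDs ------") and the column header
# never become "pids".
shm_pids() {
    awk '$3 ~ /^[0-9]+$/ { print $3 } $4 ~ /^[0-9]+$/ { print $4 }' | sort -un
}

# Read `ps -eo pid,user,comm` output on stdin and print the lines whose pid
# is in the newline-separated list given as $1. The comparison is on the
# whole pid field, not a substring match.
procs_using_shm() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1 }
        $1 in want { print }'
}

# Keep only sshd entries from the filtered listing. A clean sshd has no
# reason to hold a SysV shared-memory segment, which is the tell-tale the
# thread is looking for.
sshd_only() {
    awk '$3 == "sshd" { print }'
}

# Live run on the current host: every process that created or last touched a
# shared-memory segment. Pipe through sshd_only to see just the sshd hits.
run_live() {
    pids=$(ipcs -mp | shm_pids)
    ps -eo pid,user,comm | procs_using_shm "$pids"
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

A hit for sshd is a reason to investigate the binary (compare its checksum against the distribution package, as the CSF check does), not proof on its own; some legitimate daemons such as httpd or database servers do use shared memory and will also be listed.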
  4. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    287
    Likes Received:
    2
    Trophy Points:
    168
    Just curious, what is the conclusion on how these hacks are occurring? Is this the result of a vulnerability or a stolen password/key?
     
  5. fcbinfo

    fcbinfo Well-Known Member

    Joined:
    Dec 10, 2006
    Messages:
    111
    Likes Received:
    3
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    I'm going to install a new clean cPanel installation on a new server now.

    With this new installation, do we have the same problem, or can I ignore it?

    Thanks.
     
  6. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    416
    Likes Received:
    2
    Trophy Points:
    318
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    Let us know how you make out. I was planning on getting new server anyway, but without knowing how they acquired access, I don't want to go through the trouble of moving all to a new server only to find it follows me.
     
  7. patchwork

    patchwork Well-Known Member

    Joined:
    Nov 2, 2001
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    316
    Here is an email copied from another forum, for some reason I did not get this email myself even though I had 2 servers hacked.

     
  8. waddy

    waddy Member

    Joined:
    Aug 26, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    51
    We got hacked by this, rebuilt the server and changed the SSH port. We still get heaps of hits on the old port. The IPs are below if you want to block them at the firewall for extra protection.

    212.58.0.195
    50.7.221.34
    178.33.232.117
     