
#1 2015-03-29 14:30:42

archant
Member
Registered: 2014-01-16
Posts: 6

Infected by ebury?

Hi everybody,

Today, I ran

chkrootkit

and it found: "Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd"
I ran

ssh -G

with nothing like an illegal option!

Here is my

ipcs -m

------ Segment de mémoire partagée --------
clef       shmid      propriétaire perms      octets     nattch     états      
0x51204e43 196608     pierre     600        1024       1                       
0x00000000 38273025   pierre     600        393216     2          dest         
0x00000000 38371330   pierre     600        524288     2          dest         
0x00000000 29982723   pierre     600        524288     2          dest         
0x00000000 393220     pierre     600        2097152    2          dest         
0x00000000 491525     pierre     600        393216     2          dest         
0x00000000 38404102   pierre     600        393216     2          dest         
0x00000000 26738695   pierre     700        1816932    2          dest         
0x00000000 22347784   pierre     600        524288     2          dest         
0x00000000 22544393   pierre     600        524288     2          dest         
0x00000000 30015498   pierre     600        4194304    2          dest         
0x00000000 22446091   pierre     600        67108864   2          dest         
0x00000000 38502412   pierre     600        524288     2          dest         
0x00000000 38535181   pierre     600        393216     2          dest         
0x00000000 23986190   pierre     600        4194304    2          dest         
0x00000000 38862863   root       600        33554432   2          dest         
0x00000000 31490064   pierre     600        524288     2          dest         
0x00000000 24379409   pierre     600        1411100    2          dest         
0x00000000 26771474   pierre     600        393216     2          dest         
0x00000000 26804243   pierre     700        3606416    2          dest         
0x00000000 26837012   pierre     600        524288     2          dest         
0x00000000 31522837   pierre     600        4194304    2          dest         
0x00000000 38764567   root       600        393216     2          dest         
0x00000000 38830104   pierre     600        2097152    2          dest         

and my

ipcs -m -p

------ Mémoire partagée créateur/ PID de dernière opération --------
shmid      propriétaire cpid       lpid      
196608     pierre     5112       5521      
38273025   pierre     12482      12555     
38371330   pierre     12482      12555     
29982723   pierre     9508       9529      
393220     pierre     4783       12697     
491525     pierre     5396       11648     
38404102   pierre     12704      301       
26738695   pierre     5112       301       
22347784   pierre     5980       301       
22544393   pierre     5989       301       
30015498   pierre     9508       9529      
22446091   pierre     5980       301       
38502412   pierre     12704      301       
38535181   pierre     12704      301       
23986190   pierre     7436       14128     
38862863   root       12717      301       
31490064   pierre     10571      11932     
24379409   pierre     7627       301       
26771474   pierre     5112       301       
26804243   pierre     5112       301       
26837012   pierre     5112       301       
31522837   pierre     10571      11932     
38764567   root       12717      12939     
38830104   pierre     5396       301       

Am I really infected?

Sincerely
AH


#2 2015-03-29 15:01:30

satanselbow
Member
Registered: 2011-06-15
Posts: 538


#3 2015-03-29 15:24:57

archant
Member
Registered: 2014-01-16
Posts: 6

Re: Infected by ebury?

Thanks (I read this article) but it doesn't really help me to know. Indeed, ssh -G shows nothing, but my hashes are different: 11da5613f69ecccf5e98e6069b436a94  /usr/lib32/libkeyutils.so and ea9fe89cc3351e132371e10d62286d39  /usr/lib/libkeyutils.so, and the PIDs in ipcs don't match sshd.


#4 2015-03-29 15:27:18

archant
Member
Registered: 2014-01-16
Posts: 6

Re: Infected by ebury?

Is Arch Linux concerned by this: "One case of a false positive that was brought to our attention was that this technique is ineffective if the Linux distribution used on the system had applied the patches for X.509 certificate support in OpenSSH. Gentoo with the X509 USE flag is one such distribution. Use the shared memory inspection technique described below in that case."?


#5 2015-03-29 20:29:10

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,412

Re: Infected by ebury?

FWIW, I get no "illegal option" on ssh -G either (on a virtualbox guest with no outward facing services)


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby


#6 2015-03-29 21:57:35

crondog
Member
Registered: 2011-04-21
Posts: 130

Re: Infected by ebury?

So the openssh devs made this commit https://github.com/openssh/openssh-port … 3b9cc84cba which adds a -G option which just prints out the configuration. Kinda strange to add that switch after Windigo... I think as long as you run the ipcs commands and nothing is for sshd then you should be ok...
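The shared-memory check that archant ran by hand in #1 and that crondog summarises above (is any segment's creator process sshd?) can be scripted. This is an added example, not code from the thread or from chkrootkit; the ipcs output and the pid-to-name map are constructed samples standing in for the live command and /proc/<pid>/comm, and SHM_COMM_MAP is a variable introduced here for offline use.

```shell
#!/bin/sh
# Correlate `ipcs -m -p` creator PIDs (cpid) with process names and report
# any shared-memory segment whose creator is sshd. sshd normally creates no
# shared memory, so a hit is worth investigating; an empty result is the
# "nothing is for sshd" outcome from the thread.

# Constructed sample of `ipcs -m -p` (English locale); the third segment is
# a made-up one created by PID 4242 so the check has something to find.
SAMPLE_IPCS='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
196608     pierre     5112       5521
38862863   root       12717      301
42         root       4242       4242'

# Constructed pid -> comm map standing in for /proc/<pid>/comm.
SAMPLE_COMM='5112 Xorg
12717 chromium
4242 sshd'

# comm_of PID: process name from /proc on a live host, or from the sample
# map when SHM_COMM_MAP is set. Prints nothing if the PID no longer exists.
comm_of() {
    if [ -n "$SHM_COMM_MAP" ]; then
        printf '%s\n' "$SHM_COMM_MAP" | awk -v p="$1" '$1 == p { print $2; exit }'
    else
        cat "/proc/$1/comm" 2>/dev/null
    fi
}

# sshd_segments IPCS_OUTPUT: prints "shmid cpid comm" for each segment whose
# creator process is sshd. Data rows are recognised by a numeric shmid, so
# headers in any locale (including the French output in #1) are skipped.
sshd_segments() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 3 { print $1, $3 }' |
    while read -r shmid cpid; do
        comm=$(comm_of "$cpid")
        case "$comm" in
            sshd) printf '%s %s %s\n' "$shmid" "$cpid" "$comm" ;;
        esac
    done
}

# Live usage on a real host (reads /proc instead of the sample map):
#   SHM_COMM_MAP= sshd_segments "$(ipcs -m -p)"
```

On a live host a segment whose creator PID has already exited resolves to no name and is not reported, so a segment with an unknown creator still deserves a second look.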


#7 2015-03-30 22:23:04

Buddlespit
Member
From: Chesapeake, Va.
Registered: 2014-02-07
Posts: 501

Re: Infected by ebury?

ok... after having a minor stroke after running the ssh -G command, I believe my system is fine after reading what crondog posted... You people are gonna send me to an early grave....
