
I have a server with cPanel installed on Centos 5.9.

Three days ago, my server provider told me I'm infected by "Ebury Trojan".

I read a lot of things saying that the OpenSSH server coming with cPanel may be infected and how to detect it. Some say that the packages installed using "yum" may be corrupted as well.

So how do I remove the Ebury trojan once and for all?

How can I install a clean openSSH version on cPanel / Centos 5.9?

How can I be sure my server will not be corrupted by this trojan again, given that it sends passwords to third parties (of course I've changed the passwords)?

Marm
  • I cannot restore from a backup since the trojan may have come with my cPanel installation a year ago. The solution is for sure a clean installation of OpenSSH and the steps to get rid of Ebury – Marm Jul 22 '13 at 17:54
  • Just reinstalling openssh is not the proper way to deal with a compromise. There may be a whole host of other issues that may need to be addressed: other processes set up to grant unauthorized access? Kernel modules loaded to hide processes/files? You cannot trust your system if you cannot rebuild it from scratch. –  Jul 22 '13 at 17:56
  • Nuke it from orbit, it's the only way to be sure. – user9517 Jul 22 '13 at 18:00

1 Answer


Original (circa 2011) Ebury was pretty lame... You could clear it by doing: yum update sshd. Pretty trivial.

If you trust your repos (and rpm), you can do rpm -vVa and it'll show you every installed rpm where the md5 doesn't match the one stored on the server.

Problem is that the attacker can be assumed to have acquired root level access, and that means you could be screwed past the ability to diagnose it from the local machine. If you can't run a file integrity scanner off an unaffected machine, then you're never going to be sure unless you rebuild from scratch.

Satanicpuppy
  • If you *can* run a file integrity scanner you still have no way of determining that the tool itself was not compromised (you can mitigate this risk down to a very low level, but a proper exercise of paranoia will always lead to the same conclusion: Any compromised machine must be rebuilt from bare metal). – voretaq7 Jul 22 '13 at 20:26
  • @voretaq7: There is no point in running a local file integrity scanner. All modern ones run on another machine, so you can re-scan the compromised machine and get a comprehensive list of all changed files. I've been using Samhain, and I'm reasonably pleased with it. – Satanicpuppy Jul 23 '13 at 20:29
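The answer points at rpm -Va but does not explain how to read its output, and the comments make the caveat that anything run on the suspect host can lie. The following is an added example, not code from the answer or from Server Fault: a small Python parser for rpm -Va verification lines that decodes the nine-column flag field and singles out non-config files whose contents (size or digest) changed or that are missing. The sample output is constructed for illustration; the file paths and package names in it are assumptions, not findings from the questioner's server.

```python
"""Decode `rpm -Va` verification output and flag modified package files.

Added example, not from the original answer. Assumes the text of `rpm -Va`
has been captured to a file or string. The SAMPLE below is constructed.
Caveat from the answer: rpm, its database and this output all live on the
suspect host; a root-level compromise can falsify them, so run the verify
against the disk from trusted rescue media before trusting a clean result.
"""
import re

# Meaning of each position in rpm -V's 9-character flag field
# ('.' = test passed, '?' = test could not be performed).
RPM_VERIFY_FLAGS = {
    0: "size", 1: "mode", 2: "md5/digest", 3: "device", 4: "symlink",
    5: "owner", 6: "group", 7: "mtime", 8: "capabilities",
}

# Lines look like "S.5....T.  c /etc/ssh/sshd_config" or "missing   /path".
# The optional one-letter attribute marks config (c), doc (d), ghost (g),
# license (l) or readme (r) files.
LINE_RE = re.compile(
    r'^(?P<flags>[S.M5DLUGTP?]{9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$'
)

# Constructed sample output (not real data from any host).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/openssh/README
S.5....T.    /usr/sbin/sshd
missing      /usr/bin/ssh-keyscan
"""


def parse_rpm_verify(text):
    """Return one dict per verification line: path, config flag, failed tests."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, warnings or unparseable noise
        flags, attr, path = m.group('flags'), m.group('attr'), m.group('path')
        if flags == 'missing':
            reasons = ['missing']
        else:
            reasons = [RPM_VERIFY_FLAGS[i] for i, ch in enumerate(flags)
                       if ch not in '.?']
        findings.append({'path': path, 'config': attr == 'c', 'reasons': reasons})
    return findings


def suspicious(findings):
    """Non-config files whose content changed or vanished.

    Config files (attr 'c') legitimately differ from the package; a digest or
    size mismatch on a binary such as /usr/sbin/sshd is the signal that the
    answer's rpm -vVa advice is looking for. An mtime-only change is ignored.
    """
    content_tests = {'md5/digest', 'size', 'missing'}
    return [f for f in findings
            if not f['config'] and content_tests & set(f['reasons'])]


if __name__ == '__main__':
    for f in suspicious(parse_rpm_verify(SAMPLE)):
        print(f"{f['path']}: {', '.join(f['reasons'])}")
```

To feed it real output in line with the caveats above, boot the machine from rescue media, mount the root filesystem read-only and run rpm with --root pointing at the mount, so that the rpm binary and the verification run come from the rescue environment rather than the suspect install; the package database itself is still the host's, which is why the answer treats a clean result as a hint, not a clearance.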