Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Howto determine if your system is infected by linux/ebury
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
sirlark
Guru
Guru


Joined: 25 Oct 2004
Posts: 305
Location: Cape Town, South Africa

PostPosted: Mon Feb 24, 2014 8:39 am    Post subject: Howto determine if your system is infected by linux/ebury Reply with quote

I've just read through An In-Depth Analysis of Linux/Ebury, and checked my system for infection. The article list four ways to determine infection, but they are not all applicable to Gentoo


  1. "$ ssh -G" prints a usage message
  2. shared memory blocks are allocated by user root, process sshd, with permission 666 (or 777)
  3. network traffic being generated on ssh logins into your system
  4. specific SHA1 hashes for known infected /lib64/libkeyutils.so


In gentoo, only points 2 and 3 apply. Many distros apparently generate a usage message in this case. On gentoo, -G is in fact a valid option. The hashes aren't helpful to gentoo users, because there are so many things that influence the compilation of a package (CFLAGS, USE etc) that hashes will always be different, even if the library file might be infected. The dead sure ways to check are 2 and 3.

First, as root, run

Code:
$ ipcs -m --human


and look for any line owned by root, with permissions 666 or more open that are larger than 3M. These blocks needn't belong to sshd, which can be checked as follows.


  1. Note the shmid(s) of the suspicious block(s)
  2. Run "$ ipcs -m -p" and find the matching shmid(s), note the pids of the processes
  3. For each pid from a suspicious block, run "$ ps aux | grep <PID>" to see which process it belongs to.


If there are suspicious blocks, you are infected. You should replace sys-apps/keyutils at a minimum, but ideally reinstall your entire system. But, before you do, note that any system you have ssh'd into could have been infected too. This includes systems using private keys password protected or not.

Finally, to make 100% sure, install net-analyzer/tcpdump, and run

Code:
$ tcpdump -i <your internet interface name>


In another terminal ssh into your own system and look for packets being sent at the same time as the ssh logins, specifically when the passwords are entered.

Hope this helps
_________________
Adopt an unanswered post today


Last edited by sirlark on Tue Feb 25, 2014 1:14 pm; edited 2 times in total
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Mon Feb 24, 2014 5:11 pm    Post subject: Re: Gentoo and the linux/ebury trojan? Reply with quote

sirlark wrote:
"$ ssh -G" prints a usage message

So does mine (openssh 6.5p1, not on Gentoo), and I don't even have a *keyut* library file installed - the article is scaremongering, I reckon.
Back to top
View user's profile Send private message
Fitzcarraldo
Veteran
Veteran


Joined: 30 Aug 2008
Posts: 1774
Location: United Kingdom

PostPosted: Mon Feb 24, 2014 5:29 pm    Post subject: Reply with quote

Marc-Etienne M.Léveillé wrote:
The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print

ssh: illegal option -- G

to stderr but an infected server will only print the typical “usage” message.

"an infected server."

A clean system will also print a usage message in any case:

Code:
$ ssh -G
unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-Q protocol_feature]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]

_________________
Clevo W230SS: amd64 nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC eudev elogind & KDE on both.

Fitzcarraldo's blog
Back to top
View user's profile Send private message
sirlark
Guru
Guru


Joined: 25 Oct 2004
Posts: 305
Location: Cape Town, South Africa

PostPosted: Tue Feb 25, 2014 7:23 am    Post subject: Reply with quote

@FitzCarraldo: Thanks. I don't get illegal option though. I get the following

Code:
$ ssh -G
option requires an argument -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-G engineconfigfile]
           [-L [bind_address:]port:host:hostport] [-Q protocol_feature]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]


@PaulBredbury: Yup, probably fear mongering, but I found it very difficult to get any reliable info on this.

I think maybe a GLSA message or similar stating how to test for infection on gentoo would go a long way to clearing up the confusion. The hashes can't be used because everything is compiled on system with different USE flags. Clearly the usage message test (which was the only infection indicator on my system) isn't reliable on Gentoo (or other distros in some cases). It's also probably the weakest indicator, as it could be easily circumvented. The network sniffing and shared memory allocations are probably the most reliable, but installing snort and getting it to work is more effort than most will go to I'm guessing.

Should I file a bug, or maybe contact the glsa team directly.
_________________
Adopt an unanswered post today
Back to top
View user's profile Send private message
Gusar
Advocate
Advocate


Joined: 09 Apr 2005
Posts: 2665
Location: Slovenia

PostPosted: Tue Feb 25, 2014 12:21 pm    Post subject: Reply with quote

If you want to know whether you're infected, look at the shared memory segments, in particular check for a large segment (over 3MB) owned by root and with 666 permissions. Note the permissions, that's the giveaway. It's not necessary that the process which created the segment will point to sshd, on our CentOS6 machine that got infected, the listed PID didn't belong to any running process. We then used tcpdump to observe what's going on, and found out that every time someone connected via ssh, a specially crafted DNS packet was being sent that contained username, password and ssh port. Reinstalling libkeyutils and openssh didn't help. What did was ditching openssh in favor of dropbear.
Back to top
View user's profile Send private message
sirlark
Guru
Guru


Joined: 25 Oct 2004
Posts: 305
Location: Cape Town, South Africa

PostPosted: Tue Feb 25, 2014 12:53 pm    Post subject: Reply with quote

Thanks, I'm going to rename this thread to something more useful, and easy to search for so others can get the information. I'll cut 'n paste your comments into the top of the thread too.
_________________
Adopt an unanswered post today
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum