Gentoo Forums
Howto determine if your system is infected by linux/ebury
sirlark
Guru

Joined: 25 Oct 2004
Posts: 306
Location: Limerick, Ireland

Posted: Mon Feb 24, 2014 8:39 am    Post subject: Howto determine if your system is infected by linux/ebury

I've just read through An In-Depth Analysis of Linux/Ebury, and checked my system for infection. The article lists four ways to determine infection, but they are not all applicable to Gentoo:


  1. "$ ssh -G" prints a usage message
  2. shared memory blocks are allocated by user root, process sshd, with permission 666 (or 777)
  3. network traffic being generated on ssh logins into your system
  4. specific SHA1 hashes for known infected /lib64/libkeyutils.so


In Gentoo, only points 2 and 3 apply. Many distros apparently generate a usage message in this case. On Gentoo, -G is in fact a valid option. The hashes aren't helpful to Gentoo users, because there are so many things that influence the compilation of a package (CFLAGS, USE etc.) that hashes will always be different, even if the library file might be infected. The dead sure ways to check are 2 and 3.

First, as root, run

Code:
$ ipcs -m --human


and look for any lines owned by root, with permissions 666 or more open, that are larger than 3M. These blocks needn't belong to sshd, which can be checked as follows.


  1. Note the shmid(s) of the suspicious block(s)
  2. Run "$ ipcs -m -p" and find the matching shmid(s), note the pids of the processes
  3. For each pid from a suspicious block, run "$ ps aux | grep <PID>" to see which process it belongs to.


If there are suspicious blocks, you are infected. You should replace sys-apps/keyutils at a minimum, but ideally reinstall your entire system. But, before you do, note that any system you have ssh'd into could have been infected too. This includes systems using private keys password protected or not.

Finally, to make 100% sure, install net-analyzer/tcpdump, and run

Code:
$ tcpdump -i <your internet interface name>


In another terminal ssh into your own system and look for packets being sent at the same time as the ssh logins, specifically when the passwords are entered.

Hope this helps
_________________
Adopt an unanswered post today


Last edited by sirlark on Tue Feb 25, 2014 1:14 pm; edited 2 times in total
PaulBredbury
Watchman

Joined: 14 Jul 2005
Posts: 7310

Posted: Mon Feb 24, 2014 5:11 pm    Post subject: Re: Gentoo and the linux/ebury trojan?

sirlark wrote:
"$ ssh -G" prints a usage message

So does mine (openssh 6.5p1, not on Gentoo), and I don't even have a *keyut* library file installed - the article is scaremongering, I reckon.
Fitzcarraldo
Advocate

Joined: 30 Aug 2008
Posts: 2034
Location: United Kingdom

Posted: Mon Feb 24, 2014 5:29 pm

Marc-Etienne M.Léveillé wrote:
The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print

ssh: illegal option -- G

to stderr but an infected server will only print the typical “usage” message.

"an infected server."

A clean system will also print a usage message in any case:

Code:
$ ssh -G
unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-Q protocol_feature]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]

_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.

Fitzcarraldo's blog
sirlark
Guru

Joined: 25 Oct 2004
Posts: 306
Location: Limerick, Ireland

Posted: Tue Feb 25, 2014 7:23 am

@FitzCarraldo: Thanks. I don't get illegal option though. I get the following

Code:
$ ssh -G
option requires an argument -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-G engineconfigfile]
           [-L [bind_address:]port:host:hostport] [-Q protocol_feature]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]


@PaulBredbury: Yup, probably fear mongering, but I found it very difficult to get any reliable info on this.

I think maybe a GLSA message or similar stating how to test for infection on Gentoo would go a long way to clearing up the confusion. The hashes can't be used because everything is compiled on the system with different USE flags. Clearly the usage message test (which was the only infection indicator on my system) isn't reliable on Gentoo (or other distros in some cases). It's also probably the weakest indicator, as it could be easily circumvented. The network sniffing and shared memory allocations are probably the most reliable, but installing snort and getting it to work is more effort than most will go to, I'm guessing.

Should I file a bug, or maybe contact the GLSA team directly?
_________________
Adopt an unanswered post today
Gusar
Advocate

Joined: 09 Apr 2005
Posts: 2665
Location: Slovenia

Posted: Tue Feb 25, 2014 12:21 pm

If you want to know whether you're infected, look at the shared memory segments, in particular check for a large segment (over 3MB) owned by root and with 666 permissions. Note the permissions; that's the giveaway. It's not necessary that the process which created the segment will point to sshd; on our CentOS6 machine that got infected, the listed PID didn't belong to any running process. We then used tcpdump to observe what's going on, and found out that every time someone connected via ssh, a specially crafted DNS packet was being sent that contained username, password and ssh port. Reinstalling libkeyutils and openssh didn't help. What did was ditching openssh in favor of dropbear.
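
Added example, not part of any post in this thread: the shared-memory check from the first post and from Gusar's reply, written as a script. It reads `ipcs -m` without `--human` so that sizes are in bytes; the 3,000,000-byte threshold, the function names and the sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag SysV shared memory segments that
# match the posters' criteria: owner root, perms 666 or more open, over 3M.
MIN_BYTES=3000000   # assumption: "3M" read as 3,000,000 bytes (inclusive side)

# stdin: `ipcs -m` output with sizes in bytes (no --human).
# stdout: "shmid perms bytes" for every matching segment.
suspicious_shm() {
    awk -v min="$MIN_BYTES" '
        $1 ~ /^0x/ && $3 == "root" && $4 ~ /^[67][67][67]$/ && $5 + 0 > min {
            print $2, $4, $5
        }'
}

# $1: shmid; stdin: `ipcs -m -p` output. stdout: "cpid lpid" of that segment.
shm_pids() {
    awk -v id="$1" '$1 == id { print $3, $4 }'
}

# Name the process behind a PID. A PID with no running process does not clear
# the segment: one poster saw exactly that on an infected machine.
describe_pid() {
    name=$(ps -o comm= -p "$1" 2>/dev/null) || name=""
    echo "$1 (${name:-no running process})"
}

# Constructed sample of `ipcs -m` output, used unless "live" is passed.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      alice      600        4194304    2          dest
0x00000001 65537      postgres   600        56         6
0x00000000 98306      root       644        3500000    1
0x00000002 131075     root       666        3283128    0
0x00000000 163844     root       666        4096       0'

if [ "${1:-}" = "live" ]; then
    segs=$(ipcs -m | suspicious_shm)
else
    segs=$(printf '%s\n' "$SAMPLE_IPCS" | suspicious_shm)
fi
[ -n "$segs" ] || echo "no segment matches the criteria"
printf '%s\n' "$segs" | while read -r id perms bytes; do
    [ -n "$id" ] || continue
    echo "SUSPICIOUS shmid=$id perms=$perms bytes=$bytes"
    [ "${1:-}" = "live" ] || continue
    for pid in $(ipcs -m -p | shm_pids "$id"); do
        echo "  pid $(describe_pid "$pid")"
    done
done
```

With no argument it runs on the embedded sample; pass `live` as root to read the real `ipcs` output and resolve the creator and last-operation PIDs.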
sirlark
Guru

Joined: 25 Oct 2004
Posts: 306
Location: Limerick, Ireland

Posted: Tue Feb 25, 2014 12:53 pm

Thanks, I'm going to rename this thread to something more useful, and easy to search for so others can get the information. I'll cut 'n paste your comments into the top of the thread too.
_________________
Adopt an unanswered post today