sirlark Guru
Joined: 25 Oct 2004 Posts: 306 Location: Limerick, Ireland
Posted: Mon Feb 24, 2014 8:39 am Post subject: Howto determine if your system is infected by linux/ebury |
I've just read through An In-Depth Analysis of Linux/Ebury, and checked my system for infection. The article lists four ways to determine infection, but they are not all applicable to Gentoo:
- "$ ssh -G" prints a usage message
- shared memory blocks are allocated by user root, process sshd, with permission 666 (or 777)
- network traffic being generated on ssh logins into your system
- specific SHA1 hashes for known infected /lib64/libkeyutils.so
In Gentoo, only points 2 and 3 apply. Many distros apparently generate a usage message in this case. On Gentoo, -G is in fact a valid option. The hashes aren't helpful to Gentoo users, because there are so many things that influence the compilation of a package (CFLAGS, USE etc.) that hashes will always be different, even if the library file might be infected. The dead sure ways to check are 2 and 3.
First, as root, run
Code: | $ ipcs -m |
and look for any line owned by root, with permissions 666 or more open, that is larger than 3M. These blocks needn't belong to sshd, which can be checked as follows.
- Note the shmid(s) of the suspicious block(s)
- Run "$ ipcs -m -p" and find the matching shmid(s), note the pids of the processes
- For each pid from a suspicious block, run "$ ps aux | grep <PID>" to see which process it belongs to.
If there are suspicious blocks, you are infected. You should replace sys-apps/keyutils at a minimum, but ideally reinstall your entire system. But, before you do, note that any system you have ssh'd into could have been infected too. This includes systems using private keys password protected or not.
Finally, to make 100% sure, install net-analyzer/tcpdump, and run
Code: | $ tcpdump -i <your internet interface name> |
In another terminal ssh into your own system and look for packets being sent at the same time as the ssh logins, specifically when the passwords are entered.
Hope this helps
_________________
Adopt an unanswered post today
Last edited by sirlark on Tue Feb 25, 2014 1:14 pm; edited 2 times in total |
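The shared-memory check in the post above, written out as a script. This is an added example, not code from the original post or from the Ebury analysis: the criteria (owner root, world read/write mode, larger than 3 MiB) are the thread's, while the function names, the sample `ipcs` output and the `--live` flag are my own. It parses the util-linux `ipcs -m` and `ipcs -m -p` layouts, where data rows begin with the `0x...` key and with the numeric shmid respectively.

```shell
#!/bin/sh
# Added example (not from the original post): automate the ipcs check.
# Criteria from the thread: owner root, mode 666 or more open, > 3 MiB.

# Filter `ipcs -m` text on stdin. Prints "shmid owner perms bytes" for each
# segment owned by root, world read+write and larger than 3 MiB.
# Data rows of util-linux ipcs start with the 0x... key; headers do not.
find_suspicious_shm() {
    awk '
        $1 ~ /^0x/ {
            shmid = $2; owner = $3; perms = $4; bytes = $5 + 0
            other = substr(perms, length(perms), 1) + 0   # "other" octal digit
            # 6 = rw-, 7 = rwx for everyone; 666, 667, 676 ... 777 all match
            if (owner == "root" && other >= 6 && bytes > 3 * 1024 * 1024)
                print shmid, owner, perms, $5
        }'
}

# Look up the creator PID (cpid column) of one shmid in `ipcs -m -p` text
# read from stdin. Prints nothing if the shmid is not listed.
shm_creator_pid() {
    awk -v id="$1" '$1 == id { print $3 }'
}

# Say what a PID is, or that it is gone. A creator that already exited does
# not clear the segment: the segment itself is the indicator.
describe_pid() {
    comm=$(ps -o comm= -p "$1" 2>/dev/null || true)
    if [ -n "$comm" ]; then
        echo "pid $1 is running as: $comm"
    else
        echo "pid $1 is not running (creator exited)"
    fi
}

# Live run, as root so every segment's owner is visible:
#   sh ebury-shm.sh --live
if [ "${1-}" = "--live" ]; then
    hits=$(ipcs -m | find_suspicious_shm)
    if [ -z "$hits" ]; then
        echo "no root-owned, world-writable shared memory segments over 3 MiB"
    else
        pids=$(ipcs -m -p)
        printf '%s\n' "$hits" | while read -r shmid owner perms bytes; do
            cpid=$(printf '%s\n' "$pids" | shm_creator_pid "$shmid")
            echo "SUSPICIOUS shmid=$shmid owner=$owner perms=$perms bytes=$bytes creator_pid=${cpid:-unknown}"
            if [ -n "$cpid" ]; then
                describe_pid "$cpid"
            fi
        done
    fi
fi
```

The mode test looks only at the last octal digit, so a segment that is 666, 676 or 777 is reported while a root-only 600 segment of the same size is not. Size alone is deliberately not enough: databases and X servers legitimately allocate large segments, but they do not normally hand them out world-writable.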
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Feb 24, 2014 5:11 pm Post subject: Re: Gentoo and the linux/ebury trojan? |
sirlark wrote: | "$ ssh -G" prints a usage message |
So does mine (openssh 6.5p1, not on Gentoo), and I don't even have a *keyut* library file installed - the article is scaremongering, I reckon.
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Mon Feb 24, 2014 5:29 pm Post subject: |
Marc-Etienne M.Léveillé wrote: | The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print
ssh: illegal option -- G
to stderr but an infected server will only print the typical “usage” message. |
"an infected server."
A clean system will also print a usage message in any case:
Code: | $ ssh -G
unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-Q protocol_feature]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command] |
_________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog
sirlark Guru
Joined: 25 Oct 2004 Posts: 306 Location: Limerick, Ireland
Posted: Tue Feb 25, 2014 7:23 am Post subject: |
@FitzCarraldo: Thanks. I don't get illegal option though. I get the following
Code: | $ ssh -G
option requires an argument -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-G engineconfigfile]
[-L [bind_address:]port:host:hostport] [-Q protocol_feature]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
|
@PaulBredbury: Yup, probably fear mongering, but I found it very difficult to get any reliable info on this.
I think maybe a GLSA message or similar stating how to test for infection on gentoo would go a long way to clearing up the confusion. The hashes can't be used because everything is compiled on system with different USE flags. Clearly the usage message test (which was the only infection indicator on my system) isn't reliable on Gentoo (or other distros in some cases). It's also probably the weakest indicator, as it could be easily circumvented. The network sniffing and shared memory allocations are probably the most reliable, but installing snort and getting it to work is more effort than most will go to I'm guessing.
Should I file a bug, or maybe contact the GLSA team directly?
Gusar Advocate
Joined: 09 Apr 2005 Posts: 2665 Location: Slovenia
Posted: Tue Feb 25, 2014 12:21 pm Post subject: |
If you want to know whether you're infected, look at the shared memory segments, in particular check for a large segment (over 3MB) owned by root and with 666 permissions. Note the permissions, that's the giveaway. It's not necessary that the process which created the segment will point to sshd, on our CentOS6 machine that got infected, the listed PID didn't belong to any running process. We then used tcpdump to observe what's going on, and found out that every time someone connected via ssh, a specially crafted DNS packet was being sent that contained username, password and ssh port. Reinstalling libkeyutils and openssh didn't help. What did was ditching openssh in favor of dropbear.
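The tcpdump observation described in the post above, turned into a repeatable check. This is an added example and not code from the post or from the Ebury analysis: it captures only DNS (udp port 53) while you log in to your own machine, then lists queries that were sent to an address other than the resolvers in /etc/resolv.conf. The assumption that the login-triggered packet goes somewhere other than your normal resolver is mine; a query to your real resolver timed exactly with a login still deserves a look. The function names, the `--live` flag and the sample capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): correlate ssh logins with
# outbound DNS, as described in the thread.

# Print the nameserver addresses from a resolv.conf, one per line.
resolvers_from() {          # $1 = path to resolv.conf
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Read `tcpdump -nn ... udp port 53` text on stdin and print every query
# whose destination is not one of the known resolvers.
# A tcpdump -nn line looks like:
#   12:00:03.500002 IP 10.0.0.5.51234 > 203.0.113.7.53: 4242+ A? example.com. (30)
# Only packets *to* port 53 are considered; replies from the resolver are skipped.
dns_to_unknown() {          # $1 = known resolver addresses, whitespace separated
    awk -v known="$1" '
        BEGIN {
            n = split(known, k, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (k[i] != "") ok[k[i]] = 1
        }
        {
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            if (dst !~ /\.53:$/) next          # not a query to port 53
            sub(/\.53:$/, "", dst)             # keep the bare address
            if (!(dst in ok)) print
        }'
}

# Live run (root, because tcpdump needs to open the interface):
#   sh ebury-dns.sh --live eth0
# Force a password login (-o PubkeyAuthentication=no) if you want to watch
# the moment the password is entered, as the first post suggests.
if [ "${1-}" = "--live" ]; then
    iface=${2:?usage: $0 --live <interface>}
    cap=$(mktemp)
    tcpdump -nn -l -i "$iface" udp port 53 > "$cap" 2>/dev/null &
    tpid=$!
    sleep 2
    ssh -o PubkeyAuthentication=no localhost true
    sleep 2
    kill "$tpid"
    known=$(resolvers_from /etc/resolv.conf | tr '\n' ' ')
    echo "DNS queries during the login that did not go to your resolvers ($known):"
    dns_to_unknown "$known" < "$cap"
    rm -f "$cap"
fi
```

Run it a few times: a single stray query can be an unrelated lookup, but one that appears on every login, carrying a name you never asked for, is the pattern the post describes.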
sirlark Guru
Joined: 25 Oct 2004 Posts: 306 Location: Limerick, Ireland
Posted: Tue Feb 25, 2014 12:53 pm Post subject: |
Thanks, I'm going to rename this thread to something more useful, and easy to search for so others can get the information. I'll cut 'n paste your comments into the top of the thread too.