
Thread: Does SSHD attach to shared Memory?


  #1

    Does SSHD attach to shared Memory?

    Well now this is a little complicated I guess,

    Short question before the text wall:

    "ipcs -mp" returns:

        ------ Shared Memory Creator/Last-op PIDs --------
        shmid      owner      cpid       lpid
        0          syslog     2492       25996
        32769      gnats      2492       25996
        65538      114        2492       25996

    Now 25996 is an SSH session; is sshd normally attaching to shared memory? This kind of makes me curious.

    Doing a full "grep 25996 /proc/*/maps" does not return anything at all, so no more info is available.

    -------------------------------

    Now for the long version:
    I'm blacklisted at CBL because of an Ebury trojan, since a few hours ago; I never was before.

    IP Address XXX.XXX.XXX.X is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
    It was last detected at 2014-03-06 19:00 GMT (+/- 30 minutes), approximately 17 hours ago.
    The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.
    Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries or a shared library used by SSH.
    Ebury infected hosts are used for criminal activities, such as sending out spam emails or hosting exploit kits.
    My mail server is a VM; a few ports like 25 are forwarded via iptables.
    Am I right to assume that if the physical machine is clean, a netstat-nat should see all kinds of strange traffic from any infected VM?

    How come they don't have the offending mail? All other blacklists I know can show you the mail that caused the blacklisting, or are there other possible reasons for the blacklisting?

    Other stuff done on the physical server:
    Running rkhunter and chkrootkit reveals no infections.
    Testing the file size with "find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;" returns "-rw-r--r-- 1 root root 14360 Oct 17 2011 /lib/x86_64-linux-gnu/libkeyutils.so.1.4", so below 15 kB, which should be clean.
    Last edited by Empire-Phoenix; March 7th, 2014 at 01:15 PM. Reason: ebury sshd sharedmemory rootkit infection
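The two checks the post runs by hand (correlating the creator/last-op PIDs from "ipcs -mp" with the processes behind them, and sizing the libkeyutils copies on disk) can be scripted so they are repeatable across hosts. The following is an added example for this thread, not code from the original poster or from any of the tools mentioned. It parses a constructed copy of the "ipcs -mp" listing shaped like the one above, resolves PIDs to process names through a constructed map that stands in for /proc/<pid>/comm (the real files are read when no map is given), lists the segments whose creator or last-op process is sshd so an admin can review them, and applies the thread's rule of thumb that a libkeyutils copy at or above roughly 15 kB deserves a closer look. The 15 kB threshold, the sample PIDs and the process names are assumptions taken from or constructed for this thread, not a property of Ebury that the page establishes.

```python
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of `ipcs -mp` output, shaped like the listing in the post.
SAMPLE_IPCS_MP = """\
------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          syslog     2492       25996
32769      gnats      2492       25996
65538      114        2492       25996
"""

# Constructed pid -> process name map standing in for /proc/<pid>/comm
# (hypothetical: the real creator process in the thread is unknown).
SAMPLE_PROC_NAMES = {2492: "rsyslogd", 25996: "sshd"}

# Rule of thumb used in the thread: a libkeyutils copy below ~15 kB looked clean.
LIBKEYUTILS_SIZE_LIMIT = 15 * 1024


def parse_ipcs_mp(text: str) -> List[dict]:
    """Turn `ipcs -mp` output into rows of shmid/owner/cpid/lpid, skipping banner and header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[2].isdigit():
            continue
        shmid, owner, cpid, lpid = parts
        rows.append({"shmid": int(shmid), "owner": owner, "cpid": int(cpid), "lpid": int(lpid)})
    return rows


def proc_name(pid: int, names: Optional[Dict[int, str]] = None) -> str:
    """Resolve a pid to a process name from the supplied map, else from /proc/<pid>/comm."""
    if names is not None:
        return names.get(pid, "?")
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"  # process already gone, or no /proc on this platform


def segments_touched_by(process: str, ipcs_text: str,
                        names: Optional[Dict[int, str]] = None) -> List[dict]:
    """Return the shm segments whose creator or last-op pid resolves to `process`."""
    hits = []
    for seg in parse_ipcs_mp(ipcs_text):
        seg = dict(seg, cname=proc_name(seg["cpid"], names), lname=proc_name(seg["lpid"], names))
        if process in (seg["cname"], seg["lname"]):
            hits.append(seg)
    return hits


def find_libkeyutils(roots: Iterable[str] = ("/lib", "/lib32", "/lib64", "/usr/lib")) -> List[Tuple[str, int]]:
    """Walk the library directories and return (path, size) for every libkeyutils.so* file."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.startswith("libkeyutils.so"):
                    path = os.path.join(dirpath, name)
                    if os.path.isfile(path) and not os.path.islink(path):
                        found.append((path, os.path.getsize(path)))
    return found


def oversized_libkeyutils(paths_and_sizes: Iterable[Tuple[str, int]],
                          limit: int = LIBKEYUTILS_SIZE_LIMIT) -> List[str]:
    """Return the paths whose size is at or above the threshold; accepts the output of find_libkeyutils()."""
    return [path for path, size in paths_and_sizes if size >= limit]


if __name__ == "__main__":
    for seg in segments_touched_by("sshd", SAMPLE_IPCS_MP, SAMPLE_PROC_NAMES):
        print(f"shmid {seg['shmid']:>6} owner={seg['owner']:<8} "
              f"creator={seg['cpid']}({seg['cname']}) last-op={seg['lpid']}({seg['lname']})")
    # On a live host, replace SAMPLE_IPCS_MP with subprocess output and drop the name map.
    for path in oversized_libkeyutils(find_libkeyutils()):
        print("review:", path)
```

On a real host the segments list should be read together with "ipcs -m" (attached count, permissions) and with the package manager's file verification for the libkeyutils copies (for example "dpkg -V libkeyutils1" on Debian-derived systems) rather than trusting the size alone; the size rule is only the heuristic the thread used.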
