Originally Posted by
Empire-Phoenix
Code:
XXX@YYY:~$ sudo ipcs -m
- Each segment has the write bit set for all.
- Each segment is roughly 3 megs in size.
Originally Posted by
Empire-Phoenix
any further suggestion what to do or how to determine if it is infected?
Please show output of these commands:
Code:
stat /lib/x86_64-linux-gnu/libkeyutils.so.1
debsums openssh-server
debsums openssh-client
debsums [whatever package contains /lib/x86_64-linux-gnu/libkeyutils.so.1]
ssh -G 2>&1
*This may work if you have Rootkit Hunter 1.4.2, though false positives may occur:
Code:
clamscan -d /var/lib/rkhunter/signatures -r /lib /usr/sbin
Originally Posted by
Empire-Phoenix
Is there some other way to force reinstall every binary from the repositories?
We've only started to determine whether the server was subverted, so please don't get ahead of things. If it was, then realize 0) Ebury is used to sniff credentials and 1) it requires root privileges to replace root-owned files. And, apart from what misguided web log and forum posts tell you about "cleaning up", a root compromise basically means Game Over.
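A script that turns the two shared-memory observations above (world-writable segments of roughly 3 megs) into a repeatable check over `ipcs -m` output. This is an added example, not code from the post or from rkhunter; the 2 to 4 MiB size window and the sample rows are constructed assumptions.

```shell
#!/bin/sh
# Flag shared memory segments that are world-writable AND roughly 3 MB,
# the two properties noted for the segments in the post.
# Size window is an assumption for this example: 2 MiB .. 4 MiB.
SHM_MIN=2097152
SHM_MAX=4194304

# Reads `ipcs -m` style output on stdin, prints one line per matching segment.
flag_shm() {
    awk -v lo="$SHM_MIN" -v hi="$SHM_MAX" '
        # data rows start with a hex key; the banner and header lines do not
        /^0x/ {
            perms = $4; bytes = $5 + 0
            # the last octal digit holds the "other" bits; write is bit 2
            other = substr(perms, length(perms), 1) + 0
            world_w = (int(other / 2) % 2 == 1)
            if (world_w && bytes >= lo && bytes <= hi)
                printf "shmid=%s owner=%s perms=%s bytes=%d\n", $2, $3, perms, bytes
        }'
}

# Constructed sample in `ipcs -m` layout (not output from the original host).
# Rows 1 and 4 should be flagged; row 2 is not world-writable, row 3 is tiny.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       666        3145728    0
0x00000000 65537      www-data   600        3145728    2          dest
0x0052e2c1 98306      root       666        4096       1
0x00000000 131075     sshd       666        3211264    1
'

# On a live system the check would be:  sudo ipcs -m | flag_shm
printf '%s' "$SAMPLE_IPCS" | flag_shm
```

A hit is only an indicator that deserves the follow-up checks above (stat, debsums), not proof of infection on its own.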