全球主机交流论坛 (Global Hosting Exchange Forum)

Title: Gurus, how do I clean out the Ebury rootkit trojan? Hostigation says I'm infected!

Author: asmon    Time: 2014-3-20 12:14
Title: Gurus, how do I clean out the Ebury rootkit trojan? Hostigation says I'm infected!
Hostigation received third party information that your VPS may be compromised with the Ebury Trojan. The Ebury trojan steals SSH login credentials from incoming and outgoing SSH connections and forwards them to a dropzone server in specially crafted DNS packets. The trojan is normally found in a binary directory on Unix-based systems in one of the following locations:

/usr/bin/ssh
/usr/bin/sshd
/usr/bin/ssh-add

According to the data we received, your VPS was sending harvested SSH credentials to a dropzone server. The only guaranteed way to remove this trojan is to reinstall your VPS. If your VPS is OpenVZ, we can provide you with a small amount of backup space so you may retrieve critical files once your VPS is reinstalled. Due to the nature of this trojan, any infected KVM VPS will have to be reinstalled completely from scratch.
Author: Ruclinux    Time: 2014-3-20 12:17
Would rkhunter work for this?
Author: asmon    Time: 2014-3-20 12:18
This post was last edited by asmon on 2014-4-2 23:51

ipcs -m


Found 3 unidentified things! Damn! All of them over 3MB!
Author: asmon    Time: 2014-3-20 12:21
If you're on OpenVZ, everyone should check this: ipcs -m
Author: cgs3238    Time: 2014-3-20 12:26
ipcs -m lists shared memory segments, not processes
Author: asmon    Time: 2014-3-20 13:14
cgs3238 posted on 2014-3-20 12:26:
ipcs -m lists shared memory segments, not processes

Is there any way to deal with it?
Author: yohu    Time: 2014-3-20 14:00
I've heard the odds are higher for segments over 3M with 666 permissions.

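A small detection helper added here, not from any poster in this thread: it applies the heuristic quoted above (shared memory segments over 3 MiB with mode 666) to `ipcs -m` output, so the check does not rely on eyeballing the table. The `ipcs -m` sample rows are constructed; the size threshold is a parameter.

```shell
#!/bin/sh
# Constructed sample of `ipcs -m` output (Linux util-linux layout); not real data.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      www-data   600        524288     2          dest
0x00000000 65537      root       666        3145728    1
0x6a0b1c2d 98306      root       666        4194304    0
0x00000000 131075     postgres   600        16777216   3'

# Print "shmid owner perms bytes" for every segment that is strictly larger
# than $1 bytes (default 3 MiB = 3145728) AND world-readable/writable (666).
# Reads `ipcs -m` output on stdin; header and banner lines are skipped
# because only data rows start with a hex key.
find_suspicious_shm() {
    min=${1:-3145728}
    awk -v min="$min" '
        $1 ~ /^0x[0-9a-fA-F]+$/ && $4 == "666" && $5+0 > min {
            print $2, $3, $4, $5
        }'
}

# Run the heuristic over the constructed sample (used by the assertions below).
check_sample() {
    printf '%s\n' "$SAMPLE_IPCS" | find_suspicious_shm
}

# On a live host: ipcs -m | find_suspicious_shm
check_sample
```

A hit is only a lead: confirm by checking which process is attached (`ipcs -mp`) and whether the owning binary and libkeyutils package verify cleanly, since legitimate software also uses large shared segments.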
Author: yohu    Time: 2014-3-20 14:05
A fix I saw online: best to reinstall the system; if you don't reinstall the system, reinstall libkeyutils.
  1. Re-install libkeyutils (using the rpm --replacepkg option) and reboot the server.
  2. Change the passwords of all SSH user accounts.

Author: dzbz    Time: 2014-3-20 20:52

Author: bolatu    Time: 2014-3-20 21:49

Author: flyfish    Time: 2014-3-20 21:53
Took a look, not infected.




Welcome to 全球主机交流论坛 (https://fd.vvwvv.eu.org/) Powered by Discuz! X3.4