# Ebury Root Kit



## Enterprisevpssolutions (Mar 15, 2014)

Just wanted to make a post as I didn't see anything yet for this in the forum.

 

Any and all hosts are recommend to check the shared servers as well as warn all clients about the root kit.

 

Ebury uses shared memory segments (SHMs) for interprocess communication.

A list of currently existing SHMs can be obtained by running 'ipcs -m'

as root. If the output shows one or more large segments (at least 3 MB)

with full permissions (666), the system is most likely infected with

Ebury.

 

------ Shared Memory Segments --------

key shmid owner perms bytes nattch

0x000006e0 32763 user 666 3018428 0

0x00000469 65538 root 666 4313584 0

0x0000047a 131072 smmsp 666 3966496 0

 

clean systems would give a better response

 

------ Shared Memory Segments --------

key shmid owner perms bytes nattch status 

0x6c6c6536 0 root 600 4096 0 

0x0052e2c1 425985 postgres 600 37879808 4 

 

Again please warn all clients that have vps or dedicated servers and check your shared linux servers for the root kit.

 

Only fix at this time is to create backups of the client data and reload the system.

 

More information can be found here https://www.cert-bund.de/ebury-faq

 

If someone has another fix please post it so we can test it.

 

They are now doing it with 'signed' rpms these days so watch out.

 

Be very careful about logging into other servers from a compromised box, thats one way how it spreads


----------



## Deleted (Mar 15, 2014)

This isn't new. 

There are more versions floating around that avoid detection by not sending udp traffic over port 53 if IF_PROMISC is active. I've counted at least 9 versions, all of them behave differently.

The more important issue is 'how' it's getting installed.


----------



## wlanboy (Mar 19, 2014)

Well it is altering ssh, so you can check it quite easy:


ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "Nothing found" || echo "Found ebury!"

If you are interested into this topic read this study.


----------



## hostinghouston (Mar 25, 2014)

We have been dealing with this issue for quite some time. Previous comments are right, it is nothing new for sure, but it seems to becoming more widespread.


----------

