Just wanted to make a post as I didn't see anything yet for this in the forum.
Any and all hosts are recommended to check their shared servers as well as warn all clients about the rootkit.
Ebury uses shared memory segments (SHMs) for interprocess communication.
A list of currently existing SHMs can be obtained by running 'ipcs -m'
as root. If the output shows one or more large segments (at least 3 MB)
with full permissions (666), the system is most likely infected with
Ebury.
------ Shared Memory Segments --------
key shmid owner perms bytes nattch
0x000006e0 32763 user 666 3018428 0
0x00000469 65538 root 666 4313584 0
0x0000047a 131072 smmsp 666 3966496 0
Clean systems would give a better response:
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x0052e2c1 425985 postgres 600 37879808 4
Again, please warn all clients that have VPS or dedicated servers and check your shared Linux servers for the rootkit.
The only fix at this time is to create backups of the client data and reload the system.
More information can be found here: https://www.cert-bund.de/ebury-faq
If someone has another fix, please post it so we can test it.
They are now doing it with 'signed' RPMs these days, so watch out.
Be very careful about logging into other servers from a compromised box; that's one way it spreads.
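The 'ipcs -m' check described in the post can be scripted so it can be run across many hosts. The script below is an added example and is not from the original post or from CERT-Bund; it assumes the column layout shown in the post's output (key, shmid, owner, perms, bytes, nattch) and treats "3 MB" as 3,000,000 bytes, since the post's smallest flagged example (3018428 bytes) is meant to count. The sample outputs embedded in it are constructed to mirror the post.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the 'ipcs -m'
# heuristic. A segment is flagged when its perms are 666 and its size is at
# least THRESHOLD bytes. Threshold and column positions are assumptions
# based on the output format shown in the post.

THRESHOLD=3000000   # "3 MB" taken as decimal, so 3018428 counts

# flag_suspicious_shm: read 'ipcs -m' output on stdin and print the segment
# lines matching the heuristic. Banner, header and blank lines do not start
# with a 0x key, so they are skipped.
flag_suspicious_shm() {
    awk -v threshold="$THRESHOLD" '
        $1 ~ /^0x/ && $4 == "666" && ($5 + 0) >= threshold { print }
    '
}

# count_suspicious_shm: number of flagged segments in the text passed as $1
count_suspicious_shm() {
    printf '%s\n' "$1" | flag_suspicious_shm | wc -l | tr -d ' '
}

# Constructed sample mirroring the infected output shown in the post
INFECTED_SAMPLE='------ Shared Memory Segments --------
key shmid owner perms bytes nattch
0x000006e0 32763 user 666 3018428 0
0x00000469 65538 root 666 4313584 0
0x0000047a 131072 smmsp 666 3966496 0'

# Constructed sample mirroring the clean output shown in the post
CLEAN_SAMPLE='------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x6c6c6536 0 root 600 4096 0
0x0052e2c1 425985 postgres 600 37879808 4'

# Demonstration on the constructed samples. On a live host, run as root:
#   ipcs -m | flag_suspicious_shm
echo "infected sample: $(count_suspicious_shm "$INFECTED_SAMPLE") suspicious segment(s)"
printf '%s\n' "$INFECTED_SAMPLE" | flag_suspicious_shm
echo "clean sample: $(count_suspicious_shm "$CLEAN_SAMPLE") suspicious segment(s)"
```

Against the constructed input the infected sample yields three flagged segments and the clean sample none; the large postgres segment is not flagged because its perms are 600. The check is a heuristic, so a hit should be confirmed against the CERT-Bund FAQ linked above before a server is reloaded.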