Tuesday, March 11, 2014

Ebury SSH Rookit/Backdoor Trojan

About 3 days ago, an Ubuntu user (aka Empire-Phoenix) shouted for help at Ubuntu Forums - Security Discussions that his server has been infected by Ebury SSH Rookit/Backdoor Trojan. In his case, his mail server IP address has been blacklisted due to the infection. His story is here.

CERT Bund has announced the details about this rootkit/backdoor and they also include the Snort rule for the detection. The link is here.

The only solution is to re-install the server(s).

However, the main question is how the intruder(s) compromise our server(s) and install the rootkit? Our server(s) is/are compromised via SSH or other vulnerabilities in the server(s)?

Even if we re-install our server(s) after the infection but leave the unknown factor(s) behind, our server(s) will be infected again. If we installed IDS, we will be notified about the infection but we also need to re-install the server(s) that in question.

I supposed that the server of the captioned Ubuntu user is up-to-date and he had nothing to do with this infection as his server is a production server and he also do not know what is the problem on his server before the infection. The defensive solution is to do penetration test on the server in a regular time and it may prevent this from happening.

Update

More news here.

That's all! See you.