Author Topic: Ebury trojan on all of my CWP servers  (Read 8984 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Ebury trojan on all of my CWP servers
« on: March 22, 2023, 06:09:11 PM »
Hello,

Today I was informed by our national domain registry that couple of my ip addresses are doing some malicious activities. Also they suspected that it is "Ebury Linux SSH rootkit/backdoor trojan".

And really after malware scan of all my servers (5 servers), everyone was having this trojan. Any hint on how can those trojans get in to the system, and how to prevent future problems?

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #1 on: March 22, 2023, 08:15:16 PM »
Yep got a notification to that this was the case. Would love to know whats going on here.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #2 on: March 22, 2023, 08:30:09 PM »
What are you using for your malware scan? We got the same notice but our scans are coming up clean.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #3 on: March 23, 2023, 08:24:59 AM »
I found trojan on all servers. I went to Security/Security Center/Malware Scan and then selected Custom scan from / (root) folder. It took a while but Trojan was found. Other things was also found in emails but it's normal :) Unix.Dropper.Ebury-9906999-0
 was found in usr/lib64/libkeystats.so. I have no idea how it got there. All of my server have different password generated at random.org (for example dr3Zd^VQnyy2q^w3). SSH port is not default.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #4 on: March 23, 2023, 11:39:24 AM »
My server admin said they saw rumblings about other CWP servers having this issue starting on March 17th -20th. Maybe the March 20th update was a patch?

Im running the scans now, will probably take a while. What OS were you running on the infected machines? One of mine was Centos 8 and the other was AlmaLinux 8.5. Also were you on a fully updated CWP?

Are you planning on re-building from scratch? From what I read thats the only definite solution.
« Last Edit: March 23, 2023, 12:21:12 PM by Rob P »

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #5 on: March 23, 2023, 02:29:49 PM »
The same thing happened to me. 2 servers with CentOS 7 and CWP 7 were infected. I did a quick analysis and it turned out that the infection happened more than 11 months ago for sure. Another thing I found out is that the server was not infected 3 years ago. I learned this from the backups I have for these 2 servers. So, the infection did not happen on March 17-20... Keep this in mind.

Offline
***
Re: Ebury trojan on all of my CWP servers
« Reply #6 on: March 23, 2023, 05:52:48 PM »
just did a complete scan. Took 108 minutes scanning almost half a million files. I dont have it

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #7 on: March 23, 2023, 06:34:42 PM »
Ok, I'am infected too...
I am scaning now with clam, will clam clean it?

Thx!

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #8 on: March 23, 2023, 07:01:35 PM »
Once the system is compromised, it is unknown which backdoors are open.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #9 on: March 23, 2023, 07:03:04 PM »
so only way to get rid it is clean os install?

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #10 on: March 23, 2023, 07:38:37 PM »
Maybe. The first thing you can do is change the SSH port and restrict access to SSH login for all users on the system to trusted IP addresses. Change the passwords for absolutely all users. This does not solve the problem since CWP is compromised and requests can be executed as root from there, but somehow it ensures that the server is not used for botnets - DDoS, email spam, etc. As I said, the infection through CWP was long ago. Personally, I think one of my servers was infected minutes before 03.09.2021, 03:46:34, because the logs before that are missing, and it has been online since 2020. I also restored backups and the infection existed 2-3 years ago. Even if the server is cleaned, as long as the vulnerability in CWP exists, it is still under threat. Personally, I will wait for the CWP bug to be fixed and then reinstall the server with the new CWP panel.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #11 on: March 23, 2023, 08:02:24 PM »
By the way, which hosting provider do you use? My servers are with hetzner.com.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #12 on: March 23, 2023, 08:02:58 PM »
By the way, which hosting provider do you use? My servers are with hetzner.com.

Hetzner as well!

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #13 on: March 23, 2023, 08:16:57 PM »
Maybe. The first thing you can do is change the SSH port and restrict access to SSH login for all users on the system to trusted IP addresses. Change the passwords for absolutely all users. This does not solve the problem since CWP is compromised and requests can be executed as root from there, but somehow it ensures that the server is not used for botnets - DDoS, email spam, etc. As I said, the infection through CWP was long ago. Personally, I think one of my servers was infected minutes before 03.09.2021, 03:46:34, because the logs before that are missing, and it has been online since 2020. I also restored backups and the infection existed 2-3 years ago. Even if the server is cleaned, as long as the vulnerability in CWP exists, it is still under threat. Personally, I will wait for the CWP bug to be fixed and then reinstall the server with the new CWP panel.
thank you
but, can you please tell me which way I can be 100% sure that malware exists?
I'm asking this because many tess found on internet shows that my system is not infected.
Your test only shows that it is. And if I run it on other server (which is not connected to my original in any way), there too it shows positive

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #14 on: March 23, 2023, 08:25:20 PM »
thank you
but, can you please tell me which way I can be 100% sure that malware exists?
I'm asking this because many tess found on internet shows that my system is not infected.
Your test only shows that it is. And if I run it on other server (which is not connected to my original in any way), there too it shows positive

Check if you have /usr/lib64/libkeystats.so file in your system. If you do you're infected. I would say it's safe to bet that the majority of CWP users are infected and don't know it.

As top20 said most likely the vulnerability with CWP is still open so cleaning out the server, re-installing the OS and then putting back CWP will probably just end up with the same issue until it's patched.