Author Topic: Ebury trojan on all of my CWP servers  (Read 8983 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #30 on: May 18, 2024, 11:48:12 AM »
uf..great...

was that ever addresed by CWP team, or?

Offline
*
Re: Ebury trojan on all of my CWP servers
« Reply #31 on: May 28, 2024, 08:09:53 PM »
uf..great...

was that ever addresed by CWP team, or?

This most likely won't be something addressed by CWP, at least, the removal of trojan itself.  I do hope CWP team has identified and fixed the exploit which allowed this trojan to be installed.  Most likely Ebury was injected into CWP hosts via a CWP vulnerability over the years.  Come to find out my system has Ebury installed, and most likely has been like that for years undetected.

Malicious DLLs were found in the following locations,

  • /usr/lib64/libkeyutils.so.1.5
  • /usr/lib64/libkeystats.so


With a (duplicated) running process of,

  • /usr/lib/systemd/systemd-udevd


With an open UNIX socket at,

  • UDEV-4kAmkRW3