{"id":330,"date":"2021-07-23T12:27:55","date_gmt":"2021-07-23T12:27:55","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/determine-your-system-status\/"},"modified":"2021-07-23T12:27:55","modified_gmt":"2021-07-23T12:27:55","slug":"determine-your-system-status","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/determine-your-system-status\/","title":{"rendered":"Determine Your System Status"},"content":{"rendered":"<\/p>\n<div class=\"col-md-9\">\n<div class=\"flex-column flex-md-row article-header\"><\/div>\n<hr>\n<h2 id=\"overview\">Overview<\/h2>\n<p>cPanel\u2019s Technical Support department detected the following security issues:<\/p>\n<ul>\n<li>Compromised RPMs in the OpenSSH binaries.<\/li>\n<li>Compromised <code>libkeyutils<\/code> directories.<\/li>\n<li><code>root<\/code>-level compromises.<\/li>\n<\/ul>\n<p>In these cases, Trojan horses (Trojans) affected files that these directories and binaries contain. We <strong>strongly<\/strong> recommend that hosting providers and system administrators use this document to determine the status of their systems.<\/p>\n<div class=\"callout callout-info\">\n<div class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n        The affected OpenSSH Binaries and <code>libkeyutils<\/code> directories produce similar network traffic.\n    <\/div>\n<\/div>\n<p>If you experience any issues while you perform these checks or you suspect that someone has compromised your server, contact your hosting provider for assistance.<\/p>\n<div class=\"callout callout-info\">\n<div class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n<ul>\n<li>\n<p>To check your system for compromises unrelated to the OpenSSH Binaries and <code>libkeyutils<\/code> directories, use WHM\u2019s <em>Security Advisor<\/em> interface (<em>WHM &gt;&gt; Home &gt;&gt; Security Center &gt;&gt; Security Advisor<\/em>).<\/p>\n<\/li>\n<li>\n<p>We <strong>strongly<\/strong> recommend that you read our Tips 
to Make Your Server More Secure documentation.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n<h2 id=\"compromised-systems\">Compromised systems<\/h2>\n<h3 id=\"open-ssh-rpms\">OpenSSH RPMs<\/h3>\n<p>On CentOS and Red Hat\u00ae Enterprise Linux\u00ae systems, we determined that the following OpenSSH binaries contain the Ebury Trojan:<\/p>\n<ul>\n<li>The <code>sshd<\/code> binary.<\/li>\n<li>The <code>ssh<\/code> binary.<\/li>\n<li>The <code>ssh-keygen<\/code> binary.<\/li>\n<li>The <code>ssh-askpass<\/code> binary.<\/li>\n<\/ul>\n<p>This Trojan\u2019s code collects authentication credentials for inbound and outbound network connections, as well as the SSH keys that these binaries generate.<\/p>\n<p>Use the following checks to determine whether the Trojan compromised your system\u2019s OpenSSH binaries.<\/p>\n<h4 id=\"check-for-malicious-processes\">Check for malicious processes<\/h4>\n<p>To check for malicious processes on your server, run the following command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">netstat <span style=\"color:#f92672\">-<\/span>plan <span style=\"color:#f92672\">|<\/span> grep atd<\/code><\/pre>\n<\/div>\n<p>This command does not return output on non-compromised systems. 
On compromised systems, this command returns output that resembles the following example: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">unix <span style=\"color:#ae81ff\">2<\/span> [ ACC ] STREAM LISTENING <span style=\"color:#ae81ff\">103713<\/span> <span style=\"color:#ae81ff\">8119<\/span><span style=\"color:#e6db74\">\/atd @\/<\/span>tmp<span style=\"color:#f92672\">\/<\/span>dbus<span style=\"color:#f92672\">-<\/span>ZP7tFO4xsL<\/code><\/pre>\n<\/div>\n<h4 id=\"check-the-rpms-change-logs\">Check the RPMs\u2019 change logs.<\/h4>\n<p>To check an RPM version\u2019s change log, run the following command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">rpm <span style=\"color:#f92672\">-<\/span><span style=\"color:#e6db74\">q --changelog <\/span>openssh<span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">5.3<\/span>p1<span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">209<\/span><span style=\"color:#f92672\">.<\/span>el6 <span style=\"color:#f92672\">|<\/span> head <span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">10<\/span><\/code><\/pre>\n<\/div>\n<p>In this example, <code>openssh-5.3p1-209.el6<\/code> represents the OpenSSH RPM binary that you wish to check.<\/p>\n<p>Non-compromised RPMs contain a signature. A compromised RPM\u2019s change log contains no entries.<\/p>\n<h4 id=\"check-your-system-s-yum-logs\">Check your system\u2019s yum logs.<\/h4>\n<p>Open your system\u2019s <code>\/var\/log\/yum.log<\/code> file with a text editor and search for the OpenSSH binaries. 
The file\u2019s contents resemble the following example:<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 4\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 5\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 6\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 7\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 8\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 9\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">10\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">11\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">12\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">13\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">14\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">Jun<\/span> <span 
style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">00<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">geronimo<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">jms<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.1.1<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">19.<\/span><span style=\"color:#a6e22e\">el7<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">00<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">xml<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">commons<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">apis<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.4.01<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">16.<\/span><span style=\"color:#a6e22e\">el7<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">00<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">xml<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">commons<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">resolver<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.2<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">15.<\/span><span style=\"color:#a6e22e\">el7<\/span>.<span 
style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">00<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">xalan<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">j2<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.7.1<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">23.<\/span><span style=\"color:#a6e22e\">el7<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">00<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">xerces<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">j2<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.11.0<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">17.<\/span><span style=\"color:#a6e22e\">el7_0<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">01<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">avalon<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">framework<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">4.3<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">10.<\/span><span style=\"color:#a6e22e\">el7<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span 
style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">01<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">tomcat<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">el<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.2<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">api<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">7.0.69<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">11.<\/span><span style=\"color:#a6e22e\">el7_3<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">01<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">tomcat<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">lib<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">7.0.69<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">11.<\/span><span style=\"color:#a6e22e\">el7_3<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">02<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">tomcat<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">7.0.69<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">11.<\/span><span style=\"color:#a6e22e\">el7_3<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span 
style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">02<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">openssh<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">6.6.1<\/span><span style=\"color:#a6e22e\">p1<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">35.<\/span><span style=\"color:#a6e22e\">el7_3<\/span>.<span style=\"color:#a6e22e\">x86_64<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">02<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">libssh2<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.4.3<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">10.<\/span><span style=\"color:#a6e22e\">el7_2<\/span><span style=\"color:#ae81ff\">.1<\/span>.<span style=\"color:#a6e22e\">x86_64<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">02<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">openssh<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">server<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">6.6.1<\/span><span style=\"color:#a6e22e\">p1<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">35.<\/span><span style=\"color:#a6e22e\">el7_3<\/span>.<span style=\"color:#a6e22e\">x86_64<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span 
style=\"color:#ae81ff\">02<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">cpanel<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">perl<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">524<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">Net<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">OpenSSH<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">0.74<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.<\/span><span style=\"color:#a6e22e\">cp1162<\/span>.<span style=\"color:#a6e22e\">noarch<\/span>\n<span style=\"color:#a6e22e\">Jun<\/span> <span style=\"color:#ae81ff\">22<\/span> <span style=\"color:#ae81ff\">10<\/span>:<span style=\"color:#ae81ff\">33<\/span>:<span style=\"color:#ae81ff\">02<\/span> <span style=\"color:#a6e22e\">Installed<\/span>: <span style=\"color:#a6e22e\">openssh<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">clients<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">6.6.1<\/span><span style=\"color:#a6e22e\">p1<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">35.<\/span><span style=\"color:#a6e22e\">el7_3<\/span>.<span style=\"color:#a6e22e\">x86_64<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>If your system\u2019s <code>\/var\/log\/yum.log<\/code> file does not contain the OpenSSH RPMs, the server may be compromised.<\/p>\n<h3 id=\"the-libkeysutils-utilities\">The libkeyutils utilities<\/h3>\n<p>To check your <code>libkeyutils<\/code> library for the Ebury Trojan, perform the following steps:<\/p>\n<div class=\"callout callout-warning\">\n<div class=\"callout-heading\">Important:<\/div>\n<div class=\"callout-content\">\n<ul>\n<li>\n<p>We recommend that you perform each of the following steps to fully determine your 
server\u2019s status.<\/p>\n<\/li>\n<li>\n<p>Your server\u2019s architecture determines the output that you receive when you run the commands in this section. 32-bit systems use the <code>\/lib<\/code> directory. 64-bit systems use the <code>\/lib64<\/code> directory, and may also contain a <code>\/lib<\/code> directory with 32-bit libraries for compatibility purposes. To find your server\u2019s architecture, run the <code>arch<\/code> command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">[user@host <span style=\"color:#f92672\">~<\/span>]$ arch<\/code><\/pre>\n<\/div>\n<p> The output will resemble one of the following examples:<\/p>\n<ul>\n<li>64-bit server \u2014 <code>x86_64<\/code><\/li>\n<li>32-bit server \u2014 <code>i386<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul><\/div>\n<\/div>\n<h4 id=\"verify-the-keyutils-libs-package\">Verify the keyutils-libs package.<\/h4>\n<p>Changes should not occur on your system without your consent. 
To check for changes on your system, run the following commands:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">rpm<\/span> <span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">V<\/span> <span style=\"color:#a6e22e\">keyutils<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">libs<\/span>\n<span style=\"color:#a6e22e\">netstat<\/span> <span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">plan<\/span> | <span style=\"color:#a6e22e\">grep<\/span> <span style=\"color:#a6e22e\">atd<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>These commands do <strong>not<\/strong> return output on non-compromised systems. 
On compromised systems, the <code>rpm -V<\/code> command returns output that resembles the following example: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\"><span style=\"color:#f92672\">....<\/span>L<span style=\"color:#f92672\">...<\/span>    <span style=\"color:#e6db74\">\/lib64\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1<\/span><\/code><\/pre>\n<\/div>\n<div class=\"callout callout-info\">\n<div class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n        Ebury control system operators often patch the MD5 sums of the <code>libkeyutils1<\/code> package to match the old packages, so an MD5 check may not reveal compromised packages.\n    <\/div>\n<\/div>\n<h4 id=\"check-the-files-installation-source\">Check the files\u2019 installation source.<\/h4>\n<p>If the <code>rpm -V keyutils-libs<\/code> command above returns output, verify whether an RPM provided the files. 
To do this, run the following command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">rpm <span style=\"color:#f92672\">-<\/span>qf <span style=\"color:#e6db74\">\/lib64\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1<\/span><\/code><\/pre>\n<\/div>\n<div class=\"callout callout-info\">\n<div class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n        In this example, <code>\/lib64\/libkeyutils.so.1<\/code> represents the file to verify.\n    <\/div>\n<\/div>\n<p>On non-compromised systems, the output resembles the following example: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">keyutils<span style=\"color:#f92672\">-<\/span>libs<span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.4<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">5<\/span><span style=\"color:#f92672\">.<\/span>el6<span style=\"color:#f92672\">.<\/span>i686<\/code><\/pre>\n<\/div>\n<p>On compromised systems, the output resembles the following example: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">file <span style=\"color:#e6db74\">\/lib64\/<\/span>tls<span style=\"color:#f92672\">\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1.5<\/span> is <span style=\"color:#f92672\">not<\/span> owned by any <span style=\"color:#66d9ef\">package<\/span><\/code><\/pre>\n<\/div>\n<h3 id=\"verify-the-file-that-links-to-the-libkeyutils-so-1-file\">Verify the file that links to the libkeyutils.so.1 file.<\/h3>\n<p>To see which file links to the <code>libkeyutils.so.1<\/code> 
file, run the following command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">ls <span style=\"color:#f92672\">-<\/span>l <span style=\"color:#e6db74\">\/lib64\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1<\/span><\/code><\/pre>\n<\/div>\n<p>On non-compromised systems, the output will resemble the following example: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">lrwxrwxrwx <span style=\"color:#ae81ff\">1<\/span> root root <span style=\"color:#ae81ff\">18<\/span> Feb <span style=\"color:#ae81ff\">20<\/span> <span style=\"color:#ae81ff\">12<\/span>:<span style=\"color:#ae81ff\">15<\/span> <span style=\"color:#e6db74\">\/lib64\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1<\/span> <span style=\"color:#f92672\">-&gt;<\/span> libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1.3<\/span><span style=\"color:#f92672\">*<\/span><\/code><\/pre>\n<\/div>\n<p>On compromised systems, the output will return one or more of the following files:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 
0.4em;color:#7f7f7f\">3\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">libkeyutils<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1.9<\/span>\n<span style=\"color:#a6e22e\">libkeyutils<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1.3.2<\/span>\n<span style=\"color:#a6e22e\">libkeyutils<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.2<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.2<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<h4 id=\"check-the-strings-for-all-libkeyutils-libraries-for-items-that-relate-to-networking\">Check the strings for all libkeyutils.* libraries for items that relate to networking.<\/h4>\n<p>The default <code>libkeyutils.so.1.3<\/code> file should <strong>not<\/strong> contain the following strings:<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">4\n<\/span><\/code><\/pre>\n<\/td>\n<td 
style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">connect<\/span>\n<span style=\"color:#a6e22e\">socket<\/span>\n<span style=\"color:#a6e22e\">inet_ntoa<\/span>\n<span style=\"color:#a6e22e\">gethostbyname<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>To check your system for these strings, run the following command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">strings <span style=\"color:#e6db74\">\/lib64\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1.3<\/span> <span style=\"color:#f92672\">|<\/span> egrep <span style=\"color:#e6db74\">'connect|socket|inet_ntoa|gethostbyname'<\/span><\/code><\/pre>\n<\/div>\n<p>This command does <strong>not<\/strong> return output on non-compromised systems. 
On compromised systems, this command returns the following output:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">4\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">connect<\/span>\n<span style=\"color:#a6e22e\">socket<\/span>\n<span style=\"color:#a6e22e\">inet_ntoa<\/span>\n<span style=\"color:#a6e22e\">gethostbyname<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<h4 id=\"check-sshd-processes\">Check sshd processes.<\/h4>\n<p>On compromised servers, <code>sshd<\/code> processes use shared memory segments.<\/p>\n<p>To check whether any <code>sshd<\/code> processes currently use shared memory segments, run the following command: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">ipcs <span style=\"color:#f92672\">-<\/span>mp<\/code><\/pre>\n<\/div>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table 
style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#f92672\">------<\/span> <span style=\"color:#a6e22e\">Shared<\/span> <span style=\"color:#a6e22e\">Memory<\/span> <span style=\"color:#a6e22e\">Creator<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">Last<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">op<\/span> <span style=\"color:#f92672\">--------<\/span>\n<span style=\"color:#a6e22e\">shmid<\/span>      <span style=\"color:#a6e22e\">owner<\/span>      <span style=\"color:#a6e22e\">cpid<\/span>       <span style=\"color:#a6e22e\">lpid<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>On a compromised server, the output will resemble the following example:<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span 
style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">4\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">5\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">6\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">7\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">8\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#f92672\">------<\/span> <span style=\"color:#a6e22e\">Shared<\/span> <span style=\"color:#a6e22e\">Memory<\/span> <span style=\"color:#a6e22e\">Creator<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">Last<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">op<\/span> <span style=\"color:#f92672\">--------<\/span>\n<span style=\"color:#a6e22e\">shmid<\/span>      <span style=\"color:#a6e22e\">owner<\/span>      <span style=\"color:#a6e22e\">cpid<\/span>       <span style=\"color:#a6e22e\">lpid<\/span>\n<span style=\"color:#ae81ff\">1769472<\/span>    <span style=\"color:#a6e22e\">root<\/span>       <span style=\"color:#ae81ff\">1975<\/span>       <span style=\"color:#ae81ff\">1975<\/span>\n<span style=\"color:#ae81ff\">2129921<\/span>    <span style=\"color:#a6e22e\">root<\/span>       <span style=\"color:#ae81ff\">2931<\/span>       <span style=\"color:#ae81ff\">2940<\/span>\n<span style=\"color:#ae81ff\">1736706<\/span>    <span style=\"color:#a6e22e\">root<\/span>       <span style=\"color:#ae81ff\">1965<\/span>       <span style=\"color:#ae81ff\">1965<\/span>\n<span 
style=\"color:#ae81ff\">2162691<\/span>    <span style=\"color:#a6e22e\">root<\/span>       <span style=\"color:#ae81ff\">2931<\/span>       <span style=\"color:#ae81ff\">2940<\/span>\n<span style=\"color:#ae81ff\">2195460<\/span>    <span style=\"color:#a6e22e\">root<\/span>       <span style=\"color:#ae81ff\">2931<\/span>       <span style=\"color:#ae81ff\">2940<\/span>\n<span style=\"color:#ae81ff\">2228229<\/span>    <span style=\"color:#a6e22e\">postgres<\/span>   <span style=\"color:#ae81ff\">4011<\/span>       <span style=\"color:#ae81ff\">6813<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>If any programs use shared memory segments, run the <code>ps<\/code> command, for example:<\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">ps aux <span style=\"color:#f92672\">|<\/span> grep <span style=\"color:#ae81ff\">1975<\/span><\/code><\/pre>\n<\/div>\n<p>This command checks whether any of the items in the <code>cpid<\/code> and <code>lpid<\/code> columns correspond to the <code>sshd<\/code> processes. 
The output will resemble the following example:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">root<\/span>     <span style=\"color:#ae81ff\">1975<\/span>  <span style=\"color:#ae81ff\">0.0<\/span>  <span style=\"color:#ae81ff\">0.0<\/span>  <span style=\"color:#ae81ff\">64080<\/span>  <span style=\"color:#ae81ff\">1172<\/span> <span style=\"color:#960050;background-color:#1e0010\">?<\/span>        <span style=\"color:#a6e22e\">Ss<\/span>   <span style=\"color:#a6e22e\">Feb17<\/span>\n<span style=\"color:#ae81ff\">0<\/span>:<span style=\"color:#ae81ff\">00<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">usr<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">sbin<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">sshd<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<h4 id=\"monitor-outbound-udp-port-53-traffic\">Monitor outbound UDP port 53 traffic.<\/h4>\n<p>We recommend that you use a network data capture tool, such as the <code>tcpdump<\/code> utility, to monitor outbound User Datagram Protocol (UDP) on port 53. 
This utility returns DNS traffic between your server and the local resolvers that reside in your <code>\/etc\/resolv.conf<\/code> file.<\/p>\n<p>To monitor outbound UDP on port 53, run the following command:<\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">[root@host <span style=\"color:#f92672\">~<\/span>]<span style=\"color:#75715e\"># tcpdump -Annvvs 1500 -i any udp and dst port 53<\/span><\/code><\/pre>\n<\/div>\n<p>On a non-compromised server, the output will resemble the following example: <\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">4\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">5\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">6\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#ae81ff\">22<\/span>:<span style=\"color:#ae81ff\">18<\/span>:<span style=\"color:#ae81ff\">22.038264<\/span> <span style=\"color:#a6e22e\">ARP<\/span>, <span 
style=\"color:#a6e22e\">Request<\/span> <span style=\"color:#a6e22e\">who<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">has<\/span> <span style=\"color:#ae81ff\">10.147.0.62<\/span> <span style=\"color:#a6e22e\">tell<\/span> <span style=\"color:#ae81ff\">10.147.0.64<\/span>, <span style=\"color:#a6e22e\">length<\/span> <span style=\"color:#ae81ff\">46<\/span>\n<span style=\"color:#ae81ff\">22<\/span>:<span style=\"color:#ae81ff\">18<\/span>:<span style=\"color:#ae81ff\">22.244856<\/span> <span style=\"color:#a6e22e\">ARP<\/span>, <span style=\"color:#a6e22e\">Request<\/span> <span style=\"color:#a6e22e\">who<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">has<\/span> <span style=\"color:#ae81ff\">10.147.0.64<\/span> <span style=\"color:#a6e22e\">tell<\/span> <span style=\"color:#ae81ff\">10.147.0.61<\/span>, <span style=\"color:#a6e22e\">length<\/span> <span style=\"color:#ae81ff\">46<\/span>\n<span style=\"color:#ae81ff\">22<\/span>:<span style=\"color:#ae81ff\">18<\/span>:<span style=\"color:#ae81ff\">22.245149<\/span> <span style=\"color:#a6e22e\">ARP<\/span>, <span style=\"color:#a6e22e\">Request<\/span> <span style=\"color:#a6e22e\">who<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">has<\/span> <span style=\"color:#ae81ff\">10.147.0.61<\/span> <span style=\"color:#a6e22e\">tell<\/span> <span style=\"color:#ae81ff\">10.147.0.64<\/span>, <span style=\"color:#a6e22e\">length<\/span> <span style=\"color:#ae81ff\">46<\/span>\n<span style=\"color:#ae81ff\">22<\/span>:<span style=\"color:#ae81ff\">18<\/span>:<span style=\"color:#ae81ff\">22.888851<\/span> <span style=\"color:#a6e22e\">b4<\/span>:<span style=\"color:#ae81ff\">99<\/span>:<span style=\"color:#a6e22e\">ba<\/span>:<span style=\"color:#ae81ff\">02<\/span>:<span style=\"color:#ae81ff\">18<\/span>:<span style=\"color:#ae81ff\">66<\/span> &gt; <span style=\"color:#a6e22e\">Broadcast<\/span>, <span 
style=\"color:#a6e22e\">ethertype<\/span> <span style=\"color:#a6e22e\">Unknown<\/span>    (<span style=\"color:#ae81ff\">0xcafe<\/span>), <span style=\"color:#a6e22e\">length<\/span> <span style=\"color:#ae81ff\">90<\/span>:\n        <span style=\"color:#ae81ff\">0x0000<\/span>:  <span style=\"color:#ae81ff\">0500<\/span> <span style=\"color:#ae81ff\">0100<\/span> <span style=\"color:#ae81ff\">0900<\/span> <span style=\"color:#ae81ff\">0000<\/span> <span style=\"color:#ae81ff\">0100<\/span> <span style=\"color:#a6e22e\">ffff<\/span> <span style=\"color:#ae81ff\">0<\/span><span style=\"color:#a6e22e\">c00<\/span> <span style=\"color:#ae81ff\">0002<\/span>  <span style=\"color:#f92672\">...<\/span>.. <span style=\"color:#f92672\">.........<\/span>..\n        <span style=\"color:#ae81ff\">0x0010<\/span>:  <span style=\"color:#ae81ff\">4<\/span><span style=\"color:#a6e22e\">c00<\/span> <span style=\"color:#ae81ff\">0000<\/span> <span style=\"color:#ae81ff\">0000<\/span> <span style=\"color:#ae81ff\">0000<\/span> <span style=\"color:#ae81ff\">8300<\/span> <span style=\"color:#ae81ff\">00<\/span><span style=\"color:#ae81ff\">80<\/span> <span style=\"color:#ae81ff\">0000<\/span> <span style=\"color:#ae81ff\">0000<\/span>  <span style=\"color:#a6e22e\">L<\/span><span style=\"color:#f92672\">...............<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>On a compromised server, the output will resemble the following example: <\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 
0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">4\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#ae81ff\">07<\/span>:<span style=\"color:#ae81ff\">54<\/span>:<span style=\"color:#ae81ff\">48.233159<\/span> <span style=\"color:#a6e22e\">IP<\/span> (<span style=\"color:#a6e22e\">tos<\/span> <span style=\"color:#ae81ff\">0x0<\/span>, <span style=\"color:#a6e22e\">ttl<\/span>  <span style=\"color:#ae81ff\">64<\/span>, <span style=\"color:#a6e22e\">id<\/span> <span style=\"color:#ae81ff\">31281<\/span>, <span style=\"color:#a6e22e\">offset<\/span> <span style=\"color:#ae81ff\">0<\/span>, <span style=\"color:#a6e22e\">flags<\/span> [<span style=\"color:#a6e22e\">DF<\/span>],\n<span style=\"color:#a6e22e\">proto<\/span>: <span style=\"color:#a6e22e\">UDP<\/span> (<span style=\"color:#ae81ff\">17<\/span>), <span style=\"color:#a6e22e\">length<\/span>: <span style=\"color:#ae81ff\">91<\/span>) <span style=\"color:#ae81ff\">1.2.3.4.43089<\/span> &gt; <span style=\"color:#ae81ff\">72.156.139.154.53<\/span>:\n[<span style=\"color:#a6e22e\">bad<\/span> <span style=\"color:#a6e22e\">udp<\/span> <span style=\"color:#a6e22e\">cksum<\/span> <span style=\"color:#a6e22e\">d7a9<\/span>!]  <span style=\"color:#ae81ff\">4619<\/span><span style=\"color:#f92672\">+<\/span> <span style=\"color:#a6e22e\">A<\/span><span style=\"color:#960050;background-color:#1e0010\">?<\/span>\n<span style=\"color:#ae81ff\">6196<\/span><span style=\"color:#a6e22e\">g8f43a4facd3561de4gec736fb<\/span><span style=\"color:#ae81ff\">.5.5.5.5<\/span>. 
(<span style=\"color:#ae81ff\">63<\/span>)<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<div class=\"callout callout-warning\">\n<div class=\"callout-heading\">Important:<\/div>\n<div class=\"callout-content\">\n<p>The example of the packet above shows that the cPanel server at <code>1.2.3.4<\/code> sends a UDP packet on port 53 to the host at <code>72.156.139.154<\/code>. You should notice the following false query from the example above: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\"><span style=\"color:#ae81ff\">6196<\/span>g8f43a4facd3561de4gec736fb<span style=\"color:#ae81ff\">.5.5.5.5<\/span>{<\/code><\/pre>\n<\/div>\n<ul>\n<li>The IP address that you used to log in to the server.<\/li>\n<li>The login password.<\/li>\n<\/ul><\/div>\n<\/div>\n<h4 id=\"verify-that-each-library-that-sshd-links-against-belongs-to-a-known-package\">Verify that each library that sshd links against belongs to a known package.<\/h4>\n<p>To check the libraries that the <code>sshd<\/code> daemon links against, run the following command <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">ldd <span style=\"color:#e6db74\">\/usr\/s<\/span>bin<span style=\"color:#f92672\">\/<\/span>sshd<\/code><\/pre>\n<\/div>\n<p>The output will resemble the following example: <\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span 
style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">4\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">5\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">6\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">7\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">libnspr4<\/span>.<span style=\"color:#a6e22e\">so<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libnspr4<\/span>.<span style=\"color:#a6e22e\">so<\/span> (<span style=\"color:#ae81ff\">0x00007fcb04a30000<\/span>)\n<span style=\"color:#a6e22e\">libfreebl3<\/span>.<span style=\"color:#a6e22e\">so<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libfreebl3<\/span>.<span style=\"color:#a6e22e\">so<\/span> (<span style=\"color:#ae81ff\">0x00007fcb0482d000<\/span>)\n<span style=\"color:#a6e22e\">libkrb5support<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.0<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libkrb5support<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.0<\/span> (<span 
style=\"color:#ae81ff\">0x00007fcb0461d000<\/span>)\n<span style=\"color:#a6e22e\">libkeyutils<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libkeyutils<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> (<span style=\"color:#ae81ff\">0x00007fcb04419000<\/span>)\n<span style=\"color:#a6e22e\">libattr<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libattr<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> (<span style=\"color:#ae81ff\">0x00007fcb04213000<\/span>)\n<span style=\"color:#a6e22e\">libelf<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libelf<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> (<span style=\"color:#ae81ff\">0x00007fcb03ffb000<\/span>)\n<span style=\"color:#a6e22e\">libbz2<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> =&gt; <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libbz2<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1<\/span> (<span style=\"color:#ae81ff\">0x00007fcb03dea000<\/span>)<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>To verify that these libraries belong to a valid package, run the following command: <\/p>\n<div 
class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">rpm <span style=\"color:#f92672\">-<\/span>qf <span style=\"color:#e6db74\">\/lib64\/<\/span>libfipscheck<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1<\/span><\/code><\/pre>\n<\/div>\n<p>The output will resemble the following example: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">fipscheck<span style=\"color:#f92672\">-<\/span>lib<span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">1.2.0<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">7<\/span><span style=\"color:#f92672\">.<\/span>el6<span style=\"color:#f92672\">.<\/span>x86_64<\/code><\/pre>\n<\/div>\n<h4 id=\"perform-an-ld-debug-check\">Perform an LD_DEBUG check<\/h4>\n<p>To list the libraries that the dynamic loader maps when it runs a program, and to filter that list for known indicators of compromise (IOCs), set the <code>LD_DEBUG<\/code> environment variable and run the following command:<\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">LD_DEBUG<span style=\"color:#f92672\">=<\/span>symbols <span style=\"color:#e6db74\">\/bin\/<\/span>true <span style=\"color:#ae81ff\">2<\/span><span style=\"color:#f92672\">&gt;&<\/span><span style=\"color:#ae81ff\">1<\/span> <span style=\"color:#f92672\">|<\/span> egrep <span style=\"color:#e6db74\">'\/lib(keyutils|ns[25]|pw[35]|s[bl]r).'<\/span><\/code><\/pre>\n<\/div>\n<p>Any line that the <code>egrep<\/code> pattern matches is an indicator of compromise.<\/p>\n<h4 id=\"perform-an-objdump-check\">Perform an objdump check<\/h4>\n<p>The <code>objdump<\/code> command reports information about object files. 
You can use this command to determine whether a library that a binary needs displays suspicious characteristics.<\/p>\n<p>To check a library with <code>objdump<\/code>, run the following command, where <code>\/path\/to\/libkeyutils.so.1<\/code> represents the full path to the suspected file: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">objdump <span style=\"color:#f92672\">-<\/span>x <span style=\"color:#e6db74\">\/path\/<\/span>to<span style=\"color:#f92672\">\/<\/span>libkeyutils<span style=\"color:#f92672\">.<\/span>so<span style=\"color:#ae81ff\">.1<\/span> <span style=\"color:#f92672\">|<\/span> grep NEEDED <span style=\"color:#f92672\">|<\/span> grep <span style=\"color:#f92672\">-<\/span>v <span style=\"color:#f92672\">-<\/span>F <span style=\"color:#f92672\">-<\/span>e libdl<span style=\"color:#f92672\">.<\/span>so <span style=\"color:#f92672\">-<\/span>e libc<span style=\"color:#f92672\">.<\/span>so<\/code><\/pre>\n<\/div>\n<p>The command prints every <code>NEEDED<\/code> entry other than <code>libdl.so<\/code> and <code>libc.so<\/code>. A legitimate <code>libkeyutils.so.1<\/code> needs only those two libraries, so any <code>NEEDED<\/code> line that the command prints is an indicator of compromise.<\/p>\n<h3 id=\"root-level-compromises\">root-level compromises<\/h3>\n<h4 id=\"check-for-suspicious-library-files\">Check for suspicious library files<\/h4>\n<p>For example, the <code>\/lib64\/libpw5.so<\/code> file is part of the Ebury Rootkit, and clean systems do not usually contain this file. The file may also use one of the other names that the We Live Security analysis of the Ebury Rootkit lists.<\/p>\n<p>Library files normally use less than 10 KB. 
Any library file that uses over 10 KB strongly indicates a compromise.<\/p>\n<p>To check for the existence of the <code>\/lib64\/libpw5.so<\/code> library file, run the following command:\n<\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\">ls <span style=\"color:#e6db74\">\/lib64\/<\/span>libpw5<span style=\"color:#f92672\">.<\/span>so<\/code><\/pre>\n<\/div>\n<p>This command returns the following output when the file does not exist: <\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\"><span style=\"color:#e6db74\">\/bin\/<\/span>ls: cannot access <span style=\"color:#e6db74\">\/lib64\/<\/span>libpw5<span style=\"color:#f92672\">.<\/span>so: No such file <span style=\"color:#f92672\">or<\/span> directory<\/code><\/pre>\n<\/div>\n<p>On compromised systems, this command returns output that resembles the following example:\n<\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\"><span style=\"color:#e6db74\">\/lib64\/<\/span>libpw5<span style=\"color:#f92672\">.<\/span>so<\/code><\/pre>\n<\/div>\n<p>Additionally, the system uses <code>yum<\/code> or <code>rpm<\/code> to install most library files. If you query the RPM database for the <code>\/lib64\/libpw5.so<\/code> file and it returns a <code>not owned by any package<\/code> message, then the server may be compromised.<\/p>\n<div class=\"callout callout-warning\">\n<div class=\"callout-heading\">Important:<\/div>\n<div class=\"callout-content\">\n        New variants of the Rootkit may falsify RPM package management. 
We recommend that you verify the file\u2019s hash with the instructions in the following section.\n    <\/div>\n<\/div>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#960050;background-color:#1e0010\">#<\/span> <span style=\"color:#a6e22e\">rpm<\/span> <span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">qf<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">file<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span> <span style=\"color:#a6e22e\">is<\/span> <span style=\"color:#a6e22e\">not<\/span> <span style=\"color:#a6e22e\">owned<\/span> <span style=\"color:#a6e22e\">by<\/span> <span style=\"color:#a6e22e\">any<\/span> <span style=\"color:#f92672\">package<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<h4 id=\"check-the-file-hash\">Check the file hash.<\/h4>\n<p>Run 
the <code>sha256<\/code> hash of the file through the VirusTotal website to check it against pre-existing scans of the same file.<\/p>\n<p>For example, to generate the sha256 hash for the <code>\/lib64\/libpw5.so<\/code> file, run the following command:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#960050;background-color:#1e0010\">#<\/span> <span style=\"color:#a6e22e\">sha256sum<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">sha256sum<\/span>: <span style=\"color:#ae81ff\">970<\/span><span style=\"color:#a6e22e\">b49c16eebd558ac8984643f3763e76a52c9be4118f9e5830b8f5c406414fc<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>Then, navigate to the https:\/\/www.virustotal.com\/en\/file\/hash website, where <code>hash<\/code> represents the hash of the file. 
In this example, you would navigate to the following website:<br \/>\nhttps:\/\/www.virustotal.com\/en\/file\/970b49c16eebd558ac8984643f3763e76a52c9be4118f9e5830b8f5c406414fc\/analysis\/<\/p>\n<p>The website should return similar results to the following output:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">3\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">SHA256<\/span>: <span style=\"color:#ae81ff\">970<\/span><span style=\"color:#a6e22e\">b49c16eebd558ac8984643f3763e76a52c9be4118f9e5830b8f5c406414fc<\/span>\n<span style=\"color:#a6e22e\">File<\/span> <span style=\"color:#a6e22e\">name<\/span>:  <span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">Detection<\/span> <span style=\"color:#a6e22e\">ratio<\/span>:    <span style=\"color:#ae81ff\">3<\/span> <span style=\"color:#f92672\">\/<\/span> <span style=\"color:#ae81ff\">58<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>These results show that at least 3 out of 58 antivirus engines flag this file as malicious.<\/p>\n<div class=\"callout callout-info\">\n<div 
class=\"callout-heading\">Note:<\/div>\n<div class=\"callout-content\">\n        The VirusTotal website does <strong>not<\/strong> contain results from every potentially compromised file. We strongly recommend that you consult a qualified security specialist.\n    <\/div>\n<\/div>\n<h4 id=\"check-for-intertwined-binaries\">Check for intertwined binaries<\/h4>\n<p>Check binaries on your server to detect whether they intertwine with the suspicious file.<\/p>\n<p>For example, the following command detects whether binaries intertwine with the <code>\/lib64\/libpw5.so<\/code> file.<\/p>\n<div class=\"highlight\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-perl\" data-lang=\"perl\"><span style=\"color:#75715e\"># lsof | grep \/lib64\/libpw5.so<\/span><\/code><\/pre>\n<\/div>\n<p>The command will produce results similar to the following output:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 4\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 5\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 6\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 7\n<\/span><span 
style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 8\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 9\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">10\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">11\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">12\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">auditd<\/span>     <span style=\"color:#ae81ff\">1577<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">sshd<\/span>       <span style=\"color:#ae81ff\">2126<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">exim<\/span>       <span 
style=\"color:#ae81ff\">2622<\/span>           <span style=\"color:#a6e22e\">mailnull<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">pure<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">ftpd<\/span>  <span style=\"color:#ae81ff\">2821<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">pure<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">auth<\/span>  <span style=\"color:#ae81ff\">2823<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span 
style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">cpsrvd<\/span>     <span style=\"color:#ae81ff\">2887<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">httpd<\/span>      <span style=\"color:#ae81ff\">3063<\/span>             <span style=\"color:#a6e22e\">nobody<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">pop3<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">logi<\/span>  <span style=\"color:#ae81ff\">3093<\/span>           <span style=\"color:#a6e22e\">dovenull<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span 
style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">imap<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">logi<\/span>  <span style=\"color:#ae81ff\">3094<\/span>           <span style=\"color:#a6e22e\">dovenull<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">lmtp<\/span>       <span style=\"color:#ae81ff\">3120<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">named<\/span>     <span style=\"color:#ae81ff\">20066<\/span>              <span style=\"color:#a6e22e\">named<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span 
style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">dnsadmin<\/span>  <span style=\"color:#ae81ff\">21983<\/span>               <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>       <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">34536<\/span>   <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>In this example, the first line shows that the <code>\/lib64\/libpw5.so<\/code> file intertwines with the <code>auditd<\/code> program. The <code>auditd<\/code> program, or Linux Auditing System, writes audit records to disk.<\/p>\n<p>If you run the <code>lsof -p 1577<\/code> command, which checks the PID of the <code>auditd<\/code> program, you will see results similar to the following:\n<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 2\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 3\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 
4\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 5\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 6\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 7\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 8\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\"> 9\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">10\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">11\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">12\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">13\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">14\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">15\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">16\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">17\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">18\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">19\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">20\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#a6e22e\">COMMAND<\/span>  <span style=\"color:#a6e22e\">PID<\/span> <span style=\"color:#a6e22e\">USER<\/span>   <span style=\"color:#a6e22e\">FD<\/span>   <span style=\"color:#a6e22e\">TYPE<\/span>             <span style=\"color:#a6e22e\">DEVICE<\/span> <span style=\"color:#a6e22e\">SIZE<\/span><span style=\"color:#f92672\">\/<\/span><span 
style=\"color:#a6e22e\">OFF<\/span>     <span style=\"color:#a6e22e\">NODE<\/span> <span style=\"color:#a6e22e\">NAME<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">cwd<\/span>    <span style=\"color:#a6e22e\">DIR<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">4096<\/span>        <span style=\"color:#ae81ff\">2<\/span> <span style=\"color:#f92672\">\/<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">rtd<\/span>    <span style=\"color:#a6e22e\">DIR<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>     <span style=\"color:#ae81ff\">4096<\/span>        <span style=\"color:#ae81ff\">2<\/span> <span style=\"color:#f92672\">\/<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">txt<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>   <span style=\"color:#ae81ff\">104544<\/span> <span style=\"color:#ae81ff\">41681130<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">sbin<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">auditd<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>    <span style=\"color:#ae81ff\">88600<\/span> <span 
style=\"color:#ae81ff\">16252994<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libz<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1.2.3<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>    <span style=\"color:#ae81ff\">20024<\/span> <span style=\"color:#ae81ff\">16253063<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libdl<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>  <span style=\"color:#ae81ff\">1924768<\/span> <span style=\"color:#ae81ff\">16252941<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libc<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span 
style=\"color:#ae81ff\">3<\/span>   <span style=\"color:#ae81ff\">596864<\/span> <span style=\"color:#ae81ff\">16253075<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libm<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>    <span style=\"color:#ae81ff\">44472<\/span> <span style=\"color:#ae81ff\">16253350<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">librt<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>   <span style=\"color:#ae81ff\">143280<\/span> <span style=\"color:#ae81ff\">16252965<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpthread<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    
<span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>   <span style=\"color:#ae81ff\">145864<\/span> <span style=\"color:#ae81ff\">16252997<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libaudit<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1.0.0<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>   <span style=\"color:#ae81ff\">113904<\/span> <span style=\"color:#ae81ff\">16253078<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libnsl<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>    <span style=\"color:#ae81ff\">40792<\/span> <span style=\"color:#ae81ff\">16253035<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libwrap<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.0.7.6<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span 
style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>    <span style=\"color:#ae81ff\">34536<\/span> <span style=\"color:#ae81ff\">16257536<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libpw5<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>  <span style=\"color:#ae81ff\">1971488<\/span> <span style=\"color:#ae81ff\">50333097<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">usr<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">libcrypto<\/span>.<span style=\"color:#a6e22e\">so<\/span><span style=\"color:#ae81ff\">.1.0.1<\/span><span style=\"color:#a6e22e\">e<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>  <span style=\"color:#a6e22e\">mem<\/span>    <span style=\"color:#a6e22e\">REG<\/span>                <span style=\"color:#ae81ff\">8<\/span>,<span style=\"color:#ae81ff\">3<\/span>   <span style=\"color:#ae81ff\">159312<\/span> <span style=\"color:#ae81ff\">16257525<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">lib64<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">ld<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#ae81ff\">2.12<\/span>.<span style=\"color:#a6e22e\">so<\/span>\n<span 
style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>    <span style=\"color:#ae81ff\">0<\/span><span style=\"color:#a6e22e\">u<\/span>   <span style=\"color:#a6e22e\">CHR<\/span>                <span style=\"color:#ae81ff\">1<\/span>,<span style=\"color:#ae81ff\">3<\/span>      <span style=\"color:#ae81ff\">0<\/span><span style=\"color:#a6e22e\">t0<\/span>     <span style=\"color:#ae81ff\">3857<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">dev<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">null<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>    <span style=\"color:#ae81ff\">1<\/span><span style=\"color:#a6e22e\">u<\/span>   <span style=\"color:#a6e22e\">CHR<\/span>                <span style=\"color:#ae81ff\">1<\/span>,<span style=\"color:#ae81ff\">3<\/span>      <span style=\"color:#ae81ff\">0<\/span><span style=\"color:#a6e22e\">t0<\/span>     <span style=\"color:#ae81ff\">3857<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">dev<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">null<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>    <span style=\"color:#ae81ff\">2<\/span><span style=\"color:#a6e22e\">u<\/span>   <span style=\"color:#a6e22e\">CHR<\/span>                <span style=\"color:#ae81ff\">1<\/span>,<span style=\"color:#ae81ff\">3<\/span>      <span style=\"color:#ae81ff\">0<\/span><span style=\"color:#a6e22e\">t0<\/span>     <span style=\"color:#ae81ff\">3857<\/span> <span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">dev<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">null<\/span>\n<span style=\"color:#a6e22e\">auditd<\/span>  <span 
style=\"color:#ae81ff\">1577<\/span> <span style=\"color:#a6e22e\">root<\/span>    <span style=\"color:#ae81ff\">3<\/span><span style=\"color:#a6e22e\">u<\/span>  <span style=\"color:#a6e22e\">unix<\/span> <span style=\"color:#ae81ff\">0xffff8804384f1c00<\/span>      <span style=\"color:#ae81ff\">0<\/span><span style=\"color:#a6e22e\">t0<\/span>    <span style=\"color:#ae81ff\">14145<\/span> <span style=\"color:#960050;background-color:#1e0010\">@<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">tmp<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">dbus<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">JFgUwQ7Nx3<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>The last line represents a socket connection in a temporary directory, which is highly suspicious. If we check for that name with the <code>netstat<\/code> command, we see that it listens for connections:<\/p>\n<div class=\"highlight\">\n<div style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\">\n<table style=\"border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;\">\n<tr>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">1\n<\/span><span style=\"margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f\">2\n<\/span><\/code><\/pre>\n<\/td>\n<td style=\"vertical-align:top;padding:0;margin:0;border:0;;width:100%\">\n<pre style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4\"><code class=\"language-go\" data-lang=\"go\"><span style=\"color:#960050;background-color:#1e0010\">#<\/span> <span style=\"color:#a6e22e\">netstat<\/span> <span style=\"color:#f92672\">-<\/span><span 
style=\"color:#a6e22e\">nap<\/span> | <span style=\"color:#a6e22e\">grep<\/span> <span style=\"color:#e6db74\">\"@\/tmp\/dbus-JFgUwQ7Nx3\"<\/span>\n<span style=\"color:#a6e22e\">unix<\/span>  <span style=\"color:#ae81ff\">2<\/span>      [ <span style=\"color:#a6e22e\">ACC<\/span> ]     <span style=\"color:#a6e22e\">STREAM<\/span>     <span style=\"color:#a6e22e\">LISTENING<\/span>     <span style=\"color:#ae81ff\">14145<\/span>  <span style=\"color:#ae81ff\">1577<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">auditd<\/span>         <span style=\"color:#960050;background-color:#1e0010\">@<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">tmp<\/span><span style=\"color:#f92672\">\/<\/span><span style=\"color:#a6e22e\">dbus<\/span><span style=\"color:#f92672\">-<\/span><span style=\"color:#a6e22e\">JFgUwQ7Nx3<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n<p>No reason exists for the <code>auditd<\/code> program to maintain a socket connection to the outside world. In this case, attackers most likely modified the binary so that it harvests SSH keys or <code>root<\/code> passwords and sends them to a command-and-control server for later use.<\/p>\n<h4 id=\"faq\">FAQ<\/h4>\n<h5 id=\"how-does-a-root-compromise-differ-from-a-site-compromise\">How does a root compromise differ from a site compromise?<\/h5>\n<p>A site compromise occurs on a specific website, and malicious attackers can only steal information from that website, not from any others. A <code>root<\/code> compromise exposes the entire server to theft, such as SSH keys and passwords. It can also damage the server so badly that it no longer boots.<\/p>\n<h5 id=\"but-what-about-symlink-hacks-that-can-hack-multiple-websites\">But what about symlink hacks that can hack multiple websites?<\/h5>\n<p>Most experts do not consider symlink hacks themselves to be root compromises, even though they appear to have compromised multiple accounts. The server itself is usually not in any danger.<\/p>\n<p>For more information on how to prevent symlink hacks, read our Symlink Race Condition Protection documentation.<\/p>\n<h5 id=\"i-ve-seen-symlinks-that-can-grab-the-etc-passwd-file-isn-t-that-a-root-compromise\">I\u2019ve seen symlinks that can grab the <code>\/etc\/passwd<\/code> file. Isn\u2019t that a root compromise?<\/h5>\n<p>No. The <code>\/etc\/passwd<\/code> file <strong>must<\/strong> be readable, so reading it does not represent a <code>root<\/code> compromise. The system stores password hashes in the <code>\/etc\/shadow<\/code> file, which you cannot simply view with a symlink hack. More broadly, a <code>root<\/code>-level compromise is any case in which an unauthorized user gains <code>root<\/code> access. You may not lose much from a particular attack, but any unauthorized access has the potential for further breaches.<\/p>\n<p>Every rootkit has at least 2 purposes:<\/p>\n<ul>\n<li>Hides the attacker.<\/li>\n<li>Grants access to the attacker.<\/li>\n<\/ul>\n<p>A <code>root<\/code>-level compromise exposes the <strong>entire<\/strong> server, and you should consider <strong>everything<\/strong> a loss. You can no longer trust any data, any configuration information, and probably any connectivity information and passwords. An attacker will likely want to keep accessing the server, so they will configure the system to appear to perform normally. This makes rootkits difficult, but not impossible, to detect.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Overview cPanel\u2019s Technical Support department detected the following security issues: Compromised RPMs in the OpenSSH binaries. Compromised libkeyutils directories. root-level compromises. In these cases, Trojan horses (Trojans) affected files that these directories and binaries contain. We strongly recommend that hosting providers and system administrators use this document to determine the status of their systems. Note: &hellip;<\/p>\n","protected":false},"author":1,"featured_media":331,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/330"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=330"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/331"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}