
Treating Your Server from Ebury

Learn how to effectively treat and secure your server from the Ebury SSH RootKit, including detection and removal steps.

Dmytro

The Ebury SSH rootkit epidemic has been going on for about a year; initial investigations into this Linux Trojan began in February 2013. New versions of the malware keep appearing and the number of infected systems is large, so detecting and removing this rootkit is crucial.

What is Ebury?

Ebury is primarily designed for password and SSH private key theft, sending them to the attackers’ servers using specially crafted DNS requests. It can also allow unauthorized remote access to a server without logging the intruder’s activity. If left untreated, a compromised server could be used for spamming or further hacks.

Infection Methods

Common methods used to infiltrate a clean system include:

  • Brute-force password attacks.
  • Exploiting vulnerabilities in outdated system utilities.
  • Stealing passwords or keys, especially if they are reused across multiple servers.

Detecting Ebury

Ebury substitutes the libkeyutils library used by the SSH server and client. Here are the steps to check your system:

  1. Check shared memory usage. Run:

     ipcs -m

     Look for segments with permissions 666 and a size around 3 MB; these indicate an infection.

  2. Verify the libkeyutils size. Run:

     find /lib* -type f -name 'libkeyutils.so*' -exec ls -la {} \;

     If libkeyutils exceeds 25 KB, an infection is confirmed:

     • Normal:
       -rw-r--r-- 1 root root 8528 Apr 4 2010 /lib/libkeyutils.so.1.3
     • Infected:
       -rwxr-xr-x 1 root root 35136 Jun 22 2012 /lib64/libkeyutils.so.1.3
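The two checks above, scripted as an added example (not from the original post): it flags world-writable (666) shared memory segments of 3 MB or more and libkeyutils files larger than 25 KB. The exact thresholds, the function names and the `--live` flag are my assumptions; with no argument it runs on constructed sample output so you can see what a hit looks like.

```shell
#!/bin/sh
# Added example, not from the original post: the two Ebury checks above
# (world-writable ~3 MB shared memory segment, oversized libkeyutils) as
# reusable shell functions. Thresholds are assumptions taken from the post.

SHM_MIN_BYTES=3000000   # "around 3 MB": flag 666 segments at or above this
LIB_MAX_BYTES=25600     # 25 KB: a clean libkeyutils.so is well below this

# Read `ipcs -m` output on stdin (key shmid owner perms bytes nattch status).
# Prints each world-writable segment at/above the size threshold; exit 1 if any.
scan_shm() {
    awk -v min="$SHM_MIN_BYTES" '
        $4 == "666" && $5 + 0 >= min { print "SUSPICIOUS shm:", $0; found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Read `ls -la` lines for libkeyutils files on stdin (size is field 5).
# Prints each file above the size limit; exit 1 if any.
scan_libs() {
    awk -v max="$LIB_MAX_BYTES" '
        $5 + 0 > max { print "SUSPICIOUS lib:", $0; found = 1 }
        END { exit (found ? 1 : 0) }'
}

# Run both checks on the live host. Exit 1 if either check fires.
check_system() {
    rc=0
    ipcs -m | scan_shm || rc=1
    find /lib* -type f -name 'libkeyutils.so*' -exec ls -la {} \; | scan_libs || rc=1
    return "$rc"
}

# Constructed sample output (not captured from a real host) with one hit each.
demo() {
    printf '%s\n' \
        'key        shmid      owner      perms      bytes      nattch     status' \
        '0x00000000 32768      root       600        524288     2' \
        '0x00000000 65536      root       666        3145728    1' | scan_shm || echo "-> shm check fired"
    printf '%s\n' \
        '-rw-r--r-- 1 root root 8528 Apr 4 2010 /lib/libkeyutils.so.1.3' \
        '-rwxr-xr-x 1 root root 35136 Jun 22 2012 /lib64/libkeyutils.so.1.3' | scan_libs || echo "-> libkeyutils check fired"
}

# `sh ebury-check.sh --live` scans this host; with no argument it runs the demo.
case "${1:-}" in
    --live) check_system ;;
    *) demo ;;
esac
```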

Removing Ebury

Do not delete libkeyutils outright, as SSH depends on it. Instead, reinstall the original library and the SSH packages. The commands below are for CentOS and Debian (64-bit):

CentOS 64-bit

wget http://mirror.centos.org/centos/6/os/x86_64/Packages/keyutils-libs-1.4-4.el6.x86_64.rpm
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/openssh-clients-5.3p1-94.el6.x86_64.rpm
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm

Debian 64-bit

wget http://ftp.us.debian.org/debian/pool/main/o/openssh/openssh-client_5.5p1-6+squeeze4_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/o/openssh/openssh-server_5.5p1-6+squeeze4_amd64.deb
wget http://ftp.us.debian.org/debian/pool/main/k/keyutils/libkeyutils1_1.4-1_amd64.deb

Reinstallation Commands

For CentOS:

rm /lib64/libkeyutils*
rpm -Uvh --replacefiles --replacepkgs ./keyutils-libs-1.4-4.el6.x86_64.rpm
rpm -Uvh --replacefiles --replacepkgs ./openssh-clients-5.3p1-94.el6.x86_64.rpm
rpm -Uvh --replacefiles --replacepkgs ./openssh-server-5.3p1-94.el6.x86_64.rpm

For Debian:

rm /lib64/libkeyutils*
dpkg -i ./libkeyutils1_1.4-1_amd64.deb
dpkg -i ./openssh-client_5.5p1-6+squeeze4_amd64.deb
dpkg -i ./openssh-server_5.5p1-6+squeeze4_amd64.deb

Final Steps

After reinstalling, reboot and re-run the checks above to confirm the rootkit is gone. Update your operating system and change all passwords. If you use key-based authentication, generate new key pairs, since the old keys must be treated as compromised.

For better security, use passwords of at least 12-15 characters that mix uppercase, lowercase, digits and symbols. Simple passwords can be cracked in minutes with modern hardware and cracking tools.

P.S. Whether or not this note proves useful, back up regularly and change your passwords every 1-2 months.
