I am not sure how they are triggering for that email; I got one for a customer we no longer have, and it had taken CERT over three months to send it out (based on how long they had not been a customer).
I do know it has been a common rootkit lately (as seen in that webhostingtalk
thread below), and a lot of cpanel customers were getting compromised with it.
** (spoiler alert if you want to read that entire thread) **
Seems cpanel support makes people give them root access to login and fix things
for their customers, and rumor is that one of their support personnel was
running an infected Windows with a key logger. Whoever was getting the
passwords was then installing this rootkit.
Aka, never give anyone root access on your servers, and if you have to violate
that rule, give them a key that you can revoke.
On Mar 12, 2013, at 1:20 AM, Gabriel Gunderson wrote:
> Anyone seen this in the wild over the past few weeks?
>
> This is a letter that was forwarded to me from my ISP:
>
> """
> US-CERT has received information from a trusted third-party that
> systems within your net range may have been compromised. The mass
> compromise was possibly the result of an SSHD rootkit. The reporting
> party was able to do a quick check for the rootkit by typing the
> following: find /lib* -name libkeyutils\* -exec strings \{\} \; |
> egrep 'connect|socket|inet_ntoa|gethostbyname'. The data may be
> recorded as SSH login or brute force
> attempts at these IPs. If there is output, the system is compromised.
> If not, do the checks discussed in [2]. The possible affected IPs are
> listed in the attached document.
>
> [1] http://www.webhostingtalk.com/showthread.php?t=1235797
> [2] http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
> """
>
> So, I know a rootkit can hide itself, but:
>
> 1) I've done a pretty exhaustive review of my system and I haven't
> uncovered *anything* suspicious (log, ports, shared memory,
> timestamps, MD5s, network traffic, processes, lsof, etc.).
> 2) My distro (ClearOS, based on RHEL) issued updates pretty quickly on this
> issue.
> 3) I actually update packages pretty often on this box.
>
> I haven't set up a bridge or a port mirror to see the network traffic
> from an unrelated bit of hardware, but I'll do that soon.
>
> Anyway, I'm not entirely convinced they've got the right server in this case.
>
> Any thoughts on how to proceed? BTW, reinstalling this box is no big
> deal, I just don't want to do it without learning something from this.
>
>
> Best,
> Gabe
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
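The US-CERT check quoted above, written out as a small script so it can be run against a list of library directories and also against a constructed sample. This is an added example, not code from the thread, from US-CERT or from the SANS diary; it assumes the same four symbol names the notice lists, swaps `strings` for `grep -a` (so it does not depend on binutils being installed), and the two fake library files it builds for the demo are constructed test data, not real binaries.

```shell
#!/bin/sh
# Added example: a defender-side check modelled on the one-liner in the
# US-CERT notice. Not code from the thread or from US-CERT.

# Symbols the notice singles out. The genuine libkeyutils is a thin wrapper
# around the kernel key-management syscalls and has no reason to resolve
# hostnames or open sockets, which is why their presence is a useful signal.
SUSPICIOUS_SYMS='connect|socket|inet_ntoa|gethostbyname'

# check_libkeyutils DIR...
# Prints "path: symbol symbol ..." for every libkeyutils* file under the
# given directories that references one of the symbols above.
# Returns 0 when nothing matched, 1 when at least one file did.
# Directories that do not exist are skipped silently.
check_libkeyutils() {
    found=$(
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            # trailing slash makes find descend even when DIR is a symlink
            # (e.g. /lib -> /usr/lib on merged-/usr systems)
            find "$dir/" -name 'libkeyutils*' -type f 2>/dev/null
        done | while read -r f; do
            # grep -a scans the ELF file as text (no dependency on the
            # binutils 'strings' tool); -o -w prints each whole-word match,
            # sort -u dedupes, so the report says which symbols were seen.
            syms=$(grep -a -o -w -E "$SUSPICIOUS_SYMS" "$f" 2>/dev/null | sort -u | tr '\n' ' ')
            [ -n "$syms" ] && printf '%s: %s\n' "$f" "$syms"
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# make_sample_libs DIR
# Constructs two fake libraries under DIR/lib64 for a self-contained demo:
# a benign one carrying only key-management names, and a doctored one that
# also carries the networking symbols. Constructed test data, not real ELF.
make_sample_libs() {
    mkdir -p "$1/lib64"
    printf '\177ELF\0\0keyctl\0add_key\0request_key\0' > "$1/lib64/libkeyutils.so.1.3"
    printf '\177ELF\0\0keyctl\0gethostbyname\0socket\0connect\0' > "$1/lib64/libkeyutils.so.1.9"
}

# Demo: scan the usual library directories, then the constructed sample.
demo_dir=$(mktemp -d)
make_sample_libs "$demo_dir"
echo "== real system =="
check_libkeyutils /lib /lib64 /usr/lib /usr/lib64 && echo "no suspicious libkeyutils found"
echo "== constructed sample =="
check_libkeyutils "$demo_dir/lib64" || echo "suspicious libkeyutils found"
rm -rf "$demo_dir"
```

Two caveats a practitioner will want. First, this only detects a library that does not bother to hide: if the implant also hooks the file-system or string tools, `find` and `grep` run from the same host can lie, so the stronger version of the check is to compare the installed file against the package manager from a trusted environment (booted rescue media or a mounted image), e.g. `rpm -V keyutils-libs` on a RHEL-derived system such as ClearOS. Second, a substring match on a binary is a heuristic, not proof: confirm any hit by inspecting the file's exported symbols and its package ownership before treating the host as compromised.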
