Linux Malware: Ebury [INFO]
Posted by on 31 March 2014 09:19 AM
In late 2013, security researchers identified thousands of Linux systems around the world infected with an OpenSSH backdoor trojan and credential stealer named Linux/Ebury.
Antivirus firm ESET's research team has been tracking and investigating the operation behind Linux/Ebury, and today the team uncovered the details [Report PDF] of a massive, sophisticated and organized malware campaign called 'Operation Windigo', which infected more than 500,000 computers and 25,000 dedicated servers.
How to check if you have been compromised
If you run the 'ssh -G' command on its own, a clean server prints 'ssh: illegal option -- G', whereas an infected server prints only the usage text. Administrators can use the following UNIX/Linux command to check:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
If your system or server was compromised in this campaign, it is recommended to reinstall the system, or at minimum to reset all passwords and replace all private OpenSSH keys.
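The one-liner above folds the probe and the verdict into a single pipeline. The added POSIX shell example below (not part of the original article or of ESET's tooling) separates the two so the verdict can be checked against constructed sample output, and it adds one caveat a practitioner needs: from OpenSSH 6.8 onward, '-G' is a legitimate option (it prints the effective client configuration), so on such a release the usage text alone proves nothing and the verdict is reported as inconclusive. The function names and the sample strings below are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the output of the `ssh -G` Ebury probe, with a guard
# for modern OpenSSH releases where -G is a valid option. Function names and
# sample strings are constructed for this example.

# ssh_version_ge_6_8: parse "OpenSSH_X.Y" out of `ssh -V` output and succeed
# (exit 0) when X.Y >= 6.8, i.e. when -G is legitimate and the usage text is
# no longer an Ebury indicator.
ssh_version_ge_6_8() {
    ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# classify_ssh_g: $1 = combined stdout+stderr of `ssh -G`, $2 = output of `ssh -V`.
# Prints exactly one of: clean, suspect, inconclusive.
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean            # option rejected: stock OpenSSH older than 6.8
    elif ssh_version_ge_6_8 "$2"; then
        echo inconclusive     # -G is valid on this release; usage text proves nothing
    else
        echo suspect          # old ssh silently accepts -G: matches the Ebury indicator
    fi
}

# run_ebury_check: run the probe against the local ssh binary.
run_ebury_check() {
    classify_ssh_g "$(ssh -G 2>&1)" "$(ssh -V 2>&1)"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_USAGE_ONLY='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
OLD_VERSION='OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013'
NEW_VERSION='OpenSSH_8.9p1, OpenSSL 3.0.2 15 Mar 2022'

# Only probe the live host when invoked with --run, so sourcing is side-effect free.
if [ "${1:-}" = "--run" ]; then
    run_ebury_check
fi
```

Invoke the script with `--run` to check the local host; a result of `inconclusive` means the '-G' trick cannot tell you anything on that OpenSSH release and another indicator is needed. Note that a verdict of `clean` from this probe only says the ssh client binary behaves like stock OpenSSH; it is not a substitute for the reinstall and credential rotation recommended above on a host that is otherwise known to be compromised.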
**For Linux platforms running the WHM cPanel control panel.
For a detailed guide on scanning, refer to this cPanel Guide KB.
For more information, you may refer to this link.
Information from CERT.