IP Address 126.96.36.199 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2016-12-01 01:00 GMT (+/- 30 minutes), approximately 4 days, 29 minutes ago.
The host at this IP address is infected with the Ebury Rootkit/Backdoor trojan.
Ebury is an SSH rootkit/backdoor trojan for Linux and Unix-style operating systems. It is installed by attackers on root-level compromised hosts by either replacing SSH-related binaries (such as ssh or sshd) or a shared library (such as libkeyutils.so) used by SSH.
Ebury infected hosts are used for criminal activities, such as sending out spam emails or hosting exploit kits.
How are these detected? Login credentials harvested by Ebury from SSH connections from/to your system were seen being sent to a dropzone server for the malware.
Further information can be found in CERT-Bund: Ebury SSH Rootkit. We recommend that you follow all of their instructions very carefully.
One of our correspondents noted that (on CentOS) an infected libkeyutils.so was around 35K bytes in size, whereas the correct one is around 1K. So, one quick check is to find the file (under /lib) and examine its size. If it is much over 1-2K, reinstall it (e.g. "yum reinstall keyutils-libs" on CentOS) and see if it changes.
This has far more detail. Note that it demonstrates that the rootkit even changes RPM checksums, so an RPM verify will not work.
EVEN IF you cannot find libkeyutils.so, or it is the right size, Ebury is probably still present in a substituted ssh, sshd or some other related file.
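The size check described above, written out as an added POSIX shell example (not code from the CBL or from CERT-Bund). It assumes a flag threshold of 4096 bytes, chosen from the "much over 1-2K" guidance; the list of library directories is also an assumption and should be adjusted for the distribution in question. It only reports; reinstalling the package and checking ssh/sshd themselves remain manual steps, and a clean-looking size does not rule out Ebury.

```shell
#!/bin/sh
# Added example, not from the CBL page: report libkeyutils.so copies whose size
# is far above what a clean CentOS build ships. Threshold is an assumption.
EBURY_SIZE_THRESHOLD=${EBURY_SIZE_THRESHOLD:-4096}

# file_size_bytes PATH -> prints the size of PATH in bytes (portable, no stat flags)
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# libkeyutils_suspicious PATH
# Returns 0 if PATH is a regular file larger than the threshold, 1 otherwise.
libkeyutils_suspicious() {
    [ -f "$1" ] || return 1
    [ "$(file_size_bytes "$1")" -gt "$EBURY_SIZE_THRESHOLD" ]
}

# scan_libkeyutils [DIR ...]
# Prints one line per libkeyutils.so* found in the given directories
# (default: the usual library directories) and returns the number of
# suspicious files (0 means nothing flagged).
scan_libkeyutils() {
    if [ $# -eq 0 ]; then
        set -- /lib /lib64 /usr/lib /usr/lib64
    fi
    flagged=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/libkeyutils.so*; do
            [ -e "$f" ] || continue   # glob did not match anything
            if libkeyutils_suspicious "$f"; then
                echo "SUSPICIOUS $(file_size_bytes "$f") bytes: $f"
                flagged=$((flagged + 1))
            else
                echo "ok         $(file_size_bytes "$f") bytes: $f"
            fi
        done
    done
    return "$flagged"
}

# Usage when run directly: scan the default directories and exit non-zero if
# anything was flagged, so the script can be dropped into a cron job or a
# fleet-wide check. (Guarded so the functions can also be sourced.)
if [ "${EBURY_CHECK_SOURCED:-0}" != "1" ]; then
    scan_libkeyutils
    exit $?
fi
```

Set `EBURY_CHECK_SOURCED=1` before sourcing the file if you only want the functions. The exit status is the number of flagged files, so a non-zero status from the cron job means a host needs a manual look; because the page notes that Ebury also tampers with RPM checksums, do not treat `rpm -V keyutils-libs` returning clean as evidence against a hit here.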