
apt-get install chkrootkit lynis rkhunter unhide debsums

chkrootkit note: with OpenSSH 7 (anything from 6.8 on) chkrootkit reports "Possible Linux/Ebury - Operation Windigo installetd" (message text, typo included, is chkrootkit's own). This is a false positive. The Ebury test assumes a clean ssh rejects the -G option, but OpenSSH 6.8 added -G as a real option (dump the effective client configuration), so on 6.8+ the test can no longer tell clean from infected:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

# ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
# ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips  1 Mar 2016

On OpenSSH 6.8 or newer ignore this verdict and rely on the shared memory, libkeyutils and socket indicators instead.
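Added example, not from the page or from chkrootkit: the same ssh -G test, but gated on the OpenSSH version so it returns "inconclusive" instead of a false "infected" on 6.8 and later. The functions take the `ssh -V` and `ssh -G` output as arguments so the logic can be exercised against captured strings; the `--live` switch runs it against the local ssh. The "illegal"/"unknown" match and the 6.8 cut-off are the only facts assumed.

```shell
#!/bin/sh
# Version-gated Ebury ssh -G check (example code, not part of the original page).

# openssh_version_ge VERSION_TEXT MAJOR.MINOR
#   VERSION_TEXT is the first line of `ssh -V 2>&1`, e.g.
#   "OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips  1 Mar 2016".
#   Returns 0 if the version is >= MAJOR.MINOR, 1 if lower, 2 if unparseable.
openssh_version_ge() {
    vtext=$1; floor=$2
    ver=$(printf '%s\n' "$vtext" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1 = major, $2 = minor
    fmaj=${floor%%.*}; fmin=${floor#*.}
    [ "$1" -gt "$fmaj" ] || { [ "$1" -eq "$fmaj" ] && [ "$2" -ge "$fmin" ]; }
}

# ebury_ssh_verdict VERSION_TEXT G_OUTPUT
#   G_OUTPUT is the combined stdout/stderr of `ssh -G`.
#   Prints one of: clean | infected | inconclusive
ebury_ssh_verdict() {
    vtext=$1; gout=$2
    rc=0
    openssh_version_ge "$vtext" 6.8 || rc=$?
    case $rc in
        0) printf 'inconclusive\n'; return 0 ;;   # -G is a legitimate option here
        2) printf 'inconclusive\n'; return 0 ;;   # could not parse the version
    esac
    # Pre-6.8: a clean ssh rejects -G; Ebury's trojaned ssh accepts it.
    case $gout in
        *illegal*|*unknown*) printf 'clean\n' ;;
        *)                   printf 'infected\n' ;;
    esac
}

# Stand-alone use: ./ebury-ssh.sh --live
if [ "${1:-}" = "--live" ]; then
    ebury_ssh_verdict "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
fi
```

On a 6.8+ host the verdict is always "inconclusive"; that is the honest answer, and the reason chkrootkit's one-liner should not be trusted there.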

rkhunter --update; \
rkhunter --propupd; \
rkhunter -c --skip-keypress --pkgmgr dpkg

Only run --propupd on a system you already trust: it rewrites the file-properties baseline, so running it on a compromised host teaches rkhunter that the trojaned binaries are normal. Later runs:

rkhunter --check --skip-keypress

unhide -f sys; \
unhide -f proc

(-f writes the results to unhide-linux.log in the current directory)

lynis update info; \
lynis --quick

debsums -s

Reinstall packages whose files fail the checksum check (the pipeline turns the changed or missing files reported by debsums -c into the owning package names):

apt-get install --reinstall $(dpkg-query -S $(sudo debsums -c 2>&1 | sed -e "s/.*file \(.*\) (.*/\1/g") | cut -d: -f1 | sort -u)

This only helps if the mirror and package cache are trusted and the rootkit is not hiding its files from dpkg; a host that fails the Ebury checks should be rebuilt, not repaired.

Ebury shared memory: older versions create a root-owned segment that is far larger than anything normally found on a server (3283128 bytes here, over 3 MB), world-writable (perms 666) and with nothing attached:

# ipcs -m
------ Shared Memory Segments --------
key        shmid      owner     perms      bytes      nattch
0x000006e0 65538      root      666        3283128    0

Newer versions use a smaller segment with tighter perms (600), so size and perms alone are not conclusive; a root-owned segment with nattch 0 that no known daemon created still deserves a look (ipcs -m -p shows the creator pid):

# ipcs -m
------ Shared Memory Segments --------
key        shmid      owner     perms      bytes      nattch
0x0000091a     0      root      600        463084     0

Replacement of the shared library libkeyutils can be identified by file size: legitimate versions are usually under 15 KB, while the malicious ones are larger than 25 KB.

If a malicious libkeyutils exists, treat the host as fully compromised (Ebury steals SSH credentials and keys from every login through it), especially if netstat also shows the rootkit's abstract unix socket @/proc/udevd:

find /lib* -type f -name 'libkeyutils*' -exec ls -la {} \;; \
netstat -nap | grep "@/proc/udevd"
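Added example, not from the original page: the three host indicators above (odd root-owned shared memory segments, an oversized libkeyutils, the @/proc/udevd socket) as shell functions that can be run from cron or fed captured output for testing. The 25 KB libkeyutils limit is the page's figure; the 3 MB shared memory floor is an assumption taken from the first listing, and the "unattached" flag is a heuristic drawn from both listings showing nattch 0.

```shell
#!/bin/sh
# Ebury host indicator checks (example code, not from the original page).

SHM_LARGE_BYTES=${SHM_LARGE_BYTES:-3000000}   # assumption: old Ebury segment ~3.2 MB
LIBKEYUTILS_MAX=25600                         # page: malicious libkeyutils > 25 KB

# shm_suspects < "ipcs -m" output
#   Prints "shmid perms bytes reason" for root-owned segments that are
#   world-writable, unusually large, or unattached (nattch 0).
#   Header, separator and blank lines are skipped.
shm_suspects() {
    awk -v large="$SHM_LARGE_BYTES" '
        $1 ~ /^0x[0-9a-fA-F]+$/ && $3 == "root" {
            reason = ""
            if ($4 == "666")      reason = reason "world-writable,"
            if ($5 + 0 >= large)  reason = reason "large,"
            if ($6 + 0 == 0)      reason = reason "unattached,"
            if (reason != "") { sub(/,$/, "", reason); print $2, $4, $5, reason }
        }'
}

# libkeyutils_suspects DIR...
#   Prints "path size" for every libkeyutils* file over LIBKEYUTILS_MAX bytes.
libkeyutils_suspects() {
    find "$@" -type f -name 'libkeyutils*' 2>/dev/null | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$LIBKEYUTILS_MAX" ]; then
            printf '%s %s\n' "$f" "$size"
        fi
    done
}

# udevd_socket_present
#   Returns 0 if the Ebury abstract unix socket @/proc/udevd is present.
udevd_socket_present() {
    if command -v ss >/dev/null 2>&1; then
        ss -xap 2>/dev/null | grep -qF '@/proc/udevd'
    else
        netstat -nap 2>/dev/null | grep -qF '@/proc/udevd'
    fi
}

# Stand-alone use: ./ebury-host.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== shared memory segments"; ipcs -m | shm_suspects
    echo "== libkeyutils over ${LIBKEYUTILS_MAX} bytes"
    libkeyutils_suspects /lib /lib64 /usr/lib /usr/lib64
    echo "== socket"
    udevd_socket_present && echo "@/proc/udevd present: assume compromise"
fi
```

Any hit from the first two functions is a reason to pull the box from production and image it; the socket check is only useful while the rootkit is loaded, and a clean `ss` does not clear the host.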

Snort rule (Ebury exfiltrates stolen credentials in DNS queries, so this watches outbound UDP/53 for the fixed six-byte DNS header prefix it uses: transaction id 0x120b followed by the flags and question count of a standard query; expect to tune it against legitimate resolvers in $HOME_NET):

alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
(msg:"Ebury SSH Rootkit data exfiltration";\
content:"|12 0b 01 00 00 01|"; depth:6;\
classtype:trojan-activity; sid:9000001; rev:1;)



Apache PHP handler:

# Cause the PHP interpreter to handle files with a .php extension.
#AddHandler php5-script .php
#AddType text/html .php

<FilesMatch \.php$>
        SetHandler php5-script
</FilesMatch>

Use FilesMatch rather than AddHandler: AddHandler matches the extension anywhere in the name, so an uploaded shell.php.jpg would be executed, while \.php$ only matches files that end in .php.

SSL Cert (quick way; -sha256 instead of -sha1, since SHA-1 signed certificates are rejected by current browsers):

openssl genrsa 2048 > host.key
openssl req -new -x509 -nodes -sha256 -days 3650 -key host.key > host.cert
...[Common Name: the hostname clients connect to; a bare * is not a valid wildcard, use *.example.com if one is needed]...
openssl x509 -noout -fingerprint -text < host.cert
cat host.cert host.key > host.pem
chmod 400 host.key host.pem

The Hard Way (passphrase-protected key first, then the passphrase stripped so Apache can start unattended; 2048 bits, as 1024-bit keys are no longer accepted):

openssl genrsa -des3 -out server.key 2048

openssl req -new -key server.key -out server.csr

cp server.key server.key.orig    # backup file name chosen here; the page left it blank
openssl rsa -in server.key.orig -out server.key

openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out server.crt
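Added example covering both the quick way and the hard way above, not from the original page: a non-interactive script that generates the key with a safe umask, issues a SHA-256 self-signed certificate with a subjectAltName (browsers ignore the CN on its own) via a generated openssl.cnf so it works on OpenSSL 1.0.2 as well as newer releases, and verifies that the key really belongs to the certificate before anything is deployed. File names host.key/host.cert/host.pem follow the page; the hostname and day count are parameters.

```shell
#!/bin/sh
# Self-signed certificate with SAN plus key/cert consistency check
# (example code, not part of the original page).
set -eu

# make_selfsigned DIR HOSTNAME [DAYS]
#   Writes DIR/host.key, DIR/host.cert, DIR/host.pem and DIR/openssl.cnf.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"
    # Minimal config: no prompts, CN and SAN both set to the hostname,
    # server-only key usage so the cert cannot be used as a CA.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = $host
[v3_self]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 so the private key is never world-readable, even briefly
    (umask 077; openssl genrsa -out "$dir/host.key" 2048 2>/dev/null)
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -key "$dir/host.key" -config "$dir/openssl.cnf" -out "$dir/host.cert"
    (umask 077; cat "$dir/host.cert" "$dir/host.key" > "$dir/host.pem")
    chmod 400 "$dir/host.key" "$dir/host.pem"
}

# key_matches_cert DIR
#   Returns 0 when the public key in host.key equals the one in host.cert.
key_matches_cert() {
    dir=$1
    k=$(openssl pkey -in "$dir/host.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$dir/host.cert" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_fingerprint DIR
#   Prints the SHA-256 fingerprint to pin or publish.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1/host.cert" | cut -d= -f2
}

# Stand-alone use: ./mkcert.sh DIR HOSTNAME [DAYS]
if [ $# -ge 2 ]; then
    make_selfsigned "$@"
    key_matches_cert "$1" && echo "key and cert match"
    echo "fingerprint: $(cert_fingerprint "$1")"
fi
```

The consistency check is what catches the classic mistake of the hard way: stripping the passphrase into a new file and then signing with the old one, leaving Apache with a key that does not match its certificate.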


Force SSL (WordPress, in wp-config.php):

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN alone now covers both the login page and the admin area.

Allow local updates:

security.txt · Last modified: 2016/08/07 21:00 by vinny