BuycPanel Blog


Latest news and updates

1/30/2015 – Is Your cPanel Infected with the Ebury Trojan?

Posted by Jamison on 30 01 2015.

Unprotected cPanel installations and websites are easy prey for attackers. If you don’t take the necessary steps to stop them, or at least protect your cPanel by installing malware scanners, your business could be compromised. One of the viruses that commonly attacks cPanel is the Ebury Trojan, an extremely serious menace that is highly effective at stealing all of your files.


So how will you know if your website has been infected by the bug? There are three ways to detect the virus.


But before we move on, let’s get to know what this virus is and learn about the damages it can do to your website.


What is Ebury Trojan?


Ebury Trojan is an SSH rootkit, or SSH backdoor, that attacks Unix-like and Linux operating systems. Attackers attach it to SSH-related binaries or to any program or account used by SSH. As its name suggests, the virus buries, or hides, itself in data shared by OpenSSH.


Why is it Dangerous?


Once installed, the Trojan steals login credentials, both for logins into the infected server and for logins from it out to remote servers. The collected information is then stored and hidden inside Domain Name System (DNS)-like requests so that you won’t recognize the activity.


Aside from stealing your machine’s data, it can also loot SSH private keys, manipulate your login files and, worst of all, take full control of your entire computer while remaining undetected throughout. Although it cannot replicate itself, it operates at root level, so failing to recognize it on your machine can let the infection spread in no time, and the damage can be limitless.


How Do You Recognize if Your cPanel is Infected?


  1. You should receive a notification asking you to make some changes to your website, or, to be exact, a blank output. Alternatively, your hosting provider may inform you that your system has been infected. In either case, look for a libkeyutils file or something similar under /lib64/


  2. If you see any output that reads like the three items written below, then the file under /lib64/ is infected. Any such file larger than 25 kB should be treated as a malicious component of the Trojan.


  3. If you see any output containing the names or words written below in any of your files that are linked to networking, then your system has been attacked by the Ebury Trojan.


  • gethostbyname
  • socket
  • inet_ntoa
  • connect


If your output reads simply [user@host ~]$, your system has not been infected by the virus in any way.
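The libkeyutils size and name checks described above can be scripted. The POSIX shell script below is an added example, not code from the original post or from any hosting provider; it assumes that "25 kB" means 25000 bytes, looks only at files named libkeyutils* in the directories you pass it, and builds two constructed sample files so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post). Indicators from the text above: a
# libkeyutils* file over 25 kB (assumed to mean 25000 bytes) or one whose printable
# strings include gethostbyname, socket, inet_ntoa or connect. Treat a hit as a
# prompt to verify the file against your distribution's package, not as proof.
SIZE_LIMIT=25000
EBURY_NAMES="gethostbyname socket inet_ntoa connect"

# Print the networking names found among the file's printable runs (no 'strings' needed).
names_in_file() {
    found=""
    for name in $EBURY_NAMES; do
        if tr -c '[:print:]' '\n' < "$1" | grep -q -F -- "$name"; then
            found="$found $name"
        fi
    done
    printf '%s\n' "${found# }"
}
# Report on one file; return 1 if either indicator fires, else 0.
check_file() {
    size=$(wc -c < "$1")
    names=$(names_in_file "$1")
    if [ "$size" -gt "$SIZE_LIMIT" ] || [ -n "$names" ]; then
        printf 'SUSPICIOUS %s: %s bytes, names: %s\n' "$1" "$size" "${names:-none}"
        return 1
    fi
    printf 'ok %s: %s bytes\n' "$1" "$size"
}
# Check every libkeyutils* file in the given directories; return 1 if any is flagged.
scan_dirs() {
    status=0
    for dir in "$@"; do
        for f in "$dir"/libkeyutils*; do
            [ -f "$f" ] && { check_file "$f" || status=1; }
        done
    done
    return "$status"
}
# Constructed samples (not real files): a small clean lookalike and an
# oversized one carrying the four names. Prints the directory created.
make_samples() {
    d=$(mktemp -d)
    printf 'keyctl_read\nadd_key\n' > "$d/libkeyutils-clean.so"
    { printf 'gethostbyname\nsocket\ninet_ntoa\nconnect\n'
      dd if=/dev/zero bs=1000 count=30 2>/dev/null | tr '\000' 'A'; } > "$d/libkeyutils-suspect.so"
    echo "$d"
}
# Demo on the samples; on a real host run: scan_dirs /lib /lib64 /usr/lib /usr/lib64
scan_dirs "$(make_samples)" || echo "flagged file found (expected for the samples)"
```

A non-zero exit from scan_dirs only means a file matched the heuristics; confirm with your distribution's package verification before acting on it.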


Having a website is like having a baby: it is a serious responsibility that needs extra care and attention to keep your child free from disease. Just as with a newborn, maintaining your cPanel is a challenging job, because a huge part of your website’s foundation lies in it. So talk to your hosting provider and ask for any help you can get to trace any Ebury Trojan in your server’s system, or at least to prevent this virus from attacking your baby.