BuycPanel Blog

Latest news and updates

7/19/2013 – Security and Malware Invasion

Posted by Jamison on 19 07 2013.

The Internet has moved well beyond merely offering convenience. In the case of cPanel and WHM, it gives people a way to manage their servers and websites remotely and easily. Nevertheless, the threat of a malware invasion worries countless cPanel users.

cPanel security experts have admitted that even cPanel has been compromised. They identified two cPanel components that were ‘trojaned’, meaning that Trojan malware had modified them. Because this has happened, every cPanel user should check whether their own cPanel installation was compromised.

Why inspect the system’s status?

Inspecting cPanel’s status takes several steps, and many people do not want to carry out such procedures unless they are necessary. In this case they are: the Ebury Trojan, the malware that affects these cPanel components, subverts authentication by collecting codes and passwords. The collected details are sent to other individuals or third-party groups, which compromises the security of the whole system.

Affected cPanel elements

According to the experts’ findings, the trojaned cPanel elements are the OpenSSH RPMs (the OpenSSH binaries) and libkeyutils. They offer several ways to inspect a system for affected elements. Follow the procedures below to see what they reveal on your system.

OpenSSH RPMs

OpenSSH RPMs can show signs that they have been tampered with by malware. Experts noted that on RedHat and CentOS systems, ssh, sshd, ssh-askpass, and ssh-keygen can show evidence of a malware invasion such as the following:

  • Presence of extra release numbers. A three-digit release number should not appear when you query the RPMs. On a clean system, checking your RPMs should give output like this:
      openssh-server-5.3p1-81.el6_3.x86_64
      openssh-clients-5.3p1-81.el6_3.x86_64
      openssh-5.3p1-81.el6_3.x86_64

    Compromised RPMs, however, show these packages with three extra digits added to the release number. The Trojan uses these numbers so that future upgrades will not overwrite it. In the following examples, ‘xyz’ stands for the system’s release number:
      openssh-askpass-4.3p2-xyz.el5_67.3
      openssh-server-5.3p1-xyz.el6_10.41.x86_64
  • RPM change logs that lack the installed release details.
  • Unsigned RPMs.

An important caveat: on a typical cPanel and WHM installation, some RPMs may lack complete change log details or show as unsigned. Apart from OpenSSH, an RPM without a signature is not by itself indicative of a malware invasion.

libkeyutils

cPanel’s experts provided six commands that help check for a malware invasion. They recommend running the remaining commands even if the ones you have already used returned positive results. Here are examples of the commands used to check for malware.

Command 1 – Verify the keyutils-libs package

Naturally, you should have authorized every change made to your system. Verifying the package should therefore report that nothing changed without your knowledge, which looks like this (an empty result, followed only by the prompt):

  • [user@host ~] $

However, some change has probably occurred if it shows this instead:

  • ....L...      /lib64/libkeyutils.so.1

Command 2 – Verify the file linked to the change

Since a change occurred in the system, you need to know which file it is connected to. Following the example above, run this command to see the file that the changed link points to:

  • [user@host ~] $ ls -l /lib64/libkeyutils.so.1

An uncompromised system shows the following at the end of the output:

  • /lib64/libkeyutils.so.1 -> libkeyutils.so.1.3*

If the last number has additional digits appended, or the output does not follow this pattern, then your server is probably compromised.

Command 3 – Check for strings connected to networking

When you examine the file that libkeyutils links to, look for the following keywords; they indicate networking capability and a probable malware invasion:

  • socket
  • connect
  • inet_ntoa
  • gethostbyname

If these terms appear in the output when you examine the linked file, it indicates potential unauthorized access.

Inspecting for a malware invasion lets you know whether unauthorized access has taken place on your server. Check your servers today and take the steps needed to protect your system or prevent a further malware invasion. You can also visit cPanel’s documentation on determining system status to learn about the other commands for libkeyutils.
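The checks above are easy to run by hand once, but on several servers it helps to have them scripted. The following is an added example, not code from the BuycPanel post or from cPanel: it turns the unsigned-RPM check from the OpenSSH section and the three libkeyutils commands into small shell functions. Each parser reads the relevant command’s output from standard input, so it can be tried on constructed text without touching a live system; the audit_live function pipes the real rpm, ls and strings output in. The expected symlink target libkeyutils.so.1.3 is the value the post gives for its example system, and the tool names and sample output lines below are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the BuycPanel post or from cPanel. Assumed
# tools: rpm, ls, sed, awk, grep, strings (binutils). Each parser reads the
# command output named in its comment from stdin; audit_live runs the real
# commands on a RHEL/CentOS box.

# Parse `rpm -V <pkg>` output. A line whose attribute field contains anything
# other than dots (or reads "missing") means the installed file no longer
# matches the package; the post's example is "....L...    /lib64/libkeyutils.so.1"
# (L = symlink target changed). Prints the changed paths; exit 0 if any.
rpm_verify_changed() {
    awk '$1 ~ /[^.]/ && $NF ~ /^\// { print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Parse `rpm -qi <pkg>` output; exit 0 when the Signature field is "(none)".
# Remember the post's caveat: outside OpenSSH, an unsigned RPM is not by
# itself a sign of compromise on a cPanel/WHM box.
rpm_unsigned() {
    grep -q '^Signature *: *(none)'
}

# Extract the symlink target from an `ls -l` line ("... -> target").
link_target() {
    sed -n 's/.* -> //p'
}

# $1: symlink target (a trailing '*' added by `ls -F` is tolerated).
# $2: expected stock target; defaults to libkeyutils.so.1.3, the post's value.
#     The right value depends on the distro's keyutils-libs version, so
#     confirm it with `rpm -ql keyutils-libs` before acting on a mismatch.
libkeyutils_link_ok() {
    target=${1%\*}
    [ "$target" = "${2:-libkeyutils.so.1.3}" ]
}

# Parse `strings <library>` output and print the networking symbols the post
# lists. A stock libkeyutils has no reason to reference any of them.
network_strings() {
    grep -i -w -E 'socket|connect|inet_ntoa|gethostbyname'
}

# Run every check against the local system and print WARNING lines.
audit_live() {
    for pkg in openssh openssh-server openssh-clients keyutils-libs; do
        rpm -q "$pkg" >/dev/null 2>&1 || continue
        echo "== $(rpm -q "$pkg")"
        rpm -qi "$pkg" | rpm_unsigned && echo "   WARNING: package is unsigned"
        [ -n "$(rpm -q --changelog "$pkg")" ] || echo "   WARNING: no changelog"
        rpm -V "$pkg" | rpm_verify_changed | sed 's/^/   CHANGED: /'
    done
    for lib in /lib64/libkeyutils.so.1 /lib/libkeyutils.so.1; do
        [ -L "$lib" ] || continue
        t=$(ls -l "$lib" | link_target)
        libkeyutils_link_ok "$t" || echo "WARNING: $lib -> $t (unexpected target)"
        strings "$lib" | network_strings | sed "s|^|WARNING: $lib references |"
    done
}

# Only touch the live system when explicitly asked: sh check_ebury.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

The parsers are deliberately separated from the commands that produce their input, so a positive result can be re-checked by pasting the raw rpm or ls output into the matching function, and the symlink check takes the expected target as an argument rather than hard-coding one, because the stock file name differs between keyutils-libs versions.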