I have a server with cPanel installed on Centos 5.9.

Three days ago, my server provider told me I'm infected by "Ebury Trojan".

I read a lot of things saying that the openSSH server coming with cPanel may be infected and how to detect it. Some say that the package using "Yum" may be corrupted as well.

So how to remove the ebury trojan once and for all?

How can I install a clean openSSH version on cPanel / Centos 5.9?

How to be sure my server will not be corrupted by this trojan as it sends passwords to third parties (of course I've changed the passwords)?

Marm
  • 141

1 Answer

1

Original (circa 2011) ebury was pretty lame...You could clear it by doing: yum update sshd. Pretty trivial.

If you trust your repos (and rpm), you can do rpm -vVa and it'll show you every installed rpm where the md5 doesn't match the one stored on the server.

Problem is that the attacker can be assumed to have acquired root level access, and that means you could be screwed past the ability to diagnose it from the local machine. If you can't run a file integrity scanner off an unaffected machine, then you're never going to be sure unless you rebuild from scratch.

Satanicpuppy
  • 5,994
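An added example (not part of the answer above) showing how to read the rpm -Va output the answer refers to: it flags files whose size, digest or mode no longer match the package database, skips config files (which drift legitimately) and reports missing files. The verify lines below are constructed sample input, not output from a real host; on a real case, per the answer's caveat, run rpm from a rescue boot against the mounted disk (rpm -Va --root /mnt/suspect) rather than trusting the suspect host's own binaries.

```shell
#!/bin/sh
# Parse `rpm -Va`-style verify output and print the entries worth looking at.
# Column 1 is the 9-character flag string (S=size, M=mode, 5=digest, D=device,
# L=link, U=user, G=group, T=mtime, P=caps) or the word "missing"; an optional
# single-letter attribute (c=config, d=doc, ...) precedes the path.

# Constructed sample verify output (not from a real server).
SAMPLE_RPM_VA='S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/share/doc/openssh-4.3p2/README'

# Read verify output on stdin, print "<flags> <path>" for suspicious entries.
# Only mtime drift (T) is ignored; size, digest or mode changes on a binary
# or a missing file are reported. Config files are skipped entirely.
flag_modified() {
    awk '
        {
            path = $NF
            attr = (NF == 3) ? $2 : ""
            if (attr == "c") next                  # config drift is expected
            if ($1 == "missing") { print "missing " path; next }
            if ($1 ~ /[S5M]/) print $1 " " path    # size/digest/mode differ
        }'
}

# Number of suspicious entries in the constructed sample (printed on stdout).
count_suspicious() {
    printf '%s\n' "$SAMPLE_RPM_VA" | flag_modified | wc -l | tr -d ' '
}

# Live use, from a rescue environment with the suspect root mounted:
#   rpm -Va --root /mnt/suspect | flag_modified
printf '%s\n' "$SAMPLE_RPM_VA" | flag_modified
```

Trusting rpm's own database on the suspect disk is still the weak point the answer describes; this only narrows down which files to compare against a clean package from the distribution mirror.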