[important]Exploit!

Given so many attack vectors have been ruled out already I wouldn't be surprised if this is a case of the admins' machines getting infected.
 
x3sphere said:
Given so many attack vectors have been ruled out already I wouldn't be surprised if this is a case of the admins' machines getting infected.
Click to expand...
I doubt that. Here's why.

One person had 10 servers online. 3 were hacked.
Another had 3 servers. 1 hacked.
One admin said his company has 262 CentOS servers and 20 were compromised.
All reports are from servers running CentOS and 1 person saying a Debian server was exploited.

If the admins computer was hacked why aren't all the servers he maintains compromised?
Why is this specific to CentOS?
Wouldn't the hacker have access to distros including Windows servers?

I am starting to think this is something that might never be solved because there hasn't been an real press about it yet. While WHT is a big community it is a small group that is discussing this. Until it gets main stream coverage from the big news outlets the real good forensic people will not be looking at it. I have no doubt that if this was a Windows exploit the fix and patch would already be main stream. It's sad to say, but, Linux while widely used as a server OS does not get the the big security boys looking at it until a site like Facebook, Twitter or Google are exploited. Then it's big news.
 
you'd think if this was a kernel 0-day or any type of 0-day for that matter then these hackers would be doing more then using it on small fish (it's even being manually re-added by the hacker/s, as some claim after wiping their OS). Even for spammers it seems like a waste of a perfectly good exploit (if it is). Another Debian guy here claiming to be hacked as well;
lrwxrwxrwx 1 root root 18 Nov 16 22:05 libkeyutils.so.1 -> libkeyutils.so.1.9
Click to expand...
 
For the time being I've disabled all mail servers and processes.

XenForo only needs the built in php send mail command to function anyways... ie... You can setup a server without any mail and php alone will send out email.

exim
mailman
imap
spamd


All gone. Can't play with what is not there :)

While this may not be perfect... There is no current cure, resolve, or solution to this problem (for anyone). It is the only means that seems to work, for now.
 
I know, I'm fed up of having to read through all the crap just to get the facts. I've installed AVG Free on both my VPS as that is now able to detect the infected file regardless of the name being used.
 
Did you put all those files you had upload to the new server on the LiveCD?

I do think this is a local compromise of boxes connecting to the server. The main reason I suspect this is none of the big security guys have talked about it yet. It is pretty much specific to WHT and a couple other sites. Someone mentioned that maybe an ad on WHT served up the malware. This is possible. I am an admin at a site iNet the owner of WHT used to own. The new owner uses the same ad network. Last month one of the ads was serving up malware. When we took apart and analyzed the payload binary we found it was a keylogger and rootkit and it was using an exploit in flash player to drop the payload.

Also speedtest.net was compromised a couple weeks ago so there is no telling how many people might have been hacked.
 
The blackhole exploit was updated to be particularly vicious at the end of last year, unfortunately it never got much coverage and many MANY people are vunerable.

Given the cost of renting it ($600 per day iirc) people using this exploit would be specifically targetting high value users such as server admins.

If it was something such as a kernel exploit, I doubt it would be so confined, outside of WHT this exploit has basically no traction in real terms of being achknowledged aside from the usual "hey look theres something".

Keylogger is my best guess also.
 

Similar threads

Alpha1
Affiliate Spammers can exploit/abuse the proxy function too easily
Replies
0
Views
51
Alpha1
Alpha1
TheLaw
  • Question Question
CWP Hack Alert (not an XF exploit) that rewrites your index.php
Replies
0
Views
83
TheLaw
TheLaw
MR X
  • Question Question
XF 2.2 xenforo developer may have added an exploit file
2 3 4
Replies
66
Views
2K
MR X
MR X
Grover
  • Question Question
XF 2.3 vBulletin board imported in XenForo: what areas are important to test?
2
Replies
20
Views
243
Grover
Grover
cyanidee
  • Locked
Not a bug Security issue?
Replies
7
Views
325
Jeremy P
Jeremy P
Back
Top Bottom