Ebury is an SSH rootkit/backdoor trojan for Linux-based operating systems. An attacker installs it on hosts that are already compromised at root level, either by replacing SSH-related binaries (ssh, sshd, ssh-add, etc.) or by replacing a shared library used by SSH (libkeyutils).
On infected hosts, Ebury steals SSH login credentials (username and password) from both incoming and outgoing SSH connections. The harvested credentials are sent to dropzone servers controlled by the attackers in specially crafted DNS-like packets. SSH private keys stored on the compromised system for outgoing SSH connections are stolen as well.
Ebury also provides a backdoor that the attackers can use to obtain a remote root shell on infected hosts, even if user account passwords are changed regularly.
Symptoms and verifying the infection:
Since Ebury version 1.5, an additional shared library file 'libns2.so' is installed and the existing libkeyutils file is patched to link against this library instead of libc6. The malicious 'libns2.so' file can be located with the following command, which should return nothing on a clean system.
# find /lib* -type f -name libns2.so
Ebury now uses Unix domain sockets instead of shared memory segments for interprocess communication. The malicious socket can be located with 'netstat' as follows. Again, this command should return nothing on a clean system.
# netstat -nap | grep "@/proc/udevd"
unix 2 [ ACC ] STREAM LISTENING 5597 2529/atd @/proc/udevd
Another way to identify an infected server is to capture the network traffic Ebury generates to exfiltrate the stolen passwords:
- Connect to the server via ssh and start a tcpdump
- then connect to the server with another ssh session to generate and capture the Ebury crafted DNS-like packet.
Do not connect from the infected server to another machine, or the ssh credentials will be stolen.
# tcpdump -p -Annvvs 1500 -i any udp and dst port 53
Legitimate DNS query packets from a client to a DNS server usually look like this (tcpdump output format):
10:42:21.377649 IP [Client].20353 > [DNS server].53:
36027+ A? www.google.com. (32)
Packets sent by Ebury-infected systems to exfiltrate credentials look like a DNS query for a hexadecimal string followed by an IP address:
21:31:24.500301 IP [Ebury infected system].42237 > [Ebury IP address].53:
4619+ A? 5742e5e76c1ab8c01b1defa5.[ssh session source IP address]. (56)
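The distinguishing feature in the capture above is the query name itself: a long hexadecimal label followed by the dotted IPv4 address of the SSH session source. The following script is an added example (not part of the original advisory) that applies that rule to tcpdump output so a capture can be triaged without reading it by eye. Assumptions not taken from the page: the hex label is treated as "at least 16 hex characters" (the single sample shown has 24), the sample capture uses RFC 5737 documentation addresses that are constructed here, and tcpdump -vv is assumed to print the query on the line after the IP header, as in the output quoted above.

```python
import re
from typing import Dict, Iterable, List, Optional

# tcpdump's one-line DNS summary, e.g. "4619+ A? 5742e5e76c1ab8c01b1defa5.203.0.113.7. (56)".
# In the -vv output quoted above the query is printed on the line after the
# IP header, so each line is examined on its own.
QUERY_RE = re.compile(r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+?)\.?\s+\(\d+\)")

# Assumed shape of the Ebury query name, generalised from the single sample on
# the page: a first label of at least 16 hex characters followed by the dotted
# IPv4 address of the SSH session source. The 16-character minimum is an
# assumption; the sample has 24 hex characters.
EBURY_QNAME_RE = re.compile(
    r"^(?P<blob>[0-9a-f]{16,})\.(?P<src>(?:\d{1,3}\.){3}\d{1,3})$", re.IGNORECASE
)


def extract_query(line: str) -> Optional[Dict[str, str]]:
    """Return the query type and name from a tcpdump DNS summary line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"qtype": m.group("qtype"), "qname": m.group("qname").rstrip(".")}


def classify_ebury_qname(qname: str) -> Optional[Dict[str, str]]:
    """Return the hex blob and SSH source address if qname has the Ebury shape."""
    m = EBURY_QNAME_RE.match(qname.rstrip("."))
    if not m:
        return None
    # Reject labels that only look like an IPv4 address (octet above 255).
    if any(int(octet) > 255 for octet in m.group("src").split(".")):
        return None
    return {"blob": m.group("blob").lower(), "ssh_source": m.group("src")}


def scan_tcpdump(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Walk tcpdump output and report every query matching the Ebury pattern."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        q = extract_query(line)
        if q is None:
            continue
        info = classify_ebury_qname(q["qname"])
        if info is not None:
            hits.append({"line": lineno, "qtype": q["qtype"], "qname": q["qname"], **info})
    return hits


# Constructed sample in the page's tcpdump format. RFC 5737 documentation
# addresses stand in for real hosts; the hex string is the one quoted above.
SAMPLE_CAPTURE = """\
10:42:21.377649 IP 192.0.2.10.20353 > 192.0.2.53.53:
36027+ A? www.google.com. (32)
10:42:22.004112 IP 192.0.2.10.20354 > 192.0.2.53.53:
36028+ AAAA? mail.example.net. (34)
21:31:24.500301 IP 192.0.2.10.42237 > 198.51.100.7.53:
4619+ A? 5742e5e76c1ab8c01b1defa5.203.0.113.7. (56)
""".splitlines()


if __name__ == "__main__":
    for hit in scan_tcpdump(SAMPLE_CAPTURE):
        print(f"line {hit['line']}: possible Ebury exfiltration, "
              f"SSH source {hit['ssh_source']}, blob {hit['blob']}")
```

In practice, pipe the output of the tcpdump command from the text into the script (or read a saved capture) and treat any hit as a reason to pull the host for reinstallation; a query for an ordinary hostname never matches because the first label has to be a long run of hex digits.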
Previous verification techniques (identifying Ebury's shared memory segment, or the buggy return code of 'ssh -G') no longer work, since the malware has been updated by its authors.
If the system is compromised, you MUST reinstall the entire operating system on the compromised machine.
All login credentials used with SSH connections to or from an infected machine, as well as private SSH keys used for outgoing connections, must be considered compromised and must be changed as well.
You can request the server re-installation using this procedure:
Please refer to the following document from Carnegie Mellon University's CERT, specifically section E, "Recover from the Intrusion", for the steps to take regarding reinstallation, backups and passwords:
For more details, please read the following articles:
- http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (Outdated - the Ebury malware code has been updated).
- https://documentation.cpanel.net/pages/viewpage.action?pageId=1376644 Why can't I "clean" a hacked machine?