Ebury-root-kit ?

SUSE Product Topics SLED Configure-Administer
1

Hi All,
I’m using SLED 11 SP3 64 bit with Gnome only from my Laptop.

After system start & when GUI login screen appears, without login to the GUI, I’ve open Virtual console (Alt+Ctrl+F1).

Login as root, execute “ipcs -m” and output are below ::

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 65536 gdm 600 393216 2 dest
0x00000000 98305 gdm 600 393216 2 dest
0x00000000 131074 gdm 600 393216 2 dest
0x00000000 163843 gdm 600 393216 2 dest

Exit from root, and login as normal user on same console (without GUI login)
execute “ipcs -m” and out are below ::

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status

Logout from normal user.

Now login as normal user on GUI, and again open Virtual console and login as root.
execute “ipcs -m” and output are below ::

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 196608 naren_bish 600 393216 2 dest
0x00000000 229377 naren_bish 600 393216 2 dest
0x00000000 262146 naren_bish 600 393216 2 dest
0x00000000 294915 naren_bish 600 393216 2 dest
0x00000000 327684 naren_bish 600 393216 2 dest
0x00000000 360453 naren_bish 600 393216 2 dest
0x00000000 393222 naren_bish 600 393216 2 dest
0x00000000 425991 naren_bish 600 393216 2 dest
0x00000000 458760 naren_bish 600 393216 2 dest
0x00000000 491529 naren_bish 600 393216 2 dest
0x00000000 524298 naren_bish 600 393216 2 dest
0x00000000 557067 naren_bish 600 393216 2 dest
0x00000000 589836 naren_bish 600 393216 2 dest
0x00000000 622605 naren_bish 600 393216 2 dest
0x00000000 655374 naren_bish 600 393216 2 dest
0x00000000 688143 naren_bish 600 393216 2 dest
0x00000000 720912 naren_bish 600 393216 2 dest
0x00000000 753681 naren_bish 600 393216 2 dest
0x00000000 786450 naren_bish 600 393216 2 dest
0x00000000 819219 naren_bish 600 393216 2 dest

Logout from root from virtual console, login as ‘naren_bishayee’ on virtual console
Execute “ipcs -m” and out are below ::

------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
0x00000000 196608 naren_bish 600 393216 2 dest
0x00000000 229377 naren_bish 600 393216 2 dest
0x00000000 262146 naren_bish 600 393216 2 dest
0x00000000 294915 naren_bish 600 393216 2 dest
0x00000000 327684 naren_bish 600 393216 2 dest
0x00000000 360453 naren_bish 600 393216 2 dest
0x00000000 393222 naren_bish 600 393216 2 dest
0x00000000 425991 naren_bish 600 393216 2 dest
0x00000000 458760 naren_bish 600 393216 2 dest
0x00000000 491529 naren_bish 600 393216 2 dest
0x00000000 524298 naren_bish 600 393216 2 dest
0x00000000 557067 naren_bish 600 393216 2 dest
0x00000000 589836 naren_bish 600 393216 2 dest
0x00000000 622605 naren_bish 600 393216 2 dest
0x00000000 655374 naren_bish 600 393216 2 dest
0x00000000 688143 naren_bish 600 393216 2 dest
0x00000000 720912 naren_bish 600 393216 2 dest
0x00000000 753681 naren_bish 600 393216 2 dest
0x00000000 786450 naren_bish 600 393216 2 dest
0x00000000 819219 naren_bish 600 393216 2 dest

So, now, can any one tell me is that my system at-all effected by the “Ebury root-kit”. If so, how can i fix this without re installation.

One another important question :: Everyday I’ve used my Laptop to login on Company’s VPS (Linux Distro) using ssh.
If my system is at-all infected by Ebury, then is there any chances to spread on the VPS, some times i login as root user on VPS.

Please help me, it’s too important to know for me.

Thanks.

2

The information you’ve posted is insufficient for anyone to tell you whether the machine is affected or not. There are more things need checking than just the SHMs and the SHMs are apparently not always present. https://www.cert-bund.de/ebury-faq ("Please note that the SHMs are only created on the first event of data exfiltration – so immediately after a reboot of the system, the malicious SHMs will probably not show up in the output of ipcs -m. ")

Why do you think your laptop might be affected?

You don’t. If your machine has been compromised you re-install it and you use different passwords/keys. You also try and figure out how it got compromised in the first place.

If your laptop is compromised there is a chance your credentials for your Company’s VPS are compromised.