大神们，怎么清理Ebury Rootkit木马？Hostigation说我中标了！

asmon

Hostigation received third party information that your VPS may be compromised with the Ebury Trojan. The Ebury trojan steals SSH login credentials from incoming and outgoing SSH connections and forwards them to a dropzone server in specially crafted DNS packets. The trojan is normally found in a binary directory on Unix-based systems in one of the following locations:

/usr/bin/ssh
/usr/bin/sshd
/usr/bin/ssh-add

According to the data we received, your VPS was sending harvested SSH credentials to a dropzone server. They only guaranteed way to remove this trojan is to reinstall your VPS. If your VPS is OpenVZ, we can provide you with a small amount of backup space so you may retrieve critical files once your VPS is reinstalled. Due to the nature of this trojan, any infected KVM VPS will have to be reinstalled completely from scratch.

Ruclinux

rkhunter 这个行不行？

asmon

ipcs -m


查出3个不明东西！狗日！都超过3MB了！

asmon

用OpenVZ，都查一下吧：ipcs -m

cgs3238

ipcs -m 是查共享内存的   不是查进程的

asmon

cgs3238 发表于 2014-3-20 12:26
ipcs -m 是查共享内存的   不是查进程的

有没有处理办法？

yohu

听说超过3M和666权限的概率高一些。

yohu

网上看到的解决办法，最好重装系统，不重装系统的话就重装libkeyutils。

1. Re-install libkeyutils (using rpm --replacepkg option) and reboot the server.
   
2.    Change the password of all SSH user account.

复制代码

dzbz

bolatu