# How to determine if your system is infected by Linux/Ebury

## sirlark

I've just read through An In-Depth Analysis of Linux/Ebury, and checked my system for infection. The article lists four ways to determine infection, but they are not all applicable to Gentoo:

1. "$ ssh -G" prints a usage message
2. shared memory blocks are allocated by user root, process sshd, with permission 666 (or 777)
3. network traffic being generated on ssh logins into your system
4. specific SHA1 hashes for known infected /lib64/libkeyutils.so

In Gentoo, only points 2 and 3 apply. Many distros apparently generate a usage message in this case. On Gentoo, -G is in fact a valid option. The hashes aren't helpful to Gentoo users, because there are so many things that influence the compilation of a package (CFLAGS, USE etc.) that the hashes will always be different, even if the library file might be infected. The dead-sure ways to check are 2 and 3.

First, as root, run

```
$ ipcs -m --human
```

and look for any line owned by root, with permissions 666 or more open, that is larger than 3M. These blocks needn't belong to sshd, which can be checked as follows.

1. Note the shmid(s) of the suspicious block(s).
2. Run "$ ipcs -m -p" and find the matching shmid(s); note the pids of the processes.
3. For each pid from a suspicious block, run "$ ps aux | grep <PID>" to see which process it belongs to.

If there are suspicious blocks, you are infected. You should replace sys-apps/keyutils at a minimum, but ideally reinstall your entire system. But, before you do, note that any system you have ssh'd into could have been infected too. This includes systems using private keys, password-protected or not.

Finally, to make 100% sure, install net-analyzer/tcpdump, and run

```
$ tcpdump -i <your internet interface name>
```

In another terminal ssh into your own system and look for packets being sent at the same time as the ssh logins, specifically when the passwords are entered.

Hope this helps
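As an added example (this is not code from sirlark's post or from the ESET paper), here is a POSIX shell script that applies the shared-memory rule above to the text of `ipcs -m` and `ipcs -m -p` and then reports whether the creator/last-op pids still exist. It assumes the util-linux column order (`key shmid owner perms bytes nattch status` and `shmid owner cpid lpid`); `--human` is left off so the bytes column stays numeric. The two ipcs listings embedded at the bottom are constructed sample data, not a capture from an infected host; on a real machine run it as root and pass the live output instead, as the comment at the end shows.

```shell
#!/bin/sh
# Added example, not from the thread: automate the shared-memory check described
# above. The sample `ipcs` output below is constructed for illustration; on a real
# host feed it `ipcs -m` and `ipcs -m -p` instead (as root, so all segments show).

# Rule from the post: owner root, world-writable perms (666/777), larger than 3 MiB.
# util-linux `ipcs -m` columns: key shmid owner perms bytes nattch status
flag_suspicious_segments() {
    awk '
        $1 ~ /^0x/ {                  # data rows start with a hex key; skip headers
            shmid = $2; owner = $3; perms = $4; bytes = $5
            other = substr(perms, length(perms), 1) + 0   # last octal digit: "other"
            world_writable = (other % 4 >= 2)              # write bit (2) set
            if (owner == "root" && world_writable && bytes > 3 * 1024 * 1024)
                print shmid
        }'
}

# `ipcs -m -p` columns: shmid owner cpid lpid  -> print "cpid lpid" for one shmid
shm_pids() {
    awk -v id="$1" '$1 == id { print $3, $4 }'
}

# A segment can outlive its creator (Gusar saw a pid that matched no process),
# so report that case explicitly instead of grepping an empty ps listing.
describe_pid() {
    if [ -r "/proc/$1/comm" ]; then
        printf '%s\n' "$(cat "/proc/$1/comm")"
    else
        printf 'not running (segment outlived its creator)\n'
    fi
}

# Full audit: $1 is the text of `ipcs -m`, $2 the text of `ipcs -m -p`.
audit_segments() {
    ipcs_m=$1; ipcs_p=$2
    printf '%s\n' "$ipcs_m" | flag_suspicious_segments | while read -r id; do
        pids=$(printf '%s\n' "$ipcs_p" | shm_pids "$id")
        printf 'SUSPICIOUS shmid %s\n' "$id"
        for p in $pids; do
            printf '  pid %s: %s\n' "$p" "$(describe_pid "$p")"
        done
    done
}

# Constructed sample output (not real captured data); only shmid 98305 matches.
SAMPLE_IPCS_M='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      fred       600        4194304    2          dest
0x00000000 65537      root       600        8388608    1
0x00000000 98305      root       666        3342336    0
0x0052e2c1 131074     postgres   600        58400768   5'

SAMPLE_IPCS_P='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
32768      fred       1234       1234
65537      root       900        901
98305      root       4242       4243
131074     postgres   2000       2105'

# On a live host:  audit_segments "$(ipcs -m)" "$(ipcs -m -p)"
audit_segments "$SAMPLE_IPCS_M" "$SAMPLE_IPCS_P"
```

The 3M threshold is applied as 3 MiB (3145728 bytes) on the numeric bytes column. A creator pid that no longer exists is reported but is not proof on its own; the combination of root ownership, world-writable permissions and size is what the post treats as the giveaway, and the tcpdump check below confirms it.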

----------

## PaulBredbury

 *sirlark wrote:*   

> "$ ssh -G" prints a usage message

 

So does mine (openssh 6.5p1, not on Gentoo), and I don't even have a *keyut* library file installed - the article is scaremongering, I reckon.

----------

## Fitzcarraldo

*Marc-Etienne M.Léveillé wrote:*

> The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print
> 
> ssh: illegal option -- G
> 
> to stderr but an infected server will only print the typical “usage” message.

 

"an infected server."

A clean system will also print a usage message in any case:

```
$ ssh -G
unknown option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-Q protocol_feature]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
```

----------

## sirlark

@FitzCarraldo: Thanks. I don't get illegal option though. I get the following

```
$ ssh -G
option requires an argument -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-G engineconfigfile]
           [-L [bind_address:]port:host:hostport] [-Q protocol_feature]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
```

@PaulBredbury: Yup, probably fear mongering, but I found it very difficult to get any reliable info on this.

I think maybe a GLSA message or similar stating how to test for infection on Gentoo would go a long way to clearing up the confusion. The hashes can't be used because everything is compiled on systems with different USE flags. Clearly the usage message test (which was the only infection indicator on my system) isn't reliable on Gentoo (or other distros in some cases). It's also probably the weakest indicator, as it could be easily circumvented. The network sniffing and shared memory allocations are probably the most reliable, but installing snort and getting it to work is more effort than most will go to, I'm guessing.

Should I file a bug, or maybe contact the GLSA team directly?

----------

## Gusar

If you want to know whether you're infected, look at the shared memory segments, in particular check for a large segment (over 3MB) owned by root and with 666 permissions. Note the permissions, that's the giveaway. It's not necessary that the process which created the segment will point to sshd; on our CentOS6 machine that got infected, the listed PID didn't belong to any running process. We then used tcpdump to observe what's going on, and found out that every time someone connected via ssh, a specially crafted DNS packet was being sent that contained username, password and ssh port. Reinstalling libkeyutils and openssh didn't help. What did was ditching openssh in favor of dropbear.
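As an added example (not Gusar's code, and not the ESET paper's), the following script turns the tcpdump observation into a repeatable check: it reads `tcpdump -n -l` text and flags every outbound UDP/53 packet sent within a few seconds of an inbound SYN to the ssh port. It does not try to decode the crafted packet itself; it only correlates timing, so run tcpdump with `-n`, otherwise tcpdump's own reverse lookups show up as DNS traffic. One caveat it handles: sshd with `UseDNS yes` reverse-resolves the connecting client, so a PTR query for the client address right after the SYN is expected and is tagged as such rather than hidden. The capture lines at the bottom are constructed sample data, not a real capture; the ssh port (22) and the 5-second window are assumptions you can override with the two arguments.

```shell
#!/bin/sh
# Added example, not from the thread: correlate outbound DNS with ssh logins in
# `tcpdump -n -l` output. It does not decode the packet Gusar describes; it only
# shows which UDP/53 packets leave the host right after an inbound SSH SYN.
#
# usage: correlate_dns_with_ssh [ssh_port] [window_seconds]   (tcpdump text on stdin)
correlate_dns_with_ssh() {
    awk -v port="${1:-22}" -v window="${2:-5}" '
        # "HH:MM:SS.frac" -> seconds since midnight (a capture crossing midnight
        # would need the -tttt timestamp format instead)
        function secs(ts,   h) { split(ts, h, ":"); return h[1] * 3600 + h[2] * 60 + h[3] }

        # inbound SYN to the ssh port:  ts IP client.cport > host.PORT: Flags [S], ...
        $2 == "IP" && $5 ~ ("\\." port ":$") && $6 == "Flags" && $7 == "[S]," {
            n++; syn_t[n] = secs($1); syn_src[n] = $3
            next
        }

        # outbound DNS:  ts IP host.sport > resolver.53: ...
        $2 == "IP" && $5 ~ /\.53:$/ {
            t = secs($1)
            for (i = n; i >= 1; i--) {
                dt = t - syn_t[i]
                if (dt >= 0 && dt <= window) {
                    # sshd with UseDNS=yes reverse-resolves the client itself;
                    # that query is expected, anything else deserves a look
                    note = ($0 ~ /PTR\?/ && $0 ~ /in-addr\.arpa/) ? "  [reverse lookup of client; expected with UseDNS=yes]" : ""
                    printf "ALERT +%.1fs after SSH SYN from %s: %s%s\n", dt, syn_src[i], $0, note
                    break
                }
            }
        }'
}

# Constructed sample capture (not real traffic): one login at 12:00:01, a PTR
# lookup of the client, an unexplained A query 3.2 s later, and an unrelated
# lookup a minute and a half on. Only the first two should be reported.
SAMPLE_TCPDUMP='12:00:01.100000 IP 203.0.113.9.51234 > 10.0.0.5.22: Flags [S], seq 1000, win 64240, length 0
12:00:01.100500 IP 10.0.0.5.22 > 203.0.113.9.51234: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.200000 IP 10.0.0.5.40001 > 198.51.100.1.53: 5001+ PTR? 9.113.0.203.in-addr.arpa. (43)
12:00:01.210000 IP 198.51.100.1.53 > 10.0.0.5.40001: 5001 NXDomain 0/1/0 (96)
12:00:04.300000 IP 10.0.0.5.40002 > 198.51.100.1.53: 5002+ A? some-name.example.net. (39)
12:00:04.310000 IP 198.51.100.1.53 > 10.0.0.5.40002: 5002 1/0/0 A 192.0.2.10 (55)
12:01:30.000000 IP 10.0.0.5.40003 > 198.51.100.1.53: 5003+ A? distfiles.gentoo.org. (38)'

# Live use (hypothetical interface name), capturing only what the script needs:
#   tcpdump -n -l -i eth0 'tcp[tcpflags] & tcp-syn != 0 or udp port 53' | correlate_dns_with_ssh 22 5
printf '%s\n' "$SAMPLE_TCPDUMP" | correlate_dns_with_ssh 22 5
```

Two alerts come out of the sample: the PTR query, tagged as the expected reverse lookup, and the A query a few seconds into the session, which is the kind of packet to open up and inspect. The unrelated lookup ninety seconds later is outside the window and stays quiet, which is the point of correlating against the SYN rather than grepping for all DNS.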

----------

## sirlark

Thanks, I'm going to rename this thread to something more useful, and easy to search for so others can get the information. I'll cut 'n paste your comments into the top of the thread too.

----------

