Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel.
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.
Impact
- An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system and gain root access instantly.
- This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.
It’s highly recommended to patch the kernel on all Debian, Ubuntu, CentOS and RHEL systems to close this local privilege escalation.
Are you running a vulnerable version?
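Distribution kernels backport security fixes without changing the upstream version number, so the version string alone does not tell you whether CVE-2016-5195 is fixed; the vendor's package changelog does. The following check is an added example, not part of the original post, and assumes only the standard rpm/dpkg changelog locations (the script name dirtycow_check.sh is a placeholder):

```shell
#!/bin/sh
# Added example, not from the original post: decide whether the installed
# kernel package records a fix for CVE-2016-5195.  Distribution kernels
# backport security fixes without changing the major version, so the
# kernel's version string alone does not tell you whether it is patched;
# the vendor's package changelog does.

CVE_ID="CVE-2016-5195"

# Print the changelog of the kernel package matching the running kernel,
# using whichever package manager is present.  Prints nothing when no
# changelog can be found (unknown distribution, kernel not from a package).
kernel_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        # RHEL/CentOS: the kernel package is named kernel-<uname -r>.
        rpm -q --changelog "kernel-$(uname -r)" 2>/dev/null
    elif command -v dpkg >/dev/null 2>&1; then
        # Debian/Ubuntu: the changelog ships with the linux-image package.
        cl="/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz"
        [ -r "$cl" ] && zcat "$cl" 2>/dev/null
    fi
}

# Classify changelog text (passed as one argument).  Prints one of:
#   fix-recorded     the changelog cites the CVE
#   no-fix-recorded  a changelog was found but does not cite the CVE
#   no-changelog     nothing to inspect; check the vendor advisory by hand
classify_changelog() {
    if [ -z "$1" ]; then
        echo "no-changelog"
    elif printf '%s\n' "$1" | grep -q -i "$CVE_ID"; then
        echo "fix-recorded"
    else
        echo "no-fix-recorded"
    fi
}

# Run the check against this host when invoked as: sh dirtycow_check.sh --check
if [ "${1:-}" = "--check" ]; then
    echo "kernel $(uname -r): $(classify_changelog "$(kernel_changelog)")"
fi
```

Because the lookup is keyed on the running kernel's `uname -r`, a host that has installed the fixed package but not yet rebooted still reports `no-fix-recorded`, which is the honest answer for the kernel actually in memory. `no-changelog` means the script could not decide, not that the host is safe.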
If you are not a customer subscribed under our Server Management plan and would like to have this vulnerability patched please purchase a 1x Hour of Support plan.
Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!
We have been receiving a number of attack reports from clients with WordPress installs, and on further investigation we found a global attack on WordPress.
Right now there is a very severe, global attack on all WordPress sites on the Internet, and almost all hosting providers are affected. It is a brute-force attack against WordPress logins that is well organized and very highly distributed; we have seen a high number of spoofed IP addresses involved in this attack. As the IPs are spoofed, blocking the IPs does not help much.
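Each login attempt is a POST to wp-login.php, so the web server's access log is the first place to measure the attack. The script below is an added example, not part of the original post; it runs awk over a constructed combined-format log (RFC 5737 documentation addresses) and counts attempts per client address and, because the traffic is spread over many addresses, per minute across all of them:

```shell
#!/bin/sh
# Added example, not from the original post: spot wp-login.php brute forcing
# in an Apache/nginx combined-format access log.  Counts POST requests to
# wp-login.php (each one is a login attempt; GETs are just page loads),
# first per client address and then per minute across all addresses.

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Apr/2013:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2013:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:12:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.0"
192.0.2.44 - - [10/Apr/2013:12:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.0"
EOF

# Usage: wp_login_attempts_by_ip LOGFILE THRESHOLD
# Prints "count ip" for every address with at least THRESHOLD POSTs to
# wp-login.php, highest count first.  Field 6 is the quoted method,
# field 7 the request path.
wp_login_attempts_by_ip() {
    awk -v t="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: wp_login_attempts_by_minute LOGFILE
# Prints "minute count" in time order.  With the attack spread over many
# addresses, per-address counts stay low while the aggregate climbs, so
# the total rate is the signal to alert on.  The minute key is the
# dd/Mon/yyyy:HH:MM prefix of the timestamp field.
wp_login_attempts_by_minute() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[substr($4, 2, 17)]++ }
        END { for (m in n) print m, n[m] }
    ' "$1" | sort
}

wp_login_attempts_by_ip "$SAMPLE_LOG" 2
wp_login_attempts_by_minute "$SAMPLE_LOG"
```

Run it against a real log by replacing `$SAMPLE_LOG` with the access log path. The per-minute view is what to feed into rate limiting on the login URL (or a plugin that limits login attempts), since per-IP blocking does little when each address only sends a handful of requests.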
If you need any assistance in blocking these attacks, please submit a 1x Hour of Support plan and we will help you right away!
Don’t hesitate to contact us if you have any questions or need further assistance.
There is a new SSHD rootkit going around since a few days ago; it looks like it is affecting mostly RHEL/CentOS servers.
Servers with cPanel, Plesk, Virtualmin and DirectAdmin are affected as well.
According to a security audit of one of the hacked servers, the rootkit drops files in /lib64 and /lib; the main file name is libkeyutils.so.1.9.
It changes the /lib64/libkeyutils.so.1 symlink to point to the mentioned library.
We believe this library is capable of stealing passwords, SSH keys and /etc/shadow files from the server. It is also used as a backdoor to gain access to the server through a different port, and the rootkit also modifies the server's authentication mechanisms so that no login or command history is logged for sessions through this backdoor.
The intruder has full root access, which means there is an exploit accompanying this rootkit that is capable of root privilege escalation.
You can see if your server is infected by running the following script:
# wget -qq -O - http://www.serverbuddies.com/files/libkeyutilscheck.sh | sh
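For those who prefer to inspect the indicators themselves rather than pipe a downloaded script into sh, the following is an added example, not the original post's libkeyutilscheck.sh. It looks for the two indicators described above (a dropped libkeyutils.so.1.9 and the libkeyutils.so.1 soname symlink redirected to it) and then asks the package manager whether a file it finds belongs to any package:

```shell
#!/bin/sh
# Added example, not the original post's libkeyutilscheck.sh: look for the two
# indicators described above (a dropped libkeyutils.so.1.9 and the
# libkeyutils.so.1 loader symlink redirected to it) in a library directory,
# then ask the package manager whether the files found belong to a package.

# Usage: check_libkeyutils_dir DIR
# Prints one "suspect: ..." line per matched indicator, or "clean".
# Returns 1 when anything matched, 0 otherwise.
check_libkeyutils_dir() {
    dir="$1"
    found=0
    # Indicator 1: the dropped library itself.
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "suspect: $dir/libkeyutils.so.1.9 exists"
        found=1
    fi
    # Indicator 2: the soname symlink that sshd loads now points at the
    # dropped file instead of the distribution's libkeyutils.so.1.x.
    if [ -L "$dir/libkeyutils.so.1" ]; then
        target=$(readlink "$dir/libkeyutils.so.1")
        case "$target" in
            *libkeyutils.so.1.9)
                echo "suspect: $dir/libkeyutils.so.1 -> $target"
                found=1 ;;
        esac
    fi
    [ "$found" -eq 0 ] && echo "clean"
    return "$found"
}

# Usage: verify_owner FILE
# A library in /lib or /lib64 should be owned by a package and match the
# checksum the package recorded; a file no package claims deserves a
# closer look.  rpm -Vf prints nothing when the owning package verifies.
verify_owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" && rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1"
    fi
}

# Check the directories named in the post when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    for d in /lib /lib64; do
        [ -d "$d" ] || continue
        check_libkeyutils_dir "$d" || verify_owner "$d/libkeyutils.so.1.9"
    done
fi
```

A "clean" result only means these two indicators are absent; a compromised host with root access can hide much more, so treat a "suspect" line as a reason to preserve the disk image and rebuild rather than to delete the file and move on.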
We highly encourage our customers to submit a 1x Hour of Support request if the script shows your server as compromised.
Don’t hesitate to contact our Support Team for any inquiry you may have!
Preparing Ubuntu System before Webmin Install.
You can install Webmin as a web interface for your server to configure Apache2, MySQL, FTP servers and much more.
Preparing your system
First you need to install the following packages:
sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
Now download the latest webmin using the following command or from
http://www.webmin.com/download.html
Cloudmin Installer Script
Supported Linux distributions are CentOS 5, Red Hat Enterprise Linux 5, Debian 4.0 and Ubuntu 8.04.
The CentOS or Redhat installer can be downloaded from:
http://cloudmin.virtualmin.com/gpl/scripts/cloudmin-gpl-redhat-install.sh
Once you have it on the Linux system you want to run Cloudmin on, execute it with the commands:
chmod +x cloudmin-gpl-redhat-install.sh
./cloudmin-gpl-redhat-install.sh
The install script should download and set up a Xen-capable kernel.