[Dimme]

Nej, det har förekommit debian samt redhat installationer som också har blivit infekterade, med eller utan cpanel.

Cpanels support har dock också råkat infekteras. Och eftersom "trojanen" skickar ssh nycklar och lösenord till servrar som man loggar in på från en infekterad maskin, så är det en smart idé att kolla upp dessa servrar också.

Citat:

Ok.

We all have been so worried on the sshd aspect to this.
But we forgot to take a look at 'ssh'.. this little lonely binary used to initiate ssh connections with other servers.

Well...

You go and login to another server using an infected machine (which you may not know is infected).

Guess what happens, our well known friend here:

Quote:
5297 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.156.139.154")}, 16) = 0
shows up again, sending your other servers login details out.

So really all you need is 1 compromised server, to have multiple.. if you use your server to login to other servers.

They are in memory too.