I was alerted that I had a virus in my Ubuntu 16.04 which I installed a few weeks ago. I verified the system with chkrootkit to see if it found anything and it did indeed find "LINUX/EBURY".
I searched Google for information about how I can eliminate this virus but found nothing. Does anyone know how I can remove it from my system?
The LINUX/EBURY rootkit is easy to spot.
What it does is create a symlink for libkeyutils.so and add the malware to their version of libkeyutils.so.
I found mine in /lib/x86_64-linux-gnu/ and it looks like this:
lrwxrwxrwx 1 root root 18 mrt 5 2015 /lib/x86_64-linux-gnu/libkeyutils.so.1 -> libkeyutils.so.1.5
-rw-r--r-- 1 root root 14256 okt 16 2014 /lib/x86_64-linux-gnu/libkeyutils.so.1.5
This looks good but if you have more than 2 lines there that you are in trouble. The problematic file would be something like libkeyutils.so.1.5.0 and have a size of roughly 32k.
The following files are affected by this rootkit:
audit_log_user_message
audit_log_acct_message
hosts_access
connect
__syslog_chk
write
syslog
popen
hosts_access
crypt
pam_start
And to finish it up. These are the SHA-1 hashes of the infection:
09c8af3be4327c83d4a7124a678bbc81e12a1de4 – Linux/Ebury – Version 1.3.2
2e571993e30742ee04500fbe4a40ee1b14fa64d7 – Linux/Ebury – Version 1.3.4
39ec9e03edb25f1c316822605fe4df7a7b1ad94a – Linux/Ebury – Version 1.3.2
3c5ec2ab2c34ab57cba69bb2dee70c980f26b1bf – Linux/Ebury – Version 1.3.2
471ee431030332dd636b8af24a428556ee72df37 – Linux/Ebury – Version 1.2.1
5d3ec6c11c6b5e241df1cc19aa16d50652d6fac0 – Linux/Ebury – Version 1.3.3
74aa801c89d07fa5a9692f8b41cb8dd07e77e407 – Linux/Ebury – Version 1.3.2
7adb38bf14e6bf0d5b24fa3f3c9abed78c061ad1 – Linux/Ebury – Version 1.3.2
9bb6a2157c6a3df16c8d2ad107f957153cba4236 – Linux/Ebury – Version 1.3.2
9e2af0910676ec2d92a1cad1ab89029bc036f599 – Linux/Ebury – Version 1.3.3
adfcd3e591330b8d84ab2ab1f7814d36e7b7e89f – Linux/Ebury – Version 1.3.2
bf1466936e3bd882b47210c12bf06cb63f7624c0 – Linux/Ebury – Version 1.3.2
d552cbadee27423772a37c59cb830703b757f35e – Linux/Ebury – Version 1.3.3
e14da493d70ea4dd43e772117a61f9dbcff2c41c – Linux/Ebury – Version 1.3.2
f1ada064941f77929c49c8d773cbad9c15eba322 – Linux/Ebury – Version 1.3.2
Based on this link from welivesecurity.com.
-IF- you are infected it is best to format and re-install and restore a backup that does -not- hold the infection. Also since ssh is involved delete your ssh credentials and make some new keys.
You can check if ssh is infected with
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
It's probably a false positive. Chkrootkit uses an outdated check for this malware, which has since evolved. It's probably nothing, but check with rkhunter instead, if you wish. If you are still concerned, then re-install your system from back-ups as it will likely have achieved root level permissions.
https://www.google.co.uk/search?q=linux+ebury&ie=UTF-8&oe=UTF-8&hl=en-gb&client=safari
I believe this system is more than anything else we been through.
Probably it is running a system on your discs, and drives, where bios has been replaced, making you nearly unable to install 100% to believe legit systems.
The actual thing to see if you are affected is to format a drive not unable for system to detect as internal. Making 16TB drives.
mkfs.ext4 /dev/sdh 17000000000
Only possible with e2fsprogs available from Ubuntu 16.04.
Then mount drive and validate two different commands. Of which one should make system freeze if above 250gb '1TB on zeroing' if your main disk is 250gb.
Sudo mkdir /mnt/data
Mount /dev/sdh /mnt/data
Sudo dd if=/dev/zero of=/mnt/data bs=128M status=progress
Sudo dd if=/dev/urandom of=/mnt/data bs=128M status=progress
Somehow Ebury uses compression on your computer. It also generates randomised error encounter specific on nearly all computer tasks without system shutdown. Utilizing slowdown or extended battery depletion or slowed down system.
