[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.19.5″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]Die folgende Yara Signatur kann f\u00fcr die Erkennung der Ebury SSH Backdoor verwendet werden.<\/p>\n
rule Ebury_SSHD_Malware_Linux {\n\tmeta:\n\t\tdescription = \"Ebury Malware\"\n\t\tauthor = \"Florian Roth\"\n\t\thash = \"4a332ea231df95ba813a5914660979a2\"\n\tstrings:\n\t\t$s0 = \"keyctl_set_reqkey_keyring\" fullword\n\t\t$s1 = \"recursive_session_key_scan\" fullword\n\t\t$s2 = \"keyctl_session_to_parent\" fullword\n\t\t$s3 = \"keyctl_assume_authority\" fullword\n\t\t$s4 = \"keyctl_get_security_alloc\" fullword\n\t\t$s5 = \"keyctl_instantiate_iov\" fullword\n\t\t$s6 = \"keyutils_version_string\" fullword\n\t\t$s7 = \"keyctl_join_session_keyring\" fullword\n\t\t$a1 = \"%[^;];%d;%d;%x;\"\n\tcondition:\n\t\tall of them\n}\n<\/pre>\nWer kein Yara verwenden m\u00f6chte, kann auf diesen Workaround zur\u00fcckgreifen.<\/p>\n
find \/lib -type f -size -50k -exec strings -f {} \\; | grep '%\\[^;\\];%d;%d;%x;'\n<\/pre>\nWeitere Informationen zur Erkennung von Ebury CERT Bund<\/a>.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"Die folgende Yara Signatur kann f\u00fcr die Erkennung der Ebury SSH Backdoor verwendet werden. rule Ebury_SSHD_Malware_Linux { meta: description = “Ebury Malware” author = “Florian Roth” hash = “4a332ea231df95ba813a5914660979a2” strings: $s0 = “keyctl_set_reqkey_keyring” fullword $s1 = “recursive_session_key_scan” fullword $s2 = “keyctl_session_to_parent” fullword $s3 = “keyctl_assume_authority” fullword $s4 = “keyctl_get_security_alloc” fullword $s5 = “keyctl_instantiate_iov” fullword $s6 = “keyutils_version_string” fullword $s7 = “keyctl_join_session_keyring” fullword $a1 = “%[^;];%d;%d;%x;” condition: all of them } Wer kein Yara verwenden m\u00f6chte, kann auf diesen Workaround zur\u00fcckgreifen. find \/lib -type f -size -50k -exec strings -f {} \\; | grep ‘%\\[^;\\];%d;%d;%x;’ Weitere Informationen zur Erkennung von Ebury CERT Bund.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"Die folgende Yara Signatur kann f\u00fcr die Erkennung der Ebury SSH Backdoor verwendet werden.\r\n[cc lang=\"perl\"]\r\nrule Ebury_SSHD_Malware_Linux {\r\nmeta:\r\ndescription = \"Ebury Malware\"\r\nauthor = \"Florian Roth\"\r\nhash = \"4a332ea231df95ba813a5914660979a2\"\r\nstrings:\r\n$s0 = \"keyctl_set_reqkey_keyring\" fullword\r\n$s1 = \"recursive_session_key_scan\" fullword\r\n$s2 = \"keyctl_session_to_parent\" fullword\r\n$s3 = \"keyctl_assume_authority\" fullword\r\n$s4 = \"keyctl_get_security_alloc\" fullword\r\n$s5 = \"keyctl_instantiate_iov\" fullword\r\n$s6 = \"keyutils_version_string\" fullword\r\n$s7 = \"keyctl_join_session_keyring\" fullword\r\n$a1 = \"%[^;];%d;%d;%x;\"\r\ncondition:\r\nall of them\r\n}\r\n[\/cc]\r\nWer kein Yara verwenden m\u00f6chte, kann auf diesen Workaround zur\u00fcckgreifen.\r\n[cc lang=\"bash\"]\r\nfind \/lib -type f -size -50k -exec strings -f {} ; | grep '%[^;];%d;%d;%x;'\r\n[\/cc]\r\nWeitere Informationen zur Erkennung von Ebury CERT Bund<\/a>.","_et_gb_content_width":"","footnotes":""},"categories":[327,255,264,269,47],"tags":[431,133,432,433],"class_list":["post-7040","post","type-post","status-publish","format-standard","hentry","category-alert","category-command-line","category-tool","category-tutorial","category-yara","tag-backdoor","tag-detect","tag-ebury","tag-ssh"],"yoast_head":"\nHowto detect Ebury SSH Backdoor - Nextron Systems<\/title>\n<meta name=\"description\" content=\"Anleitung daf\u00fcr, wir der Ebury SSH Backdoor erkannt werden kann.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Howto detect Ebury SSH Backdoor\",\"datePublished\":\"2014-02-25T23:07:08+00:00\",\"dateModified\":\"2023-02-02T16:24:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/\"},\"wordCount\":167,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"backdoor\",\"detect\",\"ebury\",\"ssh\"],\"articleSection\":[\"Alert\",\"Command Line\",\"Tool\",\"Tutorial\",\"YARA\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/\",\"name\":\"Howto detect Ebury SSH Backdoor - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2014-02-25T23:07:08+00:00\",\"dateModified\":\"2023-02-02T16:24:49+00:00\",\"description\":\"Anleitung daf\u00fcr, wir der Ebury SSH Backdoor erkannt werden kann.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Howto detect Ebury SSH Backdoor - Nextron Systems","description":"Anleitung daf\u00fcr, wir der Ebury SSH Backdoor erkannt werden kann.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Howto detect Ebury SSH Backdoor","datePublished":"2014-02-25T23:07:08+00:00","dateModified":"2023-02-02T16:24:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/"},"wordCount":167,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["backdoor","detect","ebury","ssh"],"articleSection":["Alert","Command Line","Tool","Tutorial","YARA"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/","url":"https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/","name":"Howto detect Ebury SSH Backdoor - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2014-02-25T23:07:08+00:00","dateModified":"2023-02-02T16:24:49+00:00","description":"Anleitung daf\u00fcr, wir der Ebury SSH Backdoor erkannt werden kann.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2014\/02\/25\/howto-detect-ebury-ssh-backdoor\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7040","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=7040"}],"version-history":[{"count":4,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7040\/revisions"}],"predecessor-version":[{"id":15939,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7040\/revisions\/15939"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=7040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=7040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=7040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}