Slashdot Mirror

← Back to Stories (view on slashdot.org)

New In-Memory Rootkit Discovered By German Hoster

Posted by Soulskill on from the malware-arms-race dept.

New submitter einar2 writes "German hoster Hetzner informed customers that login data for their admin surface might have been compromised (Google translation of German original). At the end of last week, a backdoor in a monitoring server was found. Closer examination led to the discovery of a rootkit residing in memory. The rootkit does not touch files on storage but patches running processes in memory. Malicious code is directly injected into running processes. According to Hetzner the attack is surprisingly sophisticated."

5 of 91 comments (clear)

  1. Do they tell us? by theduk3 · · Score: 5, Informative

    I have a root server from Hetzner and got the disclosure mail, which was very detailed.
    Customer data was compromised, including the hashed/salted passwords and the last 3 digits of credit card numbers (which should not really be an issue).

    This is not the first major breach at Hetzner, in 2011 managed server account passwords were compromised as well.
    Back then they advised customers to reset the passwords for all accounts for the admin panel.

    The interesting question... is Hetzner sloppy about security, more so than it's competitors, or are they actually more vigilant and/or more forthcoming about breaches?
    I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud sevices/hosters out there.

  2. Re:Kinda cool that they found it by centipedes.in.my.vag · · Score: 5, Informative

    You can walk-though and dump a running process' memory to file to analyze it later. Just reference the pid+offset and read. This style of patching a process (CREATE_SUSPENDED flag / Edit / ResumeThread) rather than editing the file itself is really popular when trying to defeat a CRC check, so methods to analyze it shouldn't surprise anyone.

    --
    Only on /. can I lose karma with 2x "5, Funny" posts.
  3. Re:EvaPharmacy has been doing this for years... by Anonymous Coward · · Score: 3, Informative

    I believe they mean with chattr, not with permissions:


    $ sudo -s
    # touch file
    # chmod 000 file
    # ls -l file
    ---------- 1 root root 0 Jun 7 15:28 file
    # cat > file
    asdf
    # cat file
    asdf
    # chattr +i file
    # cat > file
    bash: file: Permission denied

  4. Re:yank out the sticks by centipedes.in.my.vag · · Score: 4, Informative

    No, you're misreading the article.

    "The rootkit does not touch files on storage but patches running processes in memory."

    The rootkit isn't in RAM only. The way that it attacks the daemon processes is done entirely in RAM.

    --
    Only on /. can I lose karma with 2x "5, Funny" posts.
  5. English version of the article by datalife · · Score: 5, Informative

    There is an english version of the article, so there is no need to Googletranslate the thing

    http://www.h-online.com/news/item/Hetzner-web-hosting-service-hacked-customer-data-copied-1884574.html

    --
    There are only 10 types of people in the world: Those who understand binary and those who don't.