Daniel Roberson - eburysshtrojan-gunderson2011

Daniel Roberson

eburysshtrojan-gunderson2011

2025-03-03

Ebury, a new SSH trojan

by Steinar H. Gunderson

November 15, 2011

https://plog.sesse.net/blog/tech/2011-11-15-21-44_ebury_a_new_ssh_trojan.html

Notes
SSH
trojan
Ebury
replaces /usr/sbin/sshd, /usr/bin/ssh, /usr/bin/ssh-add with trojanized binaries
.list files added to fool debsums
Linux malware
libwrap
libselinux
hosts.deny
credential harvester
ipcs command
DNS
DNS exfiltration
backdoors for logging in without passwords
SSH brute forcing
password lists
auth.log
shared memory
multiarchitecture malware

Links to this note

Notes

Recent Posts

Linux Persistence: Modular Software

2025-04-17 DFIR CTF persistence linux persistence apache asterisk

Linux Persistence: Web Shells

2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP

Linux Persistence: Rootkits

2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking

Linux Persistence: Processes

2025-04-11 DFIR persistence processes linux persistence processes

Defanging Linux LKM Rootkits With cleanup_module()

2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit