Tools like ClamAV, rkhunter or chkrootkit are not able to detect it.
The only way to check whether your server was compromised (checking md5sums of the SSH-related .deb or .rpm files does not work either) is to check your system for shared memory segments (SHM). Ebury uses a very typical kind of SHM with 666 permissions and uncommon sizes of 3MB+. There are plenty of legitimate applications which also use SHMs, but they only rarely use full permissions and almost never have huge sizes like Ebury does.
To check for SHMs, run:
ipcs -m
An output looks like this (taken from one of my systems):
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x010400f9 2523136    root       600        1200712    5
But wait... on one of my other systems there is one with 666 permissions...
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x4c010644 589824     root       666        364560     1
0x01010030 1572865    root       600        1200712    5
lsof | egrep "<shmid>|COMMAND"
In my case:
lsof | egrep "589824|COMMAND"
COMMAND   PID   USER    FD   TYPE DEVICE SIZE/OFF NODE   NAME
proftpd   11545 nobody  DEL  REG  0,4             589824 /SYSV4c010644
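The manual check described in the post above (look at `ipcs -m`, pick out segments with 666 permissions and a size of 3MB or more, then map the shmid to a process) can be scripted so it runs over every segment at once. The following is an added example, not code from the original post or from any Ebury write-up; the 3MB threshold, the `find_suspicious_shm` and `live_check` names and the sample `ipcs -m` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag SysV shared memory segments that match the two
# indicators from the post (perms 666 AND size >= threshold) by parsing
# `ipcs -m` text read from stdin. Threshold default 3145728 bytes (3 MB)
# is an assumption; pass another value as the first argument.
find_suspicious_shm() {
    threshold="${1:-3145728}"
    awk -v thr="$threshold" '
        # Data rows start with the hex key (0x...); the banner and the
        # "key shmid owner ..." header line are skipped by this pattern.
        /^0x/ {
            key = $1; shmid = $2; owner = $3; perms = $4; bytes = $5
            if (perms == "666" && bytes + 0 >= thr) {
                print shmid, key, owner, perms, bytes
            }
        }'
}

# Constructed sample `ipcs -m` output (not from a real host): a normal
# 600 segment, a small 666 segment like the proftpd one in the post, and
# a large 666 segment of the kind the post attributes to Ebury.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x01010030 1572865    root       600        1200712    5
0x4c010644 589824     root       666        364560     1
0x00000000 2686978    root       666        3477504    0'

# On a live system: feed real `ipcs -m` output through the same filter.
# To see which process holds a flagged shmid, use the lsof line from the
# post (lsof | egrep "<shmid>|COMMAND"); on Linux `ipcs -m -p` also
# prints the creator and last-attach pids per segment.
live_check() {
    ipcs -m | find_suspicious_shm "$@"
}

# Usage on the constructed sample; prints only the large 666 segment.
printf '%s\n' "$SAMPLE_IPCS" | find_suspicious_shm
```

Lowering the threshold (for example `find_suspicious_shm 100000`) also catches the small proftpd-style segment, which is the false positive the post ran into; the size criterion is what separates the two.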