Malware family: Ebury
Question

Malware family: Ebury

by Carlos Sidnei, created on 2025-06-30 20:08:41 in Security

I received an email from the abuse team informing me that two of my servers have malware from the Ebury family.

The email does not provide any further details. Is it possible that this is a false positive?

I created a script that uses several techniques to try to identify Ebury on the server, but nothing was found.

Shared host with AlmaLinux and DirectAdmin.

The script I used checks:

🧠 Memory (/proc/$pid/maps) of sshd processes — identifying maliciously loaded libraries;

🗃️ Strings and symbols in suspicious libraries (libssl, libcrypto, libkeyutils);

🔍 Validation of specific strings such as Xcat, credential harvest, malformed SSH-2.0-* in logs and binaries;

🔐 sshd integrity check via hash + RPM + .debug section;

📊 Scoring system to validate real infection, reducing false positives. 

log:

[2025-06-30 14:18:32] [INFO] Starting Ebury detection scan
[2025-06-30 14:18:32] [INFO] SSH daemon path: /usr/sbin/sshd
[2025-06-30 14:18:32] [INFO] SSH daemon size: 890640 bytes
[2025-06-30 14:18:32] [INFO] SSH daemon SHA256: 50274e0a25bfa3a28c839ce31a1661522d6bd78c1561190f00e3f140be714e06
[2025-06-30 14:18:32] [INFO] SSH version: OpenSSH_8.0p1
[2025-06-30 14:18:32] [INFO] === SSH BINARY DETAILED ANALYSIS ===
[2025-06-30 14:18:32] [INFO] File created: Fri Mar 14 22:13:17 -03 2025
[2025-06-30 14:18:32] [INFO] File modified: Wed Feb 19 17:59:40 -03 2025
[2025-06-30 14:18:32] [INFO] File accessed: Sun Jun 29 20:00:33 -03 2025
[2025-06-30 14:18:32] [INFO] Package: openssh-server-xxxxxx
[2025-06-30 14:18:32] [INFO] Package version: 8.0p1-25.el8_10.alma.1
[2025-06-30 14:18:32] [INFO] Package install date: Fri 14 Mar 2025 10:13:17 PM -03
[2025-06-30 14:18:32] [INFO] File type: /usr/sbin/sshd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=xxxxxxxxxxxxxxxxxxxxxx, stripped
[2025-06-30 14:18:32] [INFO] Suspicious sections: no suspicious sections
[2025-06-30 14:18:32] [INFO] Linked libraries: linux-vdso.so.1 /lib64/ld-linux-x86-64.so.2 
[2025-06-30 14:18:32] [INFO] SSH version string: OpenSSH_8.0p1
[2025-06-30 14:18:32] [INFO] SSH hash verification: OpenSSH_8.0p1 AlmaLinux 8 (CLEAN)
[2025-06-30 14:18:32] [INFO] Days since SSH binary modification: 130
[2025-06-30 14:18:32] [INFO] No Ebury strings found in SSH binary
[2025-06-30 14:18:35] [INFO] Active SSH processes found
[2025-06-30 14:18:35] [INFO] SSH Process: root     2070771  0.0  0.0  76732  7384 ?        Ss   Mar14   0:00 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,xxxxxxxxxxx
[2025-06-30 14:18:35] [INFO] SSH Process: root     2580784  0.0  0.0 126560  9052 ?        Ss   10:35   0:00 sshd: root [priv]
[2025-06-30 14:18:35] [INFO] SSH Process: root     2580798  0.0  0.0 126560  5352 ?        S    10:35   0:00 sshd: root@pts/0
[2025-06-30 14:18:35] [INFO] SSH Process: root     2648426  0.0  0.0 126560  9012 ?        Ss   11:06   0:00 sshd: root [priv]
[2025-06-30 14:18:35] [INFO] SSH Process: root     2648449  0.0  0.0 126684  5892 ?        S    11:06   0:00 sshd: root@notty
[2025-06-30 14:18:35] [INFO] SSH listening ports:
[2025-06-30 14:18:35] [INFO] SSH Port: LISTEN 0      128          0.0.0.0:19111      0.0.0.0:*    users:(("sshd",pid=2070771,fd=3))
[2025-06-30 14:18:35] [INFO] SSH Port: LISTEN 0      128             [::]:19111         [::]:*    users:(("sshd",pid=2070771,fd=4))
[2025-06-30 14:18:35] [INFO] SSH Port: LISTEN 0      2048               *:2222             *:*    users:(("directadmin",pid=1086918,fd=8))
[2025-06-30 14:18:35] [INFO] Port 2222 used by DirectAdmin (legitimate)
[2025-06-30 16:31:45] [ALERT] Malicious library in SSH process: PID 2070771
[2025-06-30 16:31:45] [ALERT] Malicious library in SSH process: PID 2580784
[2025-06-30 16:31:45] [ALERT] Malicious library in SSH process: PID 2580798
[2025-06-30 16:31:45] [ALERT] Malicious library in SSH process: PID 2648426
[2025-06-30 16:31:45] [ALERT] Malicious library in SSH process: PID 2648449
[2025-06-30 16:31:45] [INFO] Active SSH connections found
[2025-06-30 16:31:45] [INFO] No infected libraries detected
[2025-06-30 16:31:45] [INFO] SSH daemon last modified: Wed Feb 19 17:59:40 -03 2025
[2025-06-30 16:31:45] [INFO] Timeline analysis completed
[2025-06-30 16:31:45] [INFO] No orphaned SSH [accepted] processes found
[2025-06-30 16:31:45] [INFO] No suspicious large SHM segments found
[2025-06-30 16:31:45] [ALERT] Suspicious abstract sockets: 1
[2025-06-30 16:31:46] [ALERT] Abstract socket: exim      3204912             mail    3u  unix 0xffff9183b6245580      0t0 2305675310 @/var/spool/exim/exim_daemon_notify type=DGRAM
[2025-06-30 16:31:46] [INFO] SSH binary files integrity verified
[2025-06-30 16:31:46] [INFO] SSH config files modified (normal for administration)
[2025-06-30 16:31:46] [INFO] Config change (legitimate): S.5....T.  c /etc/ssh/sshd_config

Hello,

An abusive behaviour (Malware) originating from your dedicated server nsXXXXXX[.]ip-XXX-XXX-XXX[.]net has been reported to or noticed by our Abuse Team.

Technical details showing the aforementioned problem follow:

-- start of the technical details --

Category: Malware

---- about ----

XXX[.]XXX[.]XXX[.]XXX (on SSH port)

---- Description ----

Malware family: Ebury


-- end of the technical details --

You should investigate and fix this problem, as it constitutes a violation of our terms of service.

Please reply to this e-mail indicating which measures you've taken to stop the abusive behaviour.

Cordially,

The OVHcloud Trust & Safety team.


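As an added example (not the poster's script, nor code from ESET or OVH), the following Python sketch implements the sshd memory check from the list above: it reads /proc/<pid>/maps for every process named sshd and flags the mapped files a defender would want to review, using the RPM database as the reference for what belongs on the host. It assumes an RPM-based system such as the AlmaLinux 8 box in the thread and root privileges for reading other processes' maps; the directory list and the reason strings are this example's own choices.

```python
import os
import re
import subprocess

# Directories a packaged sshd never maps code from (tmp/tls paths as in the thread's YARA pass).
UNEXPECTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/lib/tls/",
                   "/lib64/tls/", "/usr/lib/tls/", "/usr/lib64/tls/")
# /proc/<pid>/maps columns: address perms offset dev inode [path]
MAPS_LINE = re.compile(r"^\S+\s+\S{4}\s+\S+\s+\S+\s+(\d+)\s*(.*)$")

def parse_maps(maps_text):
    """File-backed mappings in a maps dump; inode 0 or a [name] is anonymous memory."""
    paths = []
    for m in filter(None, map(MAPS_LINE.match, maps_text.splitlines())):
        inode, path = m.groups()
        if inode != "0" and path.startswith("/") and path not in paths:
            paths.append(path)
    return paths

def rpm_problem(path):
    """Package-level reason to distrust path, or None if the RPM database vouches for it."""
    if subprocess.run(["rpm", "-qf", path], capture_output=True).returncode != 0:
        return "not owned by any installed package"
    out = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True).stdout
    if any(l.split()[-1] == path for l in out.splitlines() if l.split()):
        return "owned by a package but fails rpm -V (content changed)"

def assess(paths, package_check=rpm_problem):
    """Map each suspicious mapped file to a reason; clean files are omitted."""
    findings = {}
    for p in paths:
        if p.endswith(" (deleted)"):
            findings[p] = "mapped file was deleted from disk"
        elif p.startswith(UNEXPECTED_DIRS):
            findings[p] = "code mapped from an unexpected directory"
        elif (reason := package_check(p)):
            findings[p] = reason
    return findings

def scan_sshd():
    """Findings over every process whose comm is sshd (reading its maps needs root)."""
    paths = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if open(f"/proc/{pid}/comm").read().strip() == "sshd":
                paths += parse_maps(open(f"/proc/{pid}/maps").read())
        except OSError:
            pass  # process exited, or we are not allowed to read it
    return assess(paths)
```

Call `scan_sshd()` as root; it returns a dict of path to reason and is empty when every mapped file is packaged, verifies, and lives where it should.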
4 Replies (latest reply on 2025-07-04 06:29:41 by Carlos Sidnei)

Interesting article about Ebury: https://www.bleepingcomputer.com/news/security/ebury-botnet-malware-infected-400-000-linux-servers-since-2009/

See this document from ESET, especially on page 43: https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf

Search for IOCs.

See also on page 44 whether your SSH banner contains suspect information, meaning that your server is infected with a trojanized sshd.


Thanks for the guidance.

I created a second script using the information in the PDF (pages 43 and 44) and combined it with this as well: https://github.com/eset/malware-ioc/blob/master/windigo/README.adoc
I ran it on a clean server and on a supposedly infected server (according to the OVH abuse team).

[2025-07-01 08:11:05] [INFO] Starting focused Ebury YARA scan
[2025-07-01 08:11:05] [INFO] Starting YARA installation process
[2025-07-01 08:11:05] [INFO] YARA already available: 4.2.3
[2025-07-01 08:11:05] [INFO] Downloaded YARA rule: ebury.yar
[2025-07-01 08:11:05] [INFO] Downloaded YARA rule: helimod.yar
[2025-07-01 08:11:05] [INFO] Created combined YARA rules file
[2025-07-01 08:11:05] [INFO] Using official ESET YARA rules
[2025-07-01 08:11:05] [INFO] Starting YARA scan with 202 rules
[2025-07-01 08:11:05] [INFO] Scanning: /usr/sbin/sshd
[2025-07-01 08:11:05] [INFO] No matches in /usr/sbin/sshd
[2025-07-01 08:11:05] [INFO] Scanning: /lib64/libkeyutils.so
[2025-07-01 08:11:05] [INFO] No matches in /lib64/libkeyutils.so
[2025-07-01 08:11:05] [INFO] Scanning: /lib64/libkeyutils.so.1
[2025-07-01 08:11:05] [INFO] No matches in /lib64/libkeyutils.so.1
[2025-07-01 08:11:05] [INFO] Scanning: /lib64/libkeyutils.so.1.6
[2025-07-01 08:11:05] [INFO] No matches in /lib64/libkeyutils.so.1.6
[2025-07-01 08:11:05] [INFO] Scanning: /usr/lib64/libkeyutils.so
[2025-07-01 08:11:05] [INFO] No matches in /usr/lib64/libkeyutils.so
[2025-07-01 08:11:05] [INFO] Scanning: /usr/lib64/libkeyutils.so.1
[2025-07-01 08:11:05] [INFO] No matches in /usr/lib64/libkeyutils.so.1
[2025-07-01 08:11:05] [INFO] Scanning: /usr/lib64/libkeyutils.so.1.6
[2025-07-01 08:11:05] [INFO] No matches in /usr/lib64/libkeyutils.so.1.6
[2025-07-01 08:11:05] [INFO] Target not found: /lib/tls/
[2025-07-01 08:11:05] [INFO] Target not found: /usr/lib/tls/
[2025-07-01 08:11:05] [INFO] Scanning: /lib64/tls/
[2025-07-01 08:11:05] [INFO] Directory /lib64/tls/ contains 0 files
[2025-07-01 08:11:05] [INFO] No matches in /lib64/tls/
[2025-07-01 08:11:05] [INFO] Scanning: /usr/lib64/tls/
[2025-07-01 08:11:05] [INFO] Directory /usr/lib64/tls/ contains 0 files
[2025-07-01 08:11:05] [INFO] No matches in /usr/lib64/tls/
[2025-07-01 08:11:05] [INFO] Scanning: /tmp/
[2025-07-01 08:11:05] [INFO] Directory /tmp/ contains 15942 files
[2025-07-01 08:11:05] [INFO] No matches in /tmp/
[2025-07-01 08:11:05] [INFO] Scanning: /var/tmp/
[2025-07-01 08:11:05] [INFO] Directory /var/tmp/ contains 33 files
[2025-07-01 08:11:06] [INFO] No matches in /var/tmp/
[2025-07-01 08:11:06] [INFO] Scanning: /dev/shm/
[2025-07-01 08:11:06] [INFO] Directory /dev/shm/ contains 414 files
[2025-07-01 08:11:06] [INFO] No matches in /dev/shm/
[2025-07-01 08:11:06] [INFO] YARA scan completed: 7 files + 5 directories in 1s
[2025-07-01 08:11:06] [INFO] YARA scan completed - no matches
[2025-07-01 08:11:09] [INFO] IOC check completed - no matches
[2025-07-01 08:11:09] [INFO] SSH daemon verified clean: xxxxxxxxxxxxxxxxxxxxxxxx
[2025-07-01 08:11:09] [INFO] Report generated: /root/Malware_Ebury/ebury_yara_report_20250701_081109.txt
[2025-07-01 08:11:09] [INFO] Ebury scan completed - system clean

I'm using AlmaLinux 8 and DirectAdmin (the "Target not found" folder errors are because I created a script capable of scanning both AlmaLinux and Ubuntu).

My server does not allow root access with a password (only with an access key).
I do not use port 22.

What is the chance that the notification received by OVH is a false positive?


Please submit a ticket explaining all this. I am interested to know OVH's answer...

I answered the email from OVH yesterday and again today, but I haven't received an answer yet.

I had this notification on two servers; I got a response from one of them today:

We have received a report from the Canadian authority indicating the potential presence of the Ebury botnet in your service.

As per your response, no further action is required on your part.

Accordingly, we consider this matter closed from our side.

Best regards,
Trust and Safety Team