Scenario
One of our clients received an abuse alert from the hosting provider regarding sustained, excessive CPU usage on a server within our infrastructure. The usage patterns were consistent with post-exploitation activity, specifically resource abuse for cryptomining and lateral network scanning. The provider indicated the server was compromised via an unpatched cPanel/WHM installation (CVE-2026-41940), a critical vulnerability that bypasses all authentication, including Two-Factor Authentication (2FA).
The server was running CentOS 6, a legacy operating system. Upon investigating the incident, we confirmed the presence of an Ebury rootkit. This was a recurring issue, as the client had faced this exact compromise on the same server previously.
Technical Analysis: Ebury Rootkit and Legacy System Exploitation
The Ebury rootkit is specialized malware designed to compromise the Secure Shell (SSH) service on Linux systems. It operates as an OpenSSH backdoor and credential stealer. When a legitimate user logs in, Ebury intercepts the authentication process, harvesting credentials and providing the attackers with persistent, hidden backdoor access to the server.
However, the critical failure point in this incident was the underlying environment. CentOS 6 has reached its official End of Life (EOL), meaning it no longer receives security updates, patch management, or bug fixes from the vendor. Running an EOL operating system creates a severely degraded security posture. The outdated CentOS 6 environment offers no modern kernel protections or updated security modules to prevent the attackers from dropping their payloads, establishing persistence, and executing malicious code once they are inside.
IOC (Indicators of Compromise)
To identify the extent of the breach, we analyzed system logs and directories for specific Indicators of Compromise (IOCs):
Malware Dropper Execution:
A review of the root user’s bash history revealed the execution of a malicious script. This script acted as a “dropper,” repeatedly downloading a primary payload named nuclear.x86 from an external, unauthorized IP address.
Shared Library Hijacking:
We identified a compromised system library located within the /lib64/tls/ directory. Shared Library Hijacking is an attack technique where malicious actors replace or intercept legitimate dynamic libraries used by the operating system. By doing this, they force standard administrative processes to load malicious code into memory, allowing the malware to execute silently alongside standard system operations without triggering basic alarms.
Command and Control (C2) Traffic:
The server was actively communicating with several external IP addresses known for malicious activity, facilitating remote control and payload delivery by the attackers.
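The following triage helper is an added example written for this post; it is not a script from the incident or from any Ebury detection tool. It checks two of the indicator classes described above: download-and-execute lines in a shell history file, and files sitting in /lib64/tls/, which is empty on a healthy CentOS 6 host. Both paths are taken as arguments so the same functions can be pointed at a live host or at a mounted disk image. The payload name nuclear.x86 comes from the incident; the grep patterns and the sample paths are assumptions of this example.

```shell
#!/bin/sh
# Added IOC triage helper, not part of the original write-up.
# Usage: ioc_triage.sh /root/.bash_history /lib64/tls
# Assumes GNU coreutils (sha256sum, stat -c) as found on CentOS.

# Print history lines (with line numbers) that fetch a file from a bare IPv4
# address with wget/curl, or that name the dropper payload from the incident.
# The regex is an assumption of this example, tuned for the activity described.
find_dropper_lines() {
    history_file="$1"
    grep -nE '(wget|curl)[^;&|]*https?://[0-9]+(\.[0-9]+){3}|nuclear\.x86' \
        "$history_file" 2>/dev/null || true
}

# Number of lines find_dropper_lines reports, for scripting and checks.
count_dropper_lines() {
    find_dropper_lines "$1" | wc -l | tr -d ' '
}

# /lib64/tls/ holds no files on a clean CentOS 6 install, so every regular file
# found there is listed with its SHA-256 and mtime. Record this before the
# library is deleted so the evidence survives the cleanup.
list_tls_libs() {
    libdir="$1"
    [ -d "$libdir" ] || return 0
    find "$libdir" -type f | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mtime=$(stat -c %y "$f")
        printf '%s  %s  %s\n' "$sum" "$f" "$mtime"
    done
}

# Number of files list_tls_libs reports.
count_tls_libs() {
    list_tls_libs "$1" | wc -l | tr -d ' '
}

# Stand-alone entry point: run both checks when paths are supplied.
if [ $# -eq 2 ]; then
    echo "== suspicious history lines in $1 =="
    find_dropper_lines "$1"
    echo "== files under $2 =="
    list_tls_libs "$2"
fi
```

Run it against a copy of the history file and the library directory before any cleanup: the hashes and timestamps it prints are what you will want later when correlating with the hosting provider's abuse report, and a non-zero count from either check is a reason to treat the host as compromised rather than merely noisy.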
Remediation and Recovery Strategy
Because the server had been compromised previously, cleaning the system required addressing both the active infection and the compromised authentication channels. The immediate response involved the following actions:
Malicious Library Removal:
We identified and permanently deleted the compromised system library from /lib64/tls/ to break the Shared Library Hijacking chain.
Network Level Blocking:
We implemented strict firewall rules using iptables to permanently block outbound and inbound traffic to the identified malicious external IP addresses.
Service Restoration:
All core operational services, including the SSH, web, and mail daemons, were forcefully restarted. This flushes any “tainted memory” (RAM still holding the rootkit’s injected, executing payload) and forces the system to load clean instances of the services.
Mandatory Credential Rotation:
Because Ebury explicitly steals credentials, we mandated the immediate rotation and invalidation of all authentication material.
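The iptables step above is easy to get wrong by hand when the IOC list has more than a couple of entries. As an added example (not the commands used in the incident), the script below reads a plain-text IOC file, validates each entry as an IPv4 address, and emits the inbound and outbound DROP rules for it. By default it only prints the rules so they can be reviewed; `--apply` pipes them into sh. The file format (one address per line, `#` comments) and the TEST-NET addresses in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added containment helper, not part of the original write-up.
# Usage: block_iocs.sh iocs.txt            (print the rules)
#        block_iocs.sh --apply iocs.txt    (run them, as root)

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read an IOC file and print one INPUT and one OUTPUT DROP rule per address.
# Rules are inserted at the top (-I) so they take precedence over any ACCEPT
# rules already in the chain. Malformed entries are reported on stderr and
# skipped rather than silently turned into a rule that iptables would reject.
build_block_rules() {
    ioc_file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}                                  # drop trailing comment
        ip=$(printf '%s' "$ip" | tr -d '[:space:]')     # trim whitespace
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            printf 'SKIP invalid entry: %s\n' "$line" >&2
            continue
        fi
        printf 'iptables -I INPUT  -s %s -j DROP\n' "$ip"
        printf 'iptables -I OUTPUT -d %s -j DROP\n' "$ip"
    done < "$ioc_file"
}

# Stand-alone entry point.
if [ $# -gt 0 ]; then
    case "$1" in
        --apply) build_block_rules "$2" | sh ;;
        *)       build_block_rules "$1" ;;
    esac
fi
```

On CentOS 6 the rules live only in memory until `service iptables save` writes them to /etc/sysconfig/iptables, so run that after `--apply` or the block is lost at the next reboot. A sample IOC file using documentation addresses would look like `203.0.113.10  # dropper host` followed by `198.51.100.7`; the real addresses from the incident are the ones the provider's report and the C2 analysis identified.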
Conclusion
The recurring nature of this compromise highlights the severe operational risk of maintaining legacy infrastructure. CentOS 6 is saturated with publicly documented, unpatchable vulnerabilities that attackers can exploit automatically.
Attempting to clean a server running an End of Life operating system only provides temporary relief; the architectural flaws remain exploitable, guaranteeing future breaches. Due to this incident occurring twice, and recognizing the impossibility of securing an obsolete kernel, the client finally agreed to decommission the CentOS 6 environment and upgrade to a modern, fully supported operating system. Upgrading is the only definitive remediation to close this security gap permanently.
