Remove Ebury SSH rootkits

Ebury SSH rootkits

Vulnerable computer systems and applications:

Linux, Unix.


Ebury SSH rootkits is a backdoor for intercepting SSH data (passwords, private SSH keys). It’s installed in root level on infected devices in two ways: by changing SSH-related libraries (SSH, sshd, ssh-add, etc.) or by using a shared library (SSH) “libkeyutils”. Ebury provides remote root access to the infected device, even if its owner regularly changes passwords.

The attackers often change security settings and install additional malware on infected computers in order to use the device for sending spam, and redirecting users to malicious pages.

Recommendations for those infected:

  • Reinstall the operating system;
  • Check that other devices are not infected with Ebury SSH rootkits and change their passwords or regenerate SSH connection keys.